Skip to main content

MOVEit Automation CVE-2026-8485

| EUVDEUVD-2026-31115 MEDIUM
Memory Allocation with Excessive Size Value (CWE-789)
2026-05-20 security@progress.com GHSA-cpwg-526g-9gc5
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Patch available
May 20, 2026 - 15:17 EUVD
Analysis Generated
May 20, 2026 - 14:33 vuln.today

DescriptionCVE.org

Uncontrolled Memory Allocation vulnerability in Progress Software MOVEit Automation allows Excessive Allocation.

This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7.

AnalysisAI

Uncontrolled memory allocation in Progress Software MOVEit Automation exposes the application to remote denial-of-service via excessive resource consumption. Unauthenticated network attackers can trigger the flaw against versions prior to 2025.0.11 and 2025.1.x prior to 2025.1.7, resulting in availability loss with no confidentiality or integrity impact per the CVSS vector. No public exploit code and no CISA KEV listing have been identified at time of analysis; risk is moderated by high attack complexity.

Technical ContextAI

CWE-789 (Uncontrolled Memory Allocation) describes a class of defects where an application allocates memory based on an attacker-controlled value without sufficient bounds checking or validation. In MOVEit Automation - Progress Software's workflow automation component of the MOVEit file transfer platform - the application apparently accepts a network-supplied parameter that drives a memory allocation call, allowing an adversary to cause the process to request arbitrarily large heap regions. The affected CPE scope encompasses two distinct version branches: the 2025.0.x line (all releases before 2025.0.11) and the 2025.1.x line (2025.1.0 through pre-2025.1.7), as confirmed by the vendor release notes reference. The CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U) indicates the flaw is network-reachable and requires no authentication, but high attack complexity (AC:H) implies that triggering the condition reliably requires non-trivial knowledge of a specific request structure, timing, or protocol state.

RemediationAI

Upgrade MOVEit Automation to version 2025.0.11 or later for the 2025.0.x branch, or to version 2025.1.7 or later for the 2025.1.x branch, as documented in the vendor release notes at https://docs.progress.com/bundle/moveit-automation-release-notes-2026/page/Fixed-Issues-2026.html. If immediate patching is not possible, compensating controls should focus on reducing the attack surface: restrict network access to the MOVEit Automation management and API endpoints at the perimeter firewall or load balancer, limiting exposure to trusted IP ranges only - this directly counters the AV:N attack vector. Additionally, resource limits (OS-level memory quotas or container cgroups) on the MOVEit Automation process can cap the blast radius of a successful exploitation attempt, preventing a full-system memory exhaustion at the cost of potential performance degradation under legitimate high-load conditions. No workarounds that eliminate the vulnerability without patching are confirmed in the available data.

Share

CVE-2026-8485 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy