Skip to main content

MOVEit Automation CVE-2026-8486

| EUVDEUVD-2026-31121 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-05-20 ProgressSoftware GHSA-3rgf-7jf4-5qfc
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Analysis Generated
May 20, 2026 - 16:02 vuln.today
Patch available
May 20, 2026 - 16:01 EUVD

DescriptionCVE.org

Allocation of resources without limits or throttling vulnerability in Progress Software MOVEit Automation allows Flooding.

This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7.

AnalysisAI

Unauthenticated remote flooding of Progress Software MOVEit Automation exploits a missing resource throttling control (CWE-770), allowing an attacker to degrade service availability without any credentials or user interaction. Affected versions span the 2025.0.x branch (before 2025.0.11) and the 2025.1.x branch (before 2025.1.7). Progress Software has released patched versions; no public exploit code or CISA KEV listing has been identified at time of analysis, though MOVEit products remain high-value targets given their history as enterprise MFT infrastructure.

Technical ContextAI

MOVEit Automation (CPE: cpe:2.3:a:progress_software:moveit_automation) is Progress Software's enterprise managed file transfer orchestration platform, used to automate and schedule file transfer workflows across organizations. The root cause class is CWE-770 - Allocation of Resources Without Limits or Throttling - meaning the application does not enforce caps on resource consumption such as concurrent connections, memory allocation, request queues, or thread creation when handling inbound network requests. This structural gap allows a flood of incoming requests to progressively consume available server resources. The CVSS vector confirms the attack is network-delivered (AV:N), requires no authentication (PR:N), imposes no complexity barrier (AC:L), and demands no user interaction (UI:N), making the flooding technique trivially executable by any reachable attacker.

RemediationAI

Vendor-released patches are available: upgrade MOVEit Automation to version 2025.0.11 or later on the 2025.0.x branch, or to version 2025.1.7 or later on the 2025.1.x branch, as documented in the Progress Software release notes at https://docs.progress.com/bundle/moveit-automation-release-notes-2026/page/Fixed-Issues-2026.html. If immediate patching is not operationally feasible, place MOVEit Automation behind a rate-limiting reverse proxy or web application firewall configured to throttle per-source-IP connection and request rates, which directly mitigates the unbounded allocation condition; note this introduces an additional infrastructure layer and may introduce latency for high-frequency legitimate automation jobs. Where the client IP space is known and bounded (e.g., internal automation peers only), network-layer ACLs restricting inbound access to trusted source CIDRs provide an effective compensating control with minimal operational impact, though this is impractical for externally-facing automation endpoints. Monitor for abnormal connection volume spikes as an early indicator of exploitation attempts.

Share

CVE-2026-8486 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy