Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
Allocation of resources without limits or throttling vulnerability in Progress Software MOVEit Automation allows Flooding.
This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7.
AnalysisAI
Unauthenticated remote flooding of Progress Software MOVEit Automation exploits a missing resource throttling control (CWE-770), allowing an attacker to degrade service availability without any credentials or user interaction. Affected versions span the 2025.0.x branch (before 2025.0.11) and the 2025.1.x branch (before 2025.1.7). Progress Software has released patched versions; no public exploit code or CISA KEV listing has been identified at time of analysis, though MOVEit products remain high-value targets given their history as enterprise MFT infrastructure.
Technical ContextAI
MOVEit Automation (CPE: cpe:2.3:a:progress_software:moveit_automation) is Progress Software's enterprise managed file transfer orchestration platform, used to automate and schedule file transfer workflows across organizations. The root cause class is CWE-770 - Allocation of Resources Without Limits or Throttling - meaning the application does not enforce caps on resource consumption such as concurrent connections, memory allocation, request queues, or thread creation when handling inbound network requests. This structural gap allows a flood of incoming requests to progressively consume available server resources. The CVSS vector confirms the attack is network-delivered (AV:N), requires no authentication (PR:N), imposes no complexity barrier (AC:L), and demands no user interaction (UI:N), making the flooding technique trivially executable by any reachable attacker.
RemediationAI
Vendor-released patches are available: upgrade MOVEit Automation to version 2025.0.11 or later on the 2025.0.x branch, or to version 2025.1.7 or later on the 2025.1.x branch, as documented in the Progress Software release notes at https://docs.progress.com/bundle/moveit-automation-release-notes-2026/page/Fixed-Issues-2026.html. If immediate patching is not operationally feasible, place MOVEit Automation behind a rate-limiting reverse proxy or web application firewall configured to throttle per-source-IP connection and request rates, which directly mitigates the unbounded allocation condition; note this introduces an additional infrastructure layer and may introduce latency for high-frequency legitimate automation jobs. Where the client IP space is known and bounded (e.g., internal automation peers only), network-layer ACLs restricting inbound access to trusted source CIDRs provide an effective compensating control with minimal operational impact, though this is impractical for externally-facing automation endpoints. Monitor for abnormal connection volume spikes as an early indicator of exploitation attempts.
More in Moveit Automation
View allAuthentication bypass in Progress MOVEit Automation allows remote unauthenticated attackers to completely circumvent aut
Improper input validation in Progress MOVEit Automation enables authenticated low-privilege attackers to escalate privil
The Progress MOVEit Automation configuration export function prior to 2024.0.0 uses a cryptographic method with insuffic
Incorrect default permissions in Progress Software MOVEit Automation expose embedded sensitive data to authenticated low
An issue was discovered in Progress MOVEit Automation Web Admin. Rated medium severity (CVSS 6.1), this vulnerability is
Uncontrolled memory allocation in Progress Software MOVEit Automation exposes the application to remote denial-of-servic
Unauthenticated resource exhaustion in Progress Software MOVEit Automation enables a low-privileged remote attacker to d
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31121
GHSA-3rgf-7jf4-5qfc