Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Incorrect default permissions vulnerability in Progress Software MOVEit Automation allows Retrieve Embedded Sensitive Data.
This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7.
AnalysisAI
Incorrect default permissions in Progress Software MOVEit Automation expose embedded sensitive data to authenticated low-privileged users over the network. Affected versions span the 2025.0.x line before 2025.0.11 and the 2025.1.x line before 2025.1.7. The CVSS vector (AV:N/AC:L/PR:L/UI:N/C:H) indicates that any network-accessible instance running a vulnerable version can be exploited by a legitimately authenticated user with minimal privileges, resulting in high confidentiality impact with no integrity or availability loss. No public exploit identified at time of analysis and this CVE is not listed in CISA KEV.
Technical ContextAI
MOVEit Automation (CPE: cpe:2.3:a:progress_software:moveit_automation:*:*:*:*:*:*:*:*) is a managed file transfer automation platform commonly used in enterprise and government environments to orchestrate file workflows. The root cause is CWE-276 (Incorrect Default Permissions), a class of vulnerability where software ships with permission settings that grant broader access than intended. In this case, the application fails to restrict access to objects or files containing embedded sensitive data - such as credentials, keys, or configuration secrets stored inline within automation task definitions or workflow configurations - to only the privilege levels that require them. Because the flaw is in the default permission model rather than a specific feature toggle, any authenticated user session operates under the misconfigured access model without requiring any special setup.
RemediationAI
Upgrade to MOVEit Automation 2025.0.11 or 2025.1.7 (or later within their respective branches) as documented in the vendor advisory at https://docs.progress.com/bundle/moveit-automation-release-notes-2026/page/Fixed-Issues-2026.html. Vendor-released patch versions are confirmed from the advisory. If immediate patching is not possible, administrators should audit and manually harden permissions on automation task definitions and workflow objects that contain embedded credentials or sensitive configuration values, restricting read access to only the roles and service accounts that operationally require it. Additionally, rotating any credentials that may have been embedded in accessible automation objects is advisable as a precaution, since it cannot be confirmed whether the data was accessed prior to patching. Restricting MOVEit Automation web console access to trusted network segments via firewall rules reduces the exposed attack surface while patching is pending, though this does not eliminate risk from insider threats or already-compromised accounts.
More in Moveit Automation
View allAuthentication bypass in Progress MOVEit Automation allows remote unauthenticated attackers to completely circumvent aut
Improper input validation in Progress MOVEit Automation enables authenticated low-privilege attackers to escalate privil
The Progress MOVEit Automation configuration export function prior to 2024.0.0 uses a cryptographic method with insuffic
An issue was discovered in Progress MOVEit Automation Web Admin. Rated medium severity (CVSS 6.1), this vulnerability is
Uncontrolled memory allocation in Progress Software MOVEit Automation exposes the application to remote denial-of-servic
Unauthenticated remote flooding of Progress Software MOVEit Automation exploits a missing resource throttling control (C
Unauthenticated resource exhaustion in Progress Software MOVEit Automation enables a low-privileged remote attacker to d
Same weakness CWE-276 – Incorrect Default Permissions
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31120
GHSA-58jp-6f6m-4v4f