Skip to main content

MOVEit Automation CVE-2026-8487

| EUVDEUVD-2026-31120 MEDIUM
Incorrect Default Permissions (CWE-276)
2026-05-20 ProgressSoftware GHSA-58jp-6f6m-4v4f
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 20, 2026 - 16:02 vuln.today
Patch available
May 20, 2026 - 16:01 EUVD

DescriptionCVE.org

Incorrect default permissions vulnerability in Progress Software MOVEit Automation allows Retrieve Embedded Sensitive Data.

This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7.

AnalysisAI

Incorrect default permissions in Progress Software MOVEit Automation expose embedded sensitive data to authenticated low-privileged users over the network. Affected versions span the 2025.0.x line before 2025.0.11 and the 2025.1.x line before 2025.1.7. The CVSS vector (AV:N/AC:L/PR:L/UI:N/C:H) indicates that any network-accessible instance running a vulnerable version can be exploited by a legitimately authenticated user with minimal privileges, resulting in high confidentiality impact with no integrity or availability loss. No public exploit identified at time of analysis and this CVE is not listed in CISA KEV.

Technical ContextAI

MOVEit Automation (CPE: cpe:2.3:a:progress_software:moveit_automation:*:*:*:*:*:*:*:*) is a managed file transfer automation platform commonly used in enterprise and government environments to orchestrate file workflows. The root cause is CWE-276 (Incorrect Default Permissions), a class of vulnerability where software ships with permission settings that grant broader access than intended. In this case, the application fails to restrict access to objects or files containing embedded sensitive data - such as credentials, keys, or configuration secrets stored inline within automation task definitions or workflow configurations - to only the privilege levels that require them. Because the flaw is in the default permission model rather than a specific feature toggle, any authenticated user session operates under the misconfigured access model without requiring any special setup.

RemediationAI

Upgrade to MOVEit Automation 2025.0.11 or 2025.1.7 (or later within their respective branches) as documented in the vendor advisory at https://docs.progress.com/bundle/moveit-automation-release-notes-2026/page/Fixed-Issues-2026.html. Vendor-released patch versions are confirmed from the advisory. If immediate patching is not possible, administrators should audit and manually harden permissions on automation task definitions and workflow objects that contain embedded credentials or sensitive configuration values, restricting read access to only the roles and service accounts that operationally require it. Additionally, rotating any credentials that may have been embedded in accessible automation objects is advisable as a precaution, since it cannot be confirmed whether the data was accessed prior to patching. Restricting MOVEit Automation web console access to trusted network segments via firewall rules reduces the exposed attack surface while patching is pending, though this does not eliminate risk from insider threats or already-compromised accounts.

Share

CVE-2026-8487 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy