Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
Allocation of resources without limits or throttling vulnerability in Progress Software MOVEit Automation allows Excessive Allocation.
This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7.
AnalysisAI
Unauthenticated resource exhaustion in Progress Software MOVEit Automation enables a low-privileged remote attacker to degrade availability by triggering excessive resource allocation without server-side throttling controls. Affecting all MOVEit Automation releases prior to 2025.0.11 and the 2025.1.x branch prior to 2025.1.7, successful exploitation results in limited availability impact (A:L per CVSS) against the targeted instance. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis; the vendor has released patched versions.
Technical ContextAI
CWE-770 (Allocation of Resources Without Limits or Throttling) describes a failure to impose caps on resource consumption - such as memory, threads, connections, or processing time - allowing an attacker to starve the application of capacity. In MOVEit Automation (CPE: cpe:2.3:a:progress_software:moveit_automation:*:*:*:*:*:*:*:*), this is a server-side automation workflow engine by Progress Software. The CVSS vector (AV:N/AC:L/PR:L) indicates the vulnerable code path is reachable over the network with low complexity, but requires a low-privileged authenticated session, suggesting the allocation sink exists within an authenticated API or workflow execution surface. The scope is unchanged (S:U), meaning exploitation is contained within the MOVEit Automation process boundary and does not cascade to the underlying OS or adjacent systems.
RemediationAI
The primary remediation is to upgrade to a patched release: organizations on the stable branch should upgrade to MOVEit Automation 2025.0.11 or later; organizations on the 2025.1.x branch should upgrade to 2025.1.7 or later. Both fix versions are confirmed by the vendor advisory at https://docs.progress.com/bundle/moveit-automation-release-notes-2026/page/Fixed-Issues-2026.html. If immediate patching is not feasible, compensating controls include restricting low-privileged account creation and auditing existing accounts to minimize the pool of authenticated users who could trigger the condition, rate-limiting inbound authenticated API requests at a WAF or reverse proxy layer, and monitoring for abnormal resource consumption spikes on the MOVEit Automation host. Note that network-layer throttling cannot fully substitute for the server-side fix, as the allocation logic itself remains unbounded; these controls reduce exposure but do not eliminate the risk.
More in Moveit Automation
View allAuthentication bypass in Progress MOVEit Automation allows remote unauthenticated attackers to completely circumvent aut
Improper input validation in Progress MOVEit Automation enables authenticated low-privilege attackers to escalate privil
The Progress MOVEit Automation configuration export function prior to 2024.0.0 uses a cryptographic method with insuffic
Incorrect default permissions in Progress Software MOVEit Automation expose embedded sensitive data to authenticated low
An issue was discovered in Progress MOVEit Automation Web Admin. Rated medium severity (CVSS 6.1), this vulnerability is
Uncontrolled memory allocation in Progress Software MOVEit Automation exposes the application to remote denial-of-servic
Unauthenticated remote flooding of Progress Software MOVEit Automation exploits a missing resource throttling control (C
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31119
GHSA-rcwv-f9jp-p684