CVE-2026-8486 Overview
CVE-2026-8486 is a resource allocation vulnerability affecting Progress Software MOVEit Automation. The flaw stems from the absence of resource limits or throttling controls [CWE-770]. Remote attackers can flood the application with requests, exhausting available resources and degrading service availability. The vulnerability is reachable over the network without authentication or user interaction. Progress Software addressed the issue in MOVEit Automation versions 2025.0.11 and 2025.1.7.
Critical Impact
Unauthenticated attackers can trigger a denial-of-service condition against MOVEit Automation by exhausting system resources through unthrottled requests, disrupting managed file transfer workflows.
Affected Products
- Progress Software MOVEit Automation versions prior to 2025.0.11
- Progress Software MOVEit Automation versions 2025.1.0 through 2025.1.6
- Progress Software MOVEit Automation deployments exposed to untrusted networks
Discovery Timeline
- 2026-05-20 - CVE-2026-8486 published to the National Vulnerability Database
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-8486
Vulnerability Analysis
MOVEit Automation handles managed file transfer (MFT) workflows used in enterprise environments to schedule and orchestrate file movement. The vulnerability stems from the application accepting inbound requests without enforcing rate limits, connection caps, or resource quotas. An attacker can submit a high volume of requests to consume CPU, memory, file descriptors, or thread pool capacity.
The weakness is categorized as Allocation of Resources Without Limits or Throttling [CWE-770]. Because the attack vector is network-based and requires no privileges or user interaction, any reachable MOVEit Automation endpoint is exposed. Successful exploitation degrades availability but does not affect confidentiality or integrity.
Root Cause
The root cause is missing throttling logic in the request handling path. The application fails to enforce upper bounds on concurrent connections, request rates, or per-client resource consumption. This allows a single attacker, or a small set of sources, to monopolize server resources and starve legitimate workloads.
Attack Vector
An attacker sends a sustained stream of requests to an exposed MOVEit Automation instance. Because no authentication is required to trigger resource allocation, the attacker does not need valid credentials. The flood continues until the service becomes unresponsive or scheduled file transfer jobs fail to execute within their expected windows.
No verified exploit code is publicly available. See the Progress MOVEit Automation Release Notes for vendor-provided technical context.
Detection Methods for CVE-2026-8486
Indicators of Compromise
- Sudden spikes in inbound connection counts or request rates against MOVEit Automation listeners
- MOVEit Automation process consuming abnormal CPU, memory, or handle counts without corresponding scheduled job activity
- Failed or delayed managed file transfer jobs coinciding with periods of high request volume
- Application logs showing thread pool exhaustion, connection queue overflow, or timeout errors
Detection Strategies
- Baseline normal request volumes to MOVEit Automation endpoints and alert on statistically significant deviations
- Correlate web server access logs with system performance counters to identify resource saturation patterns
- Monitor for repeated requests from a small number of source IP addresses targeting the same endpoint
Monitoring Recommendations
- Forward MOVEit Automation application and IIS logs to a centralized SIEM for correlation and retention
- Track host-level metrics including CPU, memory, network sockets, and process handles on MOVEit servers
- Alert when scheduled file transfer jobs fail or exceed historical execution times
How to Mitigate CVE-2026-8486
Immediate Actions Required
- Upgrade MOVEit Automation to version 2025.0.11 or 2025.1.7 or later as published by Progress Software
- Restrict network access to MOVEit Automation management and API endpoints using firewall rules and allow-lists
- Place MOVEit Automation behind a reverse proxy or web application firewall configured with rate limiting
Patch Information
Progress Software fixed CVE-2026-8486 in MOVEit Automation 2025.0.11 and 2025.1.7. Customers running any version prior to 2025.0.11, or any 2025.1.x release before 2025.1.7, should apply the vendor update. Refer to the Progress MOVEit Automation Release Notes for download links and upgrade guidance.
Workarounds
- Apply network-level rate limiting at upstream load balancers or web application firewalls to cap requests per source
- Limit exposure of MOVEit Automation interfaces to trusted management networks and VPN segments
- Configure connection limits and request queue thresholds on the hosting web server where supported
- Increase monitoring sensitivity on MOVEit hosts so resource exhaustion is detected before downstream jobs fail
# Configuration example: restrict MOVEit Automation access at the host firewall (Windows)
New-NetFirewallRule -DisplayName "MOVEit Automation - Allow Mgmt Subnet" `
-Direction Inbound -Protocol TCP -LocalPort 443 `
-RemoteAddress 10.10.20.0/24 -Action Allow
New-NetFirewallRule -DisplayName "MOVEit Automation - Block Other" `
-Direction Inbound -Protocol TCP -LocalPort 443 `
-Action Block
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
