CVE-2026-8487 Overview
CVE-2026-8487 is an incorrect default permissions vulnerability in Progress Software MOVEit Automation. The flaw lets an authenticated low-privileged user retrieve embedded sensitive data that should be restricted. The issue is classified under [CWE-276] Incorrect Default Permissions and is exploitable over the network.
Affected versions include MOVEit Automation releases before 2025.0.11 and versions from 2025.1.0 before 2025.1.7. Progress Software has issued fixed releases addressing the permission misconfiguration.
Critical Impact
An authenticated attacker with low privileges can read embedded sensitive data within MOVEit Automation, exposing credentials or configuration material used by managed file transfer workflows.
Affected Products
- Progress MOVEit Automation versions prior to 2025.0.11
- Progress MOVEit Automation 2025.1.0 through versions prior to 2025.1.7
- Deployments using default permission configurations on MOVEit Automation tasks and credentials
Discovery Timeline
- 2026-05-20 - CVE-2026-8487 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-8487
Vulnerability Analysis
MOVEit Automation orchestrates scheduled file transfer tasks and stores embedded sensitive data including credentials, connection strings, and keys used by transfer workflows. The vulnerability stems from incorrect default permissions applied to these embedded objects. Low-privileged authenticated users gain read access to data the application should restrict to administrators.
The weakness maps to [CWE-276], where the product assigns overly permissive defaults to a resource at creation. An attacker who already holds a valid account on the MOVEit Automation instance can query or browse application data and recover sensitive material. Successful exploitation impacts confidentiality without altering data or disrupting service.
Root Cause
The root cause is a misconfigured default permission model on objects holding embedded sensitive data inside MOVEit Automation. Permissions granted to standard application roles include read access that should be reserved for administrative roles. Progress addressed the issue in maintenance releases 2025.0.11 and 2025.1.7 by tightening the default access controls.
Attack Vector
The attack vector is network-based and requires low privileges with no user interaction. An attacker authenticates to MOVEit Automation with any valid low-privileged account and then accesses objects or interfaces that expose embedded sensitive data. No exploit code is publicly available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Detailed mechanics are described in the Progress Release Notes 2026.
// No verified proof-of-concept code is available for CVE-2026-8487.
// Exploitation requires an authenticated low-privileged session against
// MOVEit Automation and access to objects storing embedded credentials
// or other sensitive configuration data.
Detection Methods for CVE-2026-8487
Indicators of Compromise
- Unexpected read access by non-administrative MOVEit Automation accounts to task definitions, credential stores, or connection profiles
- Audit log entries showing low-privileged users enumerating embedded resources or exporting task configurations
- Outbound use of MOVEit-managed credentials from unexpected hosts or at unusual times
Detection Strategies
- Review MOVEit Automation audit logs for read or export operations on objects containing credentials performed by non-admin roles
- Correlate authentication events to MOVEit Automation with subsequent access to credential or task metadata endpoints
- Compare effective permissions assigned to MOVEit Automation roles against the vendor-recommended baseline after upgrade
Monitoring Recommendations
- Forward MOVEit Automation application logs to a centralized SIEM and alert on privilege escalation patterns and credential reads
- Monitor for use of service credentials managed by MOVEit Automation across downstream SFTP, FTPS, and cloud storage endpoints
- Establish a baseline of normal task execution and flag deviations such as unscheduled exports of task configurations
How to Mitigate CVE-2026-8487
Immediate Actions Required
- Upgrade MOVEit Automation to version 2025.0.11 or 2025.1.7 or later as published by Progress Software
- Audit all MOVEit Automation user accounts and remove unused or unnecessary low-privileged accounts
- Rotate credentials, API keys, and connection secrets stored within MOVEit Automation tasks following the upgrade
Patch Information
Progress Software released fixed builds in MOVEit Automation 2025.0.11 and 2025.1.7. Patch details and remediation guidance are published in the Progress Release Notes 2026. Apply the appropriate fix according to the deployed release train.
Workarounds
- Restrict MOVEit Automation console and API access to administrative networks until the patch is applied
- Review role assignments and remove read permissions from non-administrative roles on objects holding sensitive data
- Enable multi-factor authentication on MOVEit Automation accounts to reduce risk from credential compromise
# Example: verify installed MOVEit Automation version on Windows host
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Standard Networks\MOVEitAutomation" |
Select-Object Version, InstallDir
# Confirm version is >= 2025.0.11 or >= 2025.1.7 before returning to production
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
