Multiple Vulnerabilities in Progress MOVEit Automation
Multiple vulnerabilities in Progress MOVEit Automation allow for remote denial of service, security policy bypass, and unspecified security issues.
On May 21, 2026, CERT-FR published an advisory regarding multiple vulnerabilities in Progress MOVEit Automation. These vulnerabilities, identified by CVE-2026-8485, CVE-2026-8486, CVE-2026-8487, and CVE-2026-8488, can lead to remote denial-of-service (DoS), security policy bypass, and unspecified security compromises. The affected versions include MOVEit Automation versions 2025.1.x prior to 2025.1.7 and versions prior to 2025.0.11. Defenders should apply the patches released by Progress to mitigate these risks and ensure the confidentiality, integrity, and availability of MOVEit Automation instances.
Attack Chain
- An attacker identifies a vulnerable MOVEit Automation instance running a version prior to 2025.0.11 or 2025.1.7.
- The attacker exploits CVE-2026-8485, CVE-2026-8486, CVE-2026-8487, or CVE-2026-8488 to gain unauthorized access.
- Depending on the specific vulnerability exploited, the attacker bypasses security policies implemented within MOVEit Automation.
- The attacker crafts malicious requests to trigger a denial-of-service condition, impacting the availability of MOVEit Automation services.
- The attacker leverages the unspecified security vulnerability to perform unauthorized actions.
- The attacker may attempt to escalate privileges within the MOVEit Automation system.
- The attacker may attempt to access sensitive data stored or processed by MOVEit Automation.
- The attacker disrupts or disables MOVEit Automation services.
Impact
Successful exploitation of these vulnerabilities can lead to significant disruption of file transfer operations, potential data breaches, and reputational damage. Organizations relying on MOVEit Automation for critical file transfers may experience service outages, compliance violations, and financial losses. The unspecified vulnerability could potentially allow for more severe impacts, such as data exfiltration or complete system compromise.
Recommendation
- Immediately patch MOVEit Automation instances to version 2025.1.7 or later to remediate CVE-2026-8485, CVE-2026-8486, CVE-2026-8487, and CVE-2026-8488 as referenced in the advisory.
- Monitor web server logs for suspicious activity targeting MOVEit Automation endpoints to detect potential exploitation attempts.
- Deploy the Sigma rule "Detect MOVEit Automation Security Policy Bypass Attempt" to identify potential security policy circumvention.
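The affected ranges stated above can be applied to an asset inventory to find hosts that still need the patch. The following is an added example, not code from CERT-FR or Progress; the CSV layout, the hostnames and the status labels are assumptions, and releases outside the ranges listed in the advisory are reported as not affected.

```python
import csv
import io
import re

# Fixed releases as stated in the advisory summary above.
FIXED_2025_1 = (2025, 1, 7)
FIXED_2025_0 = (2025, 0, 11)

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = """host,version
mft-prod-01,2025.1.6
mft-prod-02,2025.1.7
mft-dr-01,2025.0.10
mft-dr-02,2025.0.11
mft-legacy,2024.1.3
mft-lab,unknown-build
"""

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) as ints, or None if not in x.y.z form."""
    m = _VERSION_RE.match(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_text):
    """Map a version string to 'affected', 'not_affected' or 'unknown'."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # needs a manual check; never assume patched
    if v[:2] == (2025, 1):
        return "affected" if v < FIXED_2025_1 else "not_affected"
    if v < FIXED_2025_0:
        return "affected"  # 2025.0.x below .11 and every older release
    return "not_affected"


def triage(inventory_csv):
    """Return {host: status} for a CSV with 'host' and 'version' columns."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["version"]) for r in rows}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Versions are compared as integer tuples, so 2025.1.10 sorts after 2025.1.7 rather than before it as a string comparison would.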
Detection coverage
Detect MOVEit Automation Security Policy Bypass Attempt
medium: Detects attempts to bypass security policies in Progress MOVEit Automation by monitoring for abnormal access patterns or unauthorized file access attempts.
Detect MOVEit Automation Remote Denial of Service Attempt
medium: Detects potential remote denial-of-service (DoS) attacks against Progress MOVEit Automation by monitoring for excessive requests or abnormal traffic patterns.
Detection queries are available on the platform.