CVE-2026-8485 Progress Software CVE debrief

Who should care

Administrators and security teams responsible for Progress MOVEit Automation deployments, especially environments running versions earlier than 2025.0.11 or in the 2025.1.x line before 2025.1.7.

Technical summary

The vendor-described weakness is CWE-789 (uncontrolled memory allocation). In practical terms, affected MOVEit Automation versions may allocate excessive memory under certain conditions, creating a denial-of-service risk. The NVD CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network exposure, no authentication or user interaction requirement, and primary impact to availability.

Defensive priority

Moderate. This is not a confidentiality or integrity issue in the supplied data, but it can still disrupt service. Prioritize if MOVEit Automation is externally reachable or business-critical.

Recommended defensive actions

• Upgrade MOVEit Automation to a fixed version: 2025.0.11 or later on the 2025.0 line, or 2025.1.7 or later on the 2025.1 line.
• Inventory all MOVEit Automation deployments to confirm whether any affected versions are present.
• Use the Progress release notes reference to verify the fixed-issues guidance for your exact release track.
• Treat unexpected resource exhaustion or service instability in MOVEit Automation as a security signal until patched.
• If immediate upgrade is not possible, reduce exposure of the application and monitor for abnormal memory consumption or service degradation.

Evidence notes

Affected versions and the CWE mapping are taken from the supplied NVD record metadata, which cites Progress as the source of the weakness description. The only product-specific remediation reference supplied is Progress's fixed-issues release notes page. No KEV entry was supplied for this CVE.

Official resources