PatchSiren cyber security CVE debrief
CVE-2026-8486 Progress Software CVE debrief
CVE-2026-8486 is a medium-severity availability flaw in Progress Software MOVEit Automation. The issue is described as allocation of resources without limits or throttling, which can allow flooding and degrade service availability. The affected ranges listed in the CVE are versions before 2025.0.11 and versions from 2025.1.0 before 2025.1.7. The NVD record currently lists the vulnerability status as undergoing analysis, and the supplied vendor reference points to Progress release notes for the fixed issues.
- Vendor
- Progress Software
- Product
- MOVEit Automation
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-20
- Original CVE updated
- 2026-05-20
- Advisory published
- 2026-05-20
- Advisory updated
- 2026-05-20
Who should care
Organizations running MOVEit Automation, especially administrators, operations teams, and patch managers responsible for internet-facing file transfer or workflow services. Security teams should pay attention because the issue is network-reachable, requires no privileges or user interaction, and impacts availability.
Technical summary
The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, which indicates a network-exploitable issue with low attack complexity and no authentication or user interaction required. The weakness is mapped to CWE-770, allocation of resources without limits or throttling. Based on the provided description, the practical risk is service flooding or resource exhaustion rather than direct data theft or tampering.
Defensive priority
Medium. The issue does not indicate confidentiality or integrity impact in the supplied CVSS vector, but it can still cause service degradation or outages in exposed MOVEit Automation deployments.
Recommended defensive actions
- Inventory all MOVEit Automation instances and identify versions in the affected ranges.
- Upgrade to the vendor-fixed releases referenced by the CVE: 2025.0.11 or later for the 2025.0 line, and 2025.1.7 or later for the 2025.1 line.
- Review Progress release notes and deployment guidance before and after patching to confirm the correct maintenance path for each installation.
- If immediate patching is not possible, reduce exposure with network controls and monitor for abnormal request rates, resource spikes, and service degradation.
- Validate the update after installation and confirm the service is running the expected fixed build.
- Set up alerting for repeated connection attempts or signs of flooding against MOVEit Automation endpoints.
Evidence notes
The debrief is based only on the supplied NVD record and the linked Progress release-notes page. The CVE description explicitly states the affected version ranges and the nature of the flaw. NVD currently marks the record as undergoing analysis. The vendor mapping in the supplied data is low confidence, so the product is described as Progress Software MOVEit Automation because that is the product named in the CVE description and vendor reference.
Official resources
-
CVE-2026-8486 CVE record
CVE.org
-
CVE-2026-8486 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
Published on 2026-05-20 in the official CVE/NVD record. The supplied NVD entry cites Progress release notes as the remediation reference and currently lists the vulnerability status as undergoing analysis. No KEV listing is present in theä¾›?