PatchSiren

CVE-2026-8487 Progress Software CVE debrief

CVE-2026-8487 is an incorrect default permissions issue affecting Progress Software MOVEit Automation. According to the official NVD summary and the referenced Progress release notes, the flaw can allow retrieval of embedded sensitive data and affects MOVEit Automation versions before 2025.0.11 and from 2025.1.0 before 2025.1.7. The published CVSS 3.1 vector indicates network access, low attack complexity, low privileges, and confidentiality impact only. The CVE is not listed as a KEV item in the supplied enrichment data, but it should still be addressed promptly because permission misconfiguration can expose secrets or other embedded data to unintended readers.

Vendor: Progress Software
Product: MOVEit Automation
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-20
Advisory published: 2026-05-20
Advisory updated: 2026-05-20

Who should care

MOVEit Automation administrators, IAM and platform owners, security operations teams, and incident responders responsible for systems that may store embedded credentials, tokens, or other sensitive data in application content or configuration.

Technical summary

NVD records the issue as CWE-276 (Incorrect Default Permissions) with CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The affected product and version ranges are MOVEit Automation before 2025.0.11 and from 2025.1.0 before 2025.1.7, as referenced by Progress's fixed-issues release notes. The security impact is confidentiality loss: an actor with low privileges may be able to retrieve embedded sensitive data because of overly permissive defaults.

Defensive priority

Medium. The issue is remotely reachable, low complexity, and can expose sensitive data, but the impact is limited to confidentiality and the supplied data does not indicate active exploitation or KEV inclusion.

Recommended defensive actions

  • Upgrade MOVEit Automation to a fixed release at or above 2025.0.11, or to 2025.1.7 or later, following Progress's release guidance.
  • Review any files, jobs, scripts, or configuration locations that may contain embedded secrets or sensitive data and reduce their exposure.
  • Verify application and filesystem permissions for MOVEit Automation deployments to ensure defaults are not broader than intended.
  • Audit access controls and service accounts that can read MOVEit Automation content, especially where low-privilege accounts are used.
  • Check for any sensitive material that may already have been exposed through misconfigured permissions and rotate secrets if exposure is suspected.
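
To support the upgrade step, the affected version ranges stated in this debrief can be turned into an inventory triage check. This is an added example, not Progress or NVD tooling; it assumes versions are reported as dotted numeric strings, and the host names and versions in the sample inventory are constructed.

```python
import re

# Affected ranges as stated in this debrief: before 2025.0.11,
# and from 2025.1.0 up to (not including) 2025.1.7.
FIXED_2025_0 = (2025, 0, 11)
BRANCH_2025_1 = (2025, 1, 0)
FIXED_2025_1 = (2025, 1, 7)
_VERSION_RE = re.compile(r"^\d+(\.\d+){1,3}$")

def parse_version(text):
    """Return (major, minor, patch) ints, or None if not a dotted numeric version."""
    text = (text or "").strip()
    if not _VERSION_RE.match(text):
        return None
    parts = [int(p) for p in text.split(".")]
    parts += [0] * (3 - len(parts))  # "2025.1" compares as 2025.1.0
    return tuple(parts[:3])          # assumption: a fourth (build) field is ignored

def classify(version_text):
    """Return 'affected', 'outside-range' or 'unknown' for one reported version."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # an unparseable version is never treated as safe
    if v < FIXED_2025_0 or BRANCH_2025_1 <= v < FIXED_2025_1:
        return "affected"
    return "outside-range"

def triage(inventory):
    """Return (host, status) pairs needing action: affected first, then unknown."""
    order = {"affected": 0, "unknown": 1}
    flagged = [(h, classify(v)) for h, v in inventory.items()]
    flagged = [(h, s) for h, s in flagged if s in order]
    return sorted(flagged, key=lambda hs: (order[hs[1]], hs[0]))

# Constructed sample inventory: host names and versions are illustrative only.
SAMPLE_INVENTORY = {
    "mft-prod-01": "2025.0.10",
    "mft-prod-02": "2025.0.11",
    "mft-dr-01": "2025.1.0",
    "mft-test-01": "2025.1.7",
    "mft-legacy-01": "2024.1.4",
    "mft-lab-01": "unknown-build",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host}: {status} (reported {SAMPLE_INVENTORY[host]})")
```

Hosts reported as unknown need a manual version check before they are treated as outside the affected range.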

Evidence notes

The description and version range are taken from the supplied CVE summary. NVD metadata identifies CWE-276 and the CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, which supports a confidentiality-focused, low-privilege remote issue. The supplied official reference from Progress points to the MOVEit Automation 2026 fixed-issues release notes, which is the only vendor source in the corpus. The vendor mapping in the input is marked low-confidence/needs review, so the debrief treats Progress Software MOVEit Automation as the most directly supported product identity from the source corpus.

Official resources

Published 2026-05-20T16:16:27.463Z and last modified 2026-05-20T17:32:35.827Z. The supplied data does not mark this CVE as a KEV item and does not indicate confirmed ransomware campaign use.