Description
Incorrect default permissions vulnerability in Progress Software MOVEit Automation allows Retrieve Embedded Sensitive Data.

This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7.
Published: 2026-05-20
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Progress Software MOVEit Automation contains a flaw where default permissions are set too broadly, enabling an attacker to retrieve embedded sensitive data. The vulnerability is rooted in improper access controls, specifically the way the system assigns rights to newly created resources, which allows users beyond intended scopes to read confidential information. This can lead to significant confidentiality breaches, as non‑authorised parties may access content that should be protected.

Affected Systems

Clients running MOVEit Automation versions earlier than 2025.0.11 or any 2025.1.x release before 2025.1.7 are affected. Versions 2025.0.11 and newer, as well as 2025.1.7 and newer, contain the fix.

Risk and Exploitability

The CVSS 3.1 score of 6.5 places the flaw in the Medium severity band. EPSS data is not available, and the vulnerability is not listed in CISA’s KEV catalog, indicating no confirmed widespread exploitation to date. The CVE text does not explicitly state exploit requirements, but it suggests that default permission settings could allow non‑authorised users to read data. Based on the description, it is inferred that the vulnerability could be leveraged by any actor who holds non‑elevated access after a successful authentication; the CVE does not confirm exploitation without special privileges. The potential for data exposure keeps the confidentiality risk high.

Generated by OpenCVE AI on May 20, 2026 at 16:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update MOVEit Automation to version 2025.0.11 or newer, or to version 2025.1.7 or newer, to apply the vendor fix for default permissions.
  • Review and override default permission settings on all deployment units to enforce the principle of least privilege.
  • If an upgrade is not immediately feasible, disable or remove features that expose embedded sensitive data, or manually adjust permission templates to restrict read access to authorized users only.

Generated by OpenCVE AI on May 20, 2026 at 16:50 UTC.

Advisories

No advisories yet.

History

Wed, 20 May 2026 16:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Wed, 20 May 2026 15:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Incorrect default permissions vulnerability in Progress Software MOVEit Automation allows Retrieve Embedded Sensitive Data. This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7. |
| Title | | Incorrect default permissions vulnerability in Progress Software MOVEit Automation |
| Weaknesses | | CWE-276 |
| References | | |
| Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'} |


MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published:

Updated: 2026-05-20T15:30:11.664Z

Reserved: 2026-05-13T14:50:41.621Z

Link: CVE-2026-8487

Vulnrichment

Updated: 2026-05-20T15:30:08.967Z

NVD

Status: Awaiting Analysis

Published: 2026-05-20T16:16:27.463

Modified: 2026-05-20T17:32:35.827

Link: CVE-2026-8487

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T17:00:14Z

Weaknesses