Cyber Posture

CVE-2026-8488

Medium
Microsoft: not affectedMSmacOS: not affectedMacLinux: not affectedLnxMobile: not affectedMobNetwork: not affectedNetApplication: affectedAppOther: not affectedOth

Published: 20 May 2026

Published
20 May 2026
Modified
21 May 2026
KEV Added
Patch
CVSS Score 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
EPSS Score 0.0004 11.5th percentile
Risk Priority 9 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-8488 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Progress Moveit Automation. Its CVSS base score is 4.3 (Medium).

Operationally, ranked at the 11.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

AC-10 Concurrent Session Control
addresses: CWE-770

This control implements explicit throttling on session allocation, addressing the weakness of allocating resources without limits.

CP-4 Contingency Plan Testing
addresses: CWE-770

Plan testing exercises resource allocation limits and throttling during simulated failures, directly addressing weaknesses that allow unbounded resource use.

CP-5 Contingency Plan Update
addresses: CWE-770

Contingency plan updates ensure recovery strategies address unbounded resource allocation, making it harder for attackers to exploit lack of throttling to cause prolonged outages.

CP-7 Alternate Processing Site
addresses: CWE-770

Provides continuity when unbounded resource allocation at the primary site leads to exhaustion and downtime.

CP-8 Telecommunications Services
addresses: CWE-770

Alternate services allow operations to continue when primary allocation of resources lacks limits or throttling.

PL-6 Security-related Activity Planning
addresses: CWE-770

Explicit planning of security-related actions requires defining limits, windows, and resource allocations, making allocation without throttling far less likely.

PM-6 Measures of Performance
addresses: CWE-770

Measures of performance include tracking allocation behavior and throttling effectiveness, reducing the window for resource exhaustion attacks.

SC-10 Network Disconnect
addresses: CWE-770

Imposes an inactivity-based limit on network resource allocation, throttling the number of concurrently held connections.

NVD Description

Allocation of resources without limits or throttling vulnerability in Progress Software MOVEit Automation allows Excessive Allocation. This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s)
CWE-770

Affected Products

progress
moveit automation
≤ 2025.0.11 · 2025.1.0 — 2025.1.7

EU & UK References

References