CVE-2026-8801 in MOVEit Transfer
Summary
by MITRE • 07/08/2026
Path equivalence: vulnerability in Progress MOVEit Transfer (File Upload modules).
This issue affects MOVEit Transfer: before 2025.0.8, from 2025.1.0 before 2025.1.4.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/08/2026
Progress MOVEit Transfer contains a path equivalence vulnerability that allows authenticated attackers to bypass file upload restrictions through carefully crafted filenames. This weakness stems from insufficient validation of file paths during the upload process, enabling malicious users to manipulate directory traversal sequences that resolve to unintended locations within the application's file system hierarchy. The vulnerability specifically impacts the file upload modules where the system fails to properly canonicalize or normalize file paths before processing uploaded content.
The technical flaw resides in how MOVEit Transfer handles relative path references and symbolic links during file operations, creating opportunities for attackers to exploit directory traversal mechanisms. When users upload files through the web interface or API endpoints, the application processes filenames without adequately sanitizing or validating path components that could contain sequences like double dots or forward slashes. This path equivalence issue allows adversaries to specify paths that resolve to locations outside of intended upload directories, potentially enabling them to overwrite critical system files or place malicious content in sensitive areas.
This vulnerability has significant operational impact as it can be exploited by authenticated users with valid credentials to perform unauthorized file operations within the MOVEit Transfer environment. Attackers could leverage this weakness to deploy malware, modify configuration files, or gain persistence within the application's infrastructure. The affected versions span from pre-2025.0.8 through 2025.1.3, indicating a prolonged period where organizations using these releases remained vulnerable to path traversal attacks that could compromise system integrity and data confidentiality.
Organizations should implement immediate mitigations including updating to the patched versions 2025.0.8 and 2025.1.4 respectively, as these releases contain proper input validation and path canonicalization routines. Additional defensive measures include implementing strict file upload restrictions that validate filename components against known safe patterns, deploying web application firewalls with path traversal detection capabilities, and ensuring proper access controls are enforced through principle of least privilege configurations. The vulnerability aligns with CWE-23 Path Traversal and maps to ATT&CK technique T1059 Command and Scripting Interpreter for persistence and privilege escalation activities that could follow such a path manipulation attack.
Security teams should conduct comprehensive audits of file upload functionality across all MOVEit Transfer installations and review system logs for suspicious patterns related to unusual directory access or file creation operations. Regular security testing including penetration testing with path traversal scenarios should be performed to validate the effectiveness of implemented controls. The remediation process requires not only software updates but also configuration reviews to ensure that file upload directories are properly isolated and that appropriate access controls prevent unauthorized file system modifications. Organizations should also consider implementing automated monitoring for unusual file upload patterns that could indicate exploitation attempts against this path equivalence vulnerability.