Progress Patches Critical MOVEit Automation Bug Enabling Authentication Bypass
Progress issues a patch for a critical Authentication Bypass vulnerability in MOVEit Automation
Progress Patches Critical Authentication Bypass in MOVEit Automation
TL;DR — Progress Software has released patches for two vulnerabilities in MOVEit Automation: a critical authentication bypass (CVE-2026-4670, CVSS 9.8) and a privilege escalation flaw (CVE-2026-5174, CVSS 7.7). Both vulnerabilities affect the backend command port interfaces and could lead to unauthorized administrative access and data exposure. Updates are available for versions 2025.1.5, 2025.0.9, and 2024.1.8.
What happened
Progress Software released security updates addressing two flaws in MOVEit Automation, a managed file transfer (MFT) platform used to schedule and automate file movement workflows in enterprise environments.
The first vulnerability, CVE-2026-4670, is rated critical with a CVSS score of 9.8. It is an authentication bypass vulnerability that operates through the service backend command port interfaces. The second, CVE-2026-5174, carries a CVSS score of 7.7 and is classified as an improper input validation issue that could permit privilege escalation, also accessible via the backend command port.
According to Progress Software's advisory, successful exploitation of these flaws could result in unauthorized access, administrative control, and data exposure.
The vulnerabilities were discovered and reported by Airbus SecLab researchers: Anaïs Gantet, Delphine Gourdou, Quentin Liddell, and Matteo Ricordeau.
Three maintenance branches are affected:
- MOVEit Automation versions 2025.1.4 and earlier
- MOVEit Automation versions 2025.0.8 and earlier
- MOVEit Automation versions 2024.1.7 and earlier
Progress has not identified any workarounds for these issues, making patching the only remediation path. The source material does not specify whether either vulnerability is currently being exploited in production environments.
Why it matters
MOVEit Automation is deployed in enterprise environments to handle automated file transfer workflows, often processing sensitive data across organizational boundaries. An authentication bypass with a CVSS score of 9.8 represents a direct path to system compromise without valid credentials.
The combination of authentication bypass and privilege escalation through a backend interface creates a severe risk for defenders. An attacker exploiting CVE-2026-4670 could bypass authentication entirely; if CVE-2026-5174 is exploited on the same system, further elevation to administrative privileges becomes possible. This chain would grant an attacker full control over file transfer policies, scheduled jobs, and potentially the data those jobs process.
For SOC analysts and sysadmins, this matters immediately because MOVEit Automation often sits in critical data pipelines. Administrative compromise of such systems can lead to data exfiltration, lateral movement within connected networks, and operational disruption.
The threat is contextual: prior vulnerabilities in the related MOVEit Transfer product have been exploited by the Cl0p ransomware group. While this advisory does not state that the current flaws are actively exploited, the history of MOVEit software in ransomware campaigns suggests prioritizing these patches.
Affected systems and CVEs
- CVE-2026-4670 — Authentication bypass vulnerability (CVSS 9.8) affecting MOVEit Automation ≤ 2025.1.4, ≤ 2025.0.8, and ≤ 2024.1.7
- CVE-2026-5174 — Improper input validation enabling privilege escalation (CVSS 7.7) affecting MOVEit Automation ≤ 2025.1.4, ≤ 2025.0.8, and ≤ 2024.1.7
What to do
- Upgrade MOVEit Automation to version 2025.1.5 or later
- Upgrade MOVEit Automation to version 2025.0.9 or later
- Upgrade MOVEit Automation to version 2024.1.8 or later
- No workarounds are available; patching is mandatory
- Prioritize this patch given the critical CVSS rating and the backend command port accessibility
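To check an inventory against the three affected branches and their fixed releases listed above, here is an added example (not Progress code, not from the advisory) that maps each installed version to its maintenance branch; the hostnames and versions in the sample inventory are constructed, and branches the advisory does not list are reported as unknown rather than assumed safe.

```python
import re
from typing import List, Tuple

# First patched release per maintenance branch, from the advisory summary above.
FIXED_VERSIONS = {
    (2025, 1): (2025, 1, 5),
    (2025, 0): (2025, 0, 9),
    (2024, 1): (2024, 1, 8),
}
CVES = ("CVE-2026-4670", "CVE-2026-5174")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse a version string like '2025.1.4'; a missing patch level counts as 0.
    Malformed input raises ValueError so bad inventory data is never rated safe."""
    m = re.fullmatch(r"\s*(\d{4})\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised MOVEit Automation version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def assess(version_text: str) -> dict:
    """Return status 'vulnerable', 'patched' or 'unknown-branch' plus the
    required fixed version for the host's branch (None if branch unknown)."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:2])  # branch key is (year, minor)
    if fixed is None:
        return {"status": "unknown-branch", "required": None, "cves": CVES}
    status = "vulnerable" if version < fixed else "patched"
    return {"status": status, "required": ".".join(map(str, fixed)), "cves": CVES}


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Rate each (host, version) pair; unparsable versions are flagged 'invalid'."""
    out = []
    for host, ver in inventory:
        try:
            r = assess(ver)
            out.append((host, r["status"], r["required"] or ""))
        except ValueError:
            out.append((host, "invalid", ""))
    return out


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [("mft-prod-01", "2025.1.4"), ("mft-prod-02", "2025.1.5"),
                    ("mft-dr-01", "2024.1.7"), ("mft-lab-01", "2023.0.2"),
                    ("mft-old-01", "n/a")]

if __name__ == "__main__":
    for host, status, required in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {status:14} {'upgrade to ' + required if required else ''}")
```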
Open questions
- The advisory does not specify whether these vulnerabilities are being actively exploited in the wild
- No details are provided on specific attack vectors or proof-of-concept techniques
- The exact date of patch release is not stated in the source material
- It is unclear whether MOVEit Automation versions beyond those listed (older branches or newer versions) may be affected
Source
Progress Patches Critical MOVEit Automation Bug Enabling Authentication Bypass