Progress Software has shipped emergency fixes for two critical flaws in MOVEit Automation, the workflow engine bolted on top of the company’s MOVEit Transfer file-transfer servers. The headline bug is CVE-2026-4670, an authentication-bypass-by-primary-weakness flaw rated CVSS 9.8 that lets an unauthenticated attacker on the network reach administrative control of the service. A companion bug, CVE-2026-5174, is an improper-input-validation flaw scoring 7.7 that allows privilege escalation once a foothold exists. Both were reported privately by researchers at Airbus and disclosed in Progress’s April 2026 critical security alert bulletin.
There is no public evidence of in-the-wild exploitation as of this writing. That distinction matters less than usual here: MOVEit is the same product family that Cl0p shredded in mid-2023 via CVE-2023-34362, an SQL injection that drove one of the largest mass-exploitation campaigns on record. Defenders watching this CVE assume the patch window closes the moment a working PoC drops.
What’s broken
CVE-2026-4670 sits in the service backend command port interface that MOVEit Automation exposes for inter-component coordination. The flaw is classified under CWE-305 (“Authentication Bypass by Primary Weakness”), a polite way of saying the auth gate exists but can be sidestepped without finding a valid credential, token, or session. The CVSS vector is AV:N/AC:L/AT:N/PR:N/UI:N, i.e., remotely reachable, low complexity, no privileges, no user interaction. A successful attacker gains administrative access to the service, which in MOVEit’s world means: read and modify automation tasks, inject arbitrary file-transfer jobs, exfiltrate or tamper with files in flight, and pivot to the secrets the automation engine holds for connected systems (S3, SFTP endpoints, Azure blob, on-prem shares, Salesforce, etc.).
CVE-2026-5174 is the follow-on. Once an attacker is talking to the service backend, malformed input can be used to escalate privileges further inside the automation runtime. The two chain neatly: bypass auth on the command port, escalate, own the host’s automation context.
Affected versions
The advisory covers all currently supported MOVEit Automation release trains:
- 2025.1.4 (17.1.4) and earlier
- 2025.0.8 (17.0.8) and earlier
- 2024.1.7 (16.1.7) and earlier
End-of-life branches (anything older than 2024.1) inherit the same defect with no fix coming. If you are still running them, you have a bigger problem than this CVE.
Patches
Progress has released:
- 2025.1.5
- 2025.0.9
- 2024.1.8
Hot-patching is not offered. The advisory makes a point of saying that the full installer is the only supported remediation path — operators cannot drop in a patched DLL, restart the service, and call it done. That raises the friction for a managed-file-transfer product whose customers are typically banks, insurers, and federal contractors with change-control boards measured in weeks, not hours. Plan accordingly.
Mitigation while you schedule the install
If you cannot apply the upgrade immediately, the operative containment is network isolation of the service backend command port. MOVEit Automation’s command port is not the user-facing web UI; it is an internal control channel that should never have been exposed to untrusted networks in the first place. Audit your firewall and host-firewall rules and verify the port is reachable only from the management plane and the MOVEit Automation peers it actually needs to talk to. Any reachability from the internet, from a flat corporate VLAN, or from contractor-accessible subnets is the bug’s blast radius.
Beyond that:
- Pull recent logs for unexpected connections to the command port and any task creation, modification, or credential-store reads that did not originate from a known operator.
- Rotate MOVEit Automation’s stored credentials for every connected system after patching — assume the credential store is compromised if the host was reachable.
- If you front MOVEit Automation with a WAF, the WAF is irrelevant here; this is not a web request, it’s a backend protocol abuse.
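The two containment steps above, verifying that the command port is reachable only from the management plane and pulling logs for unexpected connections to it, amount to one check: every accepted connection to that port whose source is outside an allowlist is a finding. The following Python script is an added example and not Progress code; it assumes a constructed key=value connection-record format (standing in for a host-firewall or flow export), a placeholder port number, and constructed management and peer networks, all of which need to be replaced with your own values.

```python
"""Audit connection records for exposure of the MOVEit Automation command port.

Added example, not code from Progress or the advisory.  The port number, the
log format and the allowlisted networks below are constructed placeholders.
"""
import ipaddress
from collections.abc import Iterable

# PLACEHOLDER (assumption): substitute the command port documented by Progress.
COMMAND_PORT = 12345

# Assumption: only these networks may reach the command port, i.e. the
# management plane and the MOVEit Automation peers that need to talk to it.
MANAGEMENT_ALLOWLIST = [
    ipaddress.ip_network("10.0.0.0/24"),   # constructed: management jump hosts
    ipaddress.ip_network("10.0.1.0/24"),   # constructed: MOVEit Automation peers
]

# RFC 1918 space; anything outside it is treated as internet-sourced.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample records.  198.51.100.x is a documentation range used here
# as a stand-in for an external address; the 443 record shows out-of-scope traffic.
SAMPLE_RECORDS = """\
ts=2026-04-15T10:02:11Z src=10.0.0.15 sport=51234 dst=10.0.5.20 dport=12345 action=ALLOW
ts=2026-04-15T10:02:40Z src=10.0.1.7 sport=40022 dst=10.0.5.20 dport=12345 action=ALLOW
ts=2026-04-15T10:03:02Z src=10.200.8.44 sport=60111 dst=10.0.5.20 dport=12345 action=ALLOW
ts=2026-04-15T10:03:09Z src=198.51.100.23 sport=44312 dst=10.0.5.20 dport=12345 action=ALLOW
ts=2026-04-15T10:03:30Z src=198.51.100.23 sport=44313 dst=10.0.5.20 dport=443 action=ALLOW
ts=2026-04-15T10:04:01Z src=10.200.8.44 sport=60112 dst=10.0.5.20 dport=12345 action=DROP
"""


def parse_record(line: str) -> dict:
    """Split a 'key=value key=value' record into a dict; ignores malformed tokens."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        if key and value:
            fields[key] = value
    return fields


def source_class(ip: str) -> str:
    """Classify a source address relative to the allowlist and RFC 1918 space."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in MANAGEMENT_ALLOWLIST):
        return "allowlisted"
    if any(addr in net for net in RFC1918):
        return "internal-unexpected"   # flat VLAN, contractor subnet, etc.
    return "internet"


def audit(lines: Iterable[str], port: int = COMMAND_PORT) -> list[dict]:
    """Return every accepted connection to the command port from a source
    outside the allowlist, tagged with a severity for triage.

    Dropped attempts never reached the service and are skipped here; traffic
    to other ports is out of scope for this CVE."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("dport") != str(port) or rec.get("action", "").upper() != "ALLOW":
            continue
        cls = source_class(rec["src"])
        if cls == "allowlisted":
            continue
        findings.append({
            "ts": rec.get("ts"),
            "src": rec["src"],
            "sport": rec.get("sport"),
            "class": cls,
            "severity": "critical" if cls == "internet" else "high",
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RECORDS.splitlines()):
        print(f"{f['severity']:8} {f['ts']} {f['src']}:{f['sport']} ({f['class']})")
```

Any "internet" finding means the command port is reachable from outside the network perimeter and the host should be treated as exposed; an "internal-unexpected" finding means the firewall rules the text tells you to audit are wider than the management plane. Either way, the task-creation, modification and credential-store-read events from the same time window are the next thing to pull.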
Why this one will move fast
Three factors compress the window between disclosure and exploitation. First, MFT systems sit at the boundary of regulated data flows; they are high-value targets because everyone interesting connects to them. Second, the Cl0p MOVEit Transfer campaign in 2023 created persistent attacker tooling and reconnaissance datasets for this product family — anybody indexing MFT exposure has a head start. Third, “auth bypass on a backend command channel” is exactly the bug class that yields a clean, deterministic exploit once one researcher publishes; expect Metasploit and Nuclei templates within days of a public PoC.
If you operate MOVEit Automation, treat this as a same-day patch.
References
- Progress MOVEit Automation Critical Security Alert Bulletin — April 2026 (CVE-2026-4670, CVE-2026-5174)
- NVD entry for CVE-2026-4670
- Help Net Security: Critical MOVEit Automation auth bypass vulnerability fixed
- BleepingComputer: Progress warns of critical MOVEit Automation auth bypass flaw
- The Hacker News: Progress Patches Critical MOVEit Automation Bug Enabling Authentication Bypass
- CCB Belgium advisory