Progress Software Discloses Critical Authentication Bypass Vulnerability (CVE-2026-4670) in MOVEit Automation

MOVEit Automation Hit with Critical 9.8 CVSS Auth Bypass Flaw (CVE-2026-4670)

CRITICAL
May 1, 2026
Vulnerability, Patch Management

Related Entities

Organizations

Progress Software, National Vulnerability Database (NVD)

Products & Tech

MOVEit Automation

CVE Identifiers

CVE-2026-4670
CRITICAL
CVSS:9.8


Executive Summary

Progress Software has disclosed a new critical vulnerability in its MOVEit Automation software, tracked as CVE-2026-4670. The flaw is an authentication bypass that could allow a remote, unauthenticated attacker to gain unauthorized access to the system, potentially with administrative privileges. The vulnerability has been assigned a CVSS score of 9.8 (Critical). A second, less severe privilege escalation flaw, CVE-2026-5174, was also patched. Given the history of widespread, devastating attacks targeting the MOVEit ecosystem (notably the MOVEit Transfer campaign of 2023), any critical vulnerability in this product line is cause for immediate concern and action. Progress Software is strongly recommending that all customers apply the provided patches without delay.

Vulnerability Details

  • CVE-2026-4670: This is the primary, critical vulnerability. It is an authentication bypass flaw. While specific technical details have not been publicly released to prevent further exploitation, an authentication bypass in a file transfer system typically allows an attacker to access the system's functions without providing valid credentials. This could lead to unauthorized access to sensitive files, modification of transfer tasks, or full administrative control of the MOVEit Automation server. The attack vector is likely via a specially crafted request to a web-facing component of the software, making it an instance of T1190 - Exploit Public-Facing Application.

  • CVE-2026-5174: This is a secondary vulnerability involving improper input validation, which could lead to privilege escalation. An attacker who already has low-level access to the system could potentially exploit this to gain higher privileges.

Affected Systems

The vulnerabilities affect multiple versions of MOVEit Automation. Customers should check their specific version against the following list:

  • All versions prior to 2024.0.0
  • Versions 2024.0.0 up to 2024.1.8
  • Versions 2025.0.0 up to 2025.0.9

Progress Software has released patched versions (2024.1.8, 2025.0.9, and a new version for older editions) to address these vulnerabilities.

Exploitation Status

As of the disclosure, Progress Software has not stated that these vulnerabilities are being actively exploited in the wild. However, the history of the MOVEit brand makes it an extremely high-profile target for threat actors. Security researchers and attackers will be actively reverse-engineering the patch to develop a working exploit. The time to exploitation is likely to be very short.

Impact Assessment

The potential impact of CVE-2026-4670 is severe. MOVEit Automation is used by thousands of organizations worldwide to automate the transfer of critical and sensitive files, including financial data, PII, and intellectual property. An attacker who successfully exploits this vulnerability could:

  • Steal, modify, or delete sensitive data in transit or at rest.
  • Disrupt critical business processes that rely on automated file transfers.
  • Gain a foothold within the network to launch further attacks.
  • Achieve full administrative control over the MOVEit server.

The mass exploitation of the MOVEit Transfer vulnerability in 2023 by the Clop ransomware group affected over 2,700 organizations and 95 million individuals, demonstrating the catastrophic potential of a flaw in this ecosystem.

Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

  • Vulnerable Versions: Use asset inventory systems to identify all instances of MOVEit Automation running a vulnerable version.
  • Web Logs: Monitor web server logs for the MOVEit Automation instance for any unusual or malformed requests, especially to authentication endpoints. Look for requests that result in a successful login without the expected preceding steps.
  • Application Logs: Review MOVEit Automation application logs for unauthorized access, unexpected changes to transfer tasks, or new administrative accounts.
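The web-log hint above (a successful request with no preceding login) can be turned into a simple hunt. The following is an added example, not part of the original article and not Progress Software's tooling; it assumes Common/Combined Log Format, and the `/example/...` paths, the 8-hour session window, and keying on client IP are all placeholder assumptions to replace with what your own logs show.

```python
import re
from datetime import datetime, timedelta

# Hypothetical placeholders, NOT MOVEit Automation's real routes; use the paths in your own logs.
AUTH_PATHS = {"/example/login"}
PROTECTED_PREFIXES = ("/example/admin/", "/example/tasks/")
SESSION_WINDOW = timedelta(hours=8)  # assumed maximum session lifetime

LINE_RE = re.compile(  # Common/Combined Log Format
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed lines are skipped here; review them separately
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]  # ignore the query string
    return m["ip"], ts, m["method"], path, int(m["status"])

def find_unauthenticated_successes(lines):
    """Flag 2xx on protected paths with no prior successful login (input in time order)."""
    last_login, findings = {}, []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if path in AUTH_PATHS and method == "POST" and status in (200, 302):
            last_login[ip] = ts  # successful login seen from this client
        elif path.startswith(PROTECTED_PREFIXES) and 200 <= status < 300:
            seen = last_login.get(ip)
            if seen is None or ts - seen > SESSION_WINDOW:
                findings.append((ip, ts.isoformat(), method, path))
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Apr/2026:09:00:00 +0000] "POST /example/login HTTP/1.1" 302 0',
    '192.0.2.10 - - [30/Apr/2026:09:00:05 +0000] "GET /example/admin/users HTTP/1.1" 200 512',
    '203.0.113.5 - - [30/Apr/2026:10:00:00 +0000] "POST /example/login HTTP/1.1" 401 87',
    '203.0.113.5 - - [30/Apr/2026:10:00:02 +0000] "GET /example/admin/users HTTP/1.1" 401 87',
    '198.51.100.7 - - [30/Apr/2026:22:14:03 +0000] "GET /example/admin/users HTTP/1.1" 200 512',
    '198.51.100.7 - - [30/Apr/2026:22:14:09 +0000] "POST /example/tasks/42 HTTP/1.1" 201 64',
]

if __name__ == "__main__":
    print(*find_unauthenticated_successes(SAMPLE_LOG), sep="\n")
```

Where the server sits behind a reverse proxy or NAT, key on the session cookie or forwarded client address instead of the source IP, and treat hits as leads to correlate with the application logs rather than as confirmed compromise.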

Detection Methods

  • Vulnerability Scanning: Run authenticated and unauthenticated vulnerability scans against MOVEit Automation servers to identify the presence of the flaw.
  • Network Monitoring: Monitor network traffic to and from the MOVEit Automation server for connections to suspicious IP addresses, which could indicate C2 communication from an implant.
  • File Integrity Monitoring (FIM): Monitor critical MOVEit Automation system files and directories for unauthorized changes.

Remediation Steps

  1. Patch Immediately: This is the most critical step. All customers must upgrade to a patched version of MOVEit Automation as soon as possible. Progress has stated that the full installer must be used; simply applying a patch file is not sufficient.
  2. Plan for Downtime: The upgrade process will require a system outage. Organizations must plan for this downtime to apply the patch.
  3. Restrict Access: As a compensating control and a matter of best practice, restrict network access to the MOVEit Automation server. Ensure that only trusted systems and users can connect to its management interfaces. This aligns with MITRE Mitigation M1035 - Limit Access to Resource Over Network.
  4. Review Logs: After patching, review system and application logs for any signs of compromise that may have occurred before the patch was applied.

Timeline of Events

  1. April 30, 2026: Progress Software discloses CVE-2026-4670 and CVE-2026-5174 and releases patches.
  2. May 1, 2026: This article was published.

MITRE ATT&CK Mitigations

The primary and most urgent mitigation is to apply the full installer update provided by Progress Software.

Restrict network access to the MOVEit Automation server's interfaces to only authorized and necessary systems.

Audit (M1047, enterprise)

After patching, conduct a thorough review of all system and application logs to hunt for any signs of pre-patch compromise.

Sources & References

CVE-2026-4670 Detail
NIST NVD (nvd.nist.gov) April 30, 2026

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

MOVEit, MOVEit Automation, CVE-2026-4670, CVE-2026-5174, Vulnerability, Authentication Bypass, Progress Software, Patch Management
