Progress Patches Critical Authentication Bypass in MOVEit Automation
Progress Software has released critical patches for MOVEit Automation to fix an authentication bypass vulnerability and a privilege escalation flaw that could allow remote attackers to gain administrative control over the system.

Progress Software has issued critical security updates for its MOVEit Automation platform to address two significant vulnerabilities: an authentication bypass flaw (CVE-2026-4670) and a privilege escalation issue (CVE-2026-5174) (The Hacker News). MOVEit Automation is a widely used managed file transfer (MFT) solution that orchestrates complex data workflows across enterprise environments (BleepingComputer).
The more severe of the two, CVE-2026-4670, carries a CVSS score of 9.8 and allows unauthenticated remote attackers to bypass authentication via the service backend command port interface (The Hacker News, Help Net Security). The second, CVE-2026-5174, is rated high severity (CVSS 7.7) and stems from improper input validation, which can allow an already authenticated attacker to escalate their privileges (The Hacker News, Help Net Security). Chained together, the two flaws could give an attacker full administrative control over a MOVEit Automation instance, leading to unauthorized data access, exposure of stored credentials, and a potential foothold in the wider corporate network (Help Net Security).
The vulnerabilities affect three release branches: MOVEit Automation 2025.1.4 and earlier, 2025.0.8 and earlier, and 2024.1.7 and earlier (The Hacker News, Help Net Security). Progress Software has released fixes in versions 2025.1.5, 2025.0.9, and 2024.1.8, respectively (Help Net Security, BleepingComputer). The vendor stresses that running the full installer is the only way to remediate these flaws, and that the upgrade causes a temporary outage of the system (Help Net Security, BleepingComputer).
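A quick inventory triage against the affected and fixed versions listed above, as an added example (not tooling from Progress Software or any of the cited outlets). It assumes MOVEit Automation reports its version as "YYYY.minor.patch" (for example "2025.1.4", the form used in the advisory), ignores any build suffix after those three fields, and deliberately returns "unknown" for any branch the advisory does not name rather than guessing; the hostnames in the sample inventory are constructed.

```python
"""Triage a MOVEit Automation inventory against the version ranges named in
the CVE-2026-4670 / CVE-2026-5174 advisory.

Added example, not Progress Software's own tooling. Assumes version strings
of the form "YYYY.minor.patch"; branches the advisory does not mention are
reported as "unknown" so nobody mistakes a silent gap for "patched".
"""
from __future__ import annotations

import re

# First fixed patch level per branch, as stated in the advisory.
FIXED_BY_BRANCH = {
    (2025, 1): 5,  # 2025.1.4 and earlier affected; fixed in 2025.1.5
    (2025, 0): 9,  # 2025.0.8 and earlier affected; fixed in 2025.0.9
    (2024, 1): 8,  # 2024.1.7 and earlier affected; fixed in 2024.1.8
}

# Leading "YYYY.minor.patch"; anything after (e.g. a build number) is ignored.
_VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Return (year, minor, patch) as integers, or raise ValueError."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised MOVEit Automation version: {text!r}")
    year, minor, patch = (int(g) for g in m.groups())
    return year, minor, patch


def assess(text: str) -> str:
    """Classify one version string as 'vulnerable', 'patched' or 'unknown'."""
    year, minor, patch = parse_version(text)
    fixed = FIXED_BY_BRANCH.get((year, minor))
    if fixed is None:
        # Branch not covered by the advisory: check the vendor bulletin directly.
        return "unknown"
    # Numeric comparison, so 2025.1.10 correctly sorts after 2025.1.5.
    return "vulnerable" if patch < fixed else "patched"


def triage_inventory(hosts) -> dict[str, list[str]]:
    """Group (hostname, version) pairs by status; unparsable versions are 'unknown'."""
    result: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in hosts:
        try:
            status = assess(version)
        except ValueError:
            status = "unknown"
        result[status].append(host)
    return result


# Constructed sample inventory; hostnames are hypothetical.
SAMPLE_INVENTORY = [
    ("mft-prod-01", "2025.1.4"),
    ("mft-prod-02", "2025.1.5"),
    ("mft-dr-01", "2025.0.8"),
    ("mft-legacy", "2024.1.7"),
    ("mft-legacy-2", "2024.1.8"),
    ("mft-lab", "2023.0.3"),
]

if __name__ == "__main__":
    for status, names in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(names) or '-'}")
```

Feed it the version strings you already collect from configuration management or the Shodan/asset inventory, and treat every "unknown" as a manual follow-up: an end-of-life branch is not the same thing as a fixed one.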
While Progress Software has not observed active exploitation of these vulnerabilities in the wild, the potential impact is significant given how much of the platform's footprint is reachable from the internet (The Hacker News, BleepingComputer). Cybersecurity consultant Daniel Card reported that Shodan scans reveal over 1,400 MOVEit Automation instances exposed online, including more than a dozen systems associated with U.S. state and local government agencies (BleepingComputer). Airbus SecLab researchers Anaïs Gantet, Delphine Gourdou, Quentin Liddell, and Matteo Ricordeau are credited with discovering and privately reporting the flaws (The Hacker News).
The security community remains particularly sensitive to vulnerabilities in MOVEit products following the 2023 campaign by the Cl0p ransomware gang, which exploited a separate zero-day in MOVEit Transfer to compromise over 2,100 organizations (BleepingComputer, Help Net Security). Because MFT solutions centralize sensitive data and credentials, they are frequent targets for threat actors seeking to carry out large-scale data theft (BleepingComputer). Organizations running MOVEit Automation are urged to monitor audit logs for anomalous activity or signs of unauthorized access, which may indicate exploitation attempts (Help Net Security).