PROBABLYPWNED
Vulnerabilities | May 5, 2026 | 3 min read

MOVEit Automation Auth Bypass Hits CVSS 9.8 — Patch Now

Progress patches CVE-2026-4670, a critical authentication bypass in MOVEit Automation that could give attackers admin control. No workarounds available.

Marcus Chen

Progress Software has released emergency patches for two serious vulnerabilities in MOVEit Automation, including a critical authentication bypass rated CVSS 9.8 that could let unauthenticated attackers seize administrative control of affected systems.

The flaws were discovered by Airbus SecLab researchers Anaïs Gantet, Delphine Gourdou, Quentin Liddell, and Matteo Ricordeau, who reported them responsibly to Progress. There's no indication either vulnerability has been exploited in the wild — yet.

Given MOVEit's history as a ransomware target, organizations running MOVEit Automation should treat this as an emergency patching situation.

What's at Stake

CVE-2026-4670 is an authentication bypass vulnerability in MOVEit Automation's service backend command port interface. An unauthenticated attacker can exploit it via low-complexity network attacks — no user interaction required, no special privileges needed.

A second vulnerability, CVE-2026-5174, scores CVSS 7.7 and stems from improper input validation in the same backend command port. Chained together, these flaws enable a complete compromise: bypass authentication, then escalate privileges to full administrative access.

"Critical and high vulnerabilities in MOVEit Automation may allow authentication bypass and privilege escalation through the service backend command port interfaces," Progress stated in its advisory.

Affected Versions

The vulnerabilities impact all MOVEit Automation releases prior to the May 2026 patches:

  • MOVEit Automation 2025.1.4 (17.1.4) and earlier
  • MOVEit Automation 2025.0.8 (17.0.8) and earlier
  • MOVEit Automation 2024.1.7 (16.1.7) and earlier

Progress has released fixed versions: 2025.1.5, 2025.0.9, and 2024.1.8. There are no workarounds — upgrading via the full installer is the only remediation path.
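A version triage for the branches listed above, as an added example (not code from Progress or from this article): it accepts either numbering scheme shown in the list and returns the fixed build for the matching branch. The function names, the sample inventory, and the rule that a major version below 2000 means internal numbering are assumptions.

```python
import re

# Fixed builds from the article, keyed by release branch (marketing numbering).
FIXED = {(2025, 1): 5, (2025, 0): 9, (2024, 1): 8}
# Internal numbering shown in parentheses in the article, mapped to the same branches.
INTERNAL = {(17, 1): (2025, 1), (17, 0): (2025, 0), (16, 1): (2024, 1)}


def triage(version):
    """Classify one installed version string as patched, vulnerable or unknown."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", version)
    if not m:
        return {"version": version, "status": "unparseable", "upgrade_to": None}
    major, minor, patch = (int(g) for g in m.groups())
    internal = major < 2000  # assumption: a year-sized major means marketing numbering
    listed = INTERNAL if internal else FIXED
    branch = INTERNAL.get((major, minor)) if internal else (major, minor)
    if branch in FIXED:
        target = "%d.%d.%d" % (branch[0], branch[1], FIXED[branch])
        if patch >= FIXED[branch]:
            return {"version": version, "status": "patched", "upgrade_to": None}
        return {"version": version, "status": "vulnerable", "upgrade_to": target}
    if (major, minor) < min(listed):
        # Older branch: affected per the article, which lists no fixed build for it.
        return {"version": version, "status": "vulnerable", "upgrade_to": None}
    # Branch the article does not cover: do not guess either way.
    return {"version": version, "status": "unknown", "upgrade_to": None}


def triage_inventory(inventory):
    """Map hostname -> triage result for a {hostname: version} inventory."""
    return {host: triage(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE = {
    "mft-auto-01": "2025.1.4",
    "mft-auto-02": "17.0.9",
    "mft-auto-03": "2024.1.8",
    "mft-auto-04": "2023.1.2",
    "mft-auto-05": "16.1.7",
    "mft-auto-06": "n/a",
}

if __name__ == "__main__":
    for host, result in triage_inventory(SAMPLE).items():
        print(host, result["status"], result["upgrade_to"] or "-")
```

A "vulnerable" result with no upgrade target means the installed branch is older than any branch with a fixed build named here, so the host needs a move to a patched branch rather than an in-branch update.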

Why This Matters

MOVEit products carry significant baggage. In 2023, the Cl0p ransomware gang exploited a zero-day in MOVEit Transfer to breach hundreds of organizations worldwide, including government agencies, financial institutions, and healthcare providers. The incident became one of the most damaging supply chain attacks in recent memory.

Progress has since faced intensified scrutiny over its file transfer products. Earlier this year, critical RCE vulnerabilities in Progress ShareFile demonstrated that the company's enterprise software continues to attract researcher attention — and attacker interest.

While CVE-2026-4670 affects MOVEit Automation rather than MOVEit Transfer, the underlying risk calculus is similar: these products often handle sensitive business data and connect to enterprise networks. An attacker gaining admin control could access stored credentials, exfiltrate data, or pivot deeper into the organization.

The Airbus team's responsible disclosure gives defenders a head start. But with 28% of CVEs now exploited within 24 hours of disclosure according to Mandiant's M-Trends 2026 data, that window is shrinking.

Immediate Actions

Organizations running MOVEit Automation should:

  1. Patch immediately — Download and apply version 2025.1.5, 2025.0.9, or 2024.1.8 depending on your release branch
  2. Audit command port exposure — The vulnerable backend command port should not be internet-accessible
  3. Review automation task credentials — If compromise occurred, stored credentials used by automation tasks may be at risk
  4. Monitor for exploitation attempts — Watch for unusual authentication patterns against MOVEit Automation interfaces

Frequently Asked Questions

Is CVE-2026-4670 being exploited in the wild?

Not according to current reporting. Airbus researchers discovered the vulnerabilities and disclosed them privately to Progress, which patched before public disclosure.

Does this affect MOVEit Transfer?

No. CVE-2026-4670 and CVE-2026-5174 specifically affect MOVEit Automation, the workflow automation component. MOVEit Transfer is a separate product, though organizations often run both together.

Should I block the command port as a temporary measure?

If you cannot patch immediately, restricting network access to the backend command port interface can reduce exposure. However, this may impact legitimate automation workflows. Patching remains the only complete remediation.
