Critical MOVEit Automation vulnerabilities allow authentication bypass and privilege escalation


Progress Software has patched two serious MOVEit Automation vulnerabilities that can let attackers bypass authentication, escalate privileges, and potentially gain administrative control of affected systems.

The flaws are tracked as CVE-2026-4670 and CVE-2026-5174. The first is a critical authentication bypass issue with a CVSS score of 9.8, while the second is a high-severity privilege escalation flaw with a CVSS score of 7.7.

MOVEit Automation customers should upgrade to a fixed version immediately. The platform helps organizations automate secure file movement, so a compromise could expose sensitive workflows, stored credentials, business files, and connected systems.

What Progress fixed

Progress says the vulnerabilities affect the service backend command port interfaces in MOVEit Automation. Successful exploitation may lead to unauthorized access, administrative control, and data exposure.

The company credited Airbus SecLab researchers Anaïs Gantet, Delphine Gourdou, Quentin Liddell, and Matteo Ricordeau with reporting the vulnerabilities.

The issue affects several supported MOVEit Automation branches. Older unsupported versions also remain at risk and should move to a supported release path.

At a glance

| CVE | Issue | Severity | Attack requirement | Main risk |
| --- | --- | --- | --- | --- |
| CVE-2026-4670 | Authentication bypass by primary weakness | Critical, CVSS 9.8 | No privileges required | Unauthorized access |
| CVE-2026-5174 | Improper input validation | High, CVSS 7.7 | Low privileges required | Privilege escalation |

Why these MOVEit Automation flaws matter

CVE-2026-4670 creates the highest risk because it can allow authentication bypass. An attacker does not need a valid account to exploit this flaw, according to the CVSS vector assigned by Progress.

CVE-2026-5174 requires low privileges, but it can raise the attacker’s level of access. When chained with the authentication bypass flaw, the two issues may create a path toward administrative control.

MOVEit Automation often handles scheduled transfers between internal systems, cloud services, partners, and other business platforms. That makes it a valuable target for attackers seeking data, credentials, and access to connected environments.

Affected MOVEit Automation versions

The affected versions include MOVEit Automation 2025.1.4 and earlier, 2025.0.8 and earlier, and 2024.1.7 and earlier.

NVD also lists affected ranges that include versions from 2025.1.0 before 2025.1.5, from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, and versions prior to 2024.0.0 for CVE-2026-5174.

Administrators can check the installed version from the Web Admin interface by opening Help and then About. Progress recommends using the full installer to move to a fixed release.

Patched versions

| Installed branch | Vulnerable versions | Fixed version |
| --- | --- | --- |
| MOVEit Automation 2025.1 | 2025.1.4 and earlier | 2025.1.5 or later |
| MOVEit Automation 2025.0 | 2025.0.8 and earlier | 2025.0.9 or later |
| MOVEit Automation 2024.1 | 2024.1.7 and earlier | 2024.1.8 or later |
| Older versions | Unsupported or prior release lines | Upgrade to a supported fixed release |

How administrators should respond

Progress says upgrading to a patched release with the full installer is the only way to remediate the issue. The company also warns that the upgrade will cause a system outage while the installer runs.

Security teams should not treat this as a normal maintenance update. MOVEit products remain attractive targets because managed file transfer systems often sit near sensitive business data.

There is no public indication in the main vendor and security advisories that these two vulnerabilities have been exploited in the wild. Still, the risk level remains high because the authentication bypass flaw is remotely exploitable and does not require credentials.

  • Confirm the installed MOVEit Automation version from the Web Admin dashboard.
  • Upgrade to MOVEit Automation 2025.1.5, 2025.0.9, or 2024.1.8.
  • Use the full installer, not a partial workaround.
  • Plan for a short outage during the upgrade process.
  • Review audit logs for unexpected privilege escalation.
  • Check for unauthorized access or unusual backend activity.
  • Review stored credentials and rotate them if suspicious activity appears.
  • Move unsupported installations to a supported release line.
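To make the first two checklist steps repeatable across a fleet, the following added example (not from Progress or the advisory) compares a version string read from Help > About against the affected and fixed ranges given above. It compares versions numerically, so a build such as 2025.1.10 is correctly treated as later than 2025.1.5, and it treats the 2024.0 line as affected per the NVD range that starts at 2024.0.0.

```python
"""Triage a MOVEit Automation version string against the affected and fixed
ranges published for CVE-2026-4670 and CVE-2026-5174 (added example)."""
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Fixed build per supported branch, taken from the advisory's patched-versions table.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (2025, 1): (2025, 1, 5),
    (2025, 0): (2025, 0, 9),
    (2024, 1): (2024, 1, 8),
    # NVD lists 2024.0.0 up to (not including) 2024.1.8 as affected, so the
    # 2024.0 line has no fix of its own and must move to 2024.1.8 or later.
    (2024, 0): (2024, 1, 8),
}

VERSION_RE = re.compile(r"^(\d{4})\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Version:
    """Parse 'YYYY.minor.patch' into an int tuple so comparisons are numeric, not lexical."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised MOVEit Automation version: {text!r}")
    year, minor, patch = (int(x) for x in match.groups())
    return (year, minor, patch)


def assess(text: str) -> Tuple[str, str]:
    """Return (status, action); status is 'fixed', 'vulnerable', 'unsupported' or 'not-listed'."""
    version = parse_version(text)
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        if version < (2024, 0, 0):
            # Advisory: versions before 2024.0.0 are affected and out of support.
            return ("unsupported", "upgrade to a supported fixed release (2024.1.8 or later)")
        # A branch newer than anything in the advisory; do not assume it is safe or unsafe.
        return ("not-listed", "branch not covered by the advisory; verify with the vendor")
    if version >= fixed:
        return ("fixed", "no action required for these two CVEs")
    fixed_str = ".".join(str(part) for part in fixed)
    return ("vulnerable", f"upgrade to {fixed_str} or later using the full installer")


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("mfa-01", "2025.1.4"), ("mfa-02", "2025.1.10"), ("mfa-03", "2023.1.2")]:
        print(host, ver, *assess(ver))
```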

What security teams should monitor

Progress says unexpected privilege escalation, unauthorized access, or anomalous activity in audit logs may indicate possible exploitation of CVE-2026-4670.

Teams should also review administrative accounts, scheduled tasks, transfer workflows, credential stores, and new or modified automation jobs. Suspicious changes in these areas may point to abuse of the platform.

Organizations should also check whether MOVEit Automation can reach sensitive internal systems. If it can, incident response teams should widen their review beyond the application itself.

Why older MOVEit incidents raise concern

MOVEit Transfer was heavily targeted in 2023 after a separate zero-day vulnerability exposed many organizations to data theft. The newly patched issues affect MOVEit Automation, not the same MOVEit Transfer flaw from 2023.

Even so, that history explains why administrators now treat MOVEit security updates with urgency. Attackers have repeatedly shown interest in managed file transfer products because they can provide access to valuable business data.

The safest response is simple: patch first, then investigate. Any internet-exposed or business-critical MOVEit Automation server should move to the fixed version as soon as possible.

FAQ

Which versions fix the vulnerabilities?

The fixed versions are MOVEit Automation 2025.1.5, 2025.0.9, and 2024.1.8.

Which MOVEit Automation versions are affected?

Affected versions include MOVEit Automation 2025.1.4 and earlier, 2025.0.8 and earlier, 2024.1.7 and earlier, and older unsupported versions.

What is CVE-2026-5174?

CVE-2026-5174 is an improper input validation vulnerability in MOVEit Automation. It can allow attackers with low privileges to escalate access.

What is CVE-2026-4670?

CVE-2026-4670 is a critical authentication bypass vulnerability in Progress MOVEit Automation. It can allow unauthenticated attackers to bypass login protections.
