MOVEit Automation Hit with Critical Auth Bypass (CVSS 9.8) and Privilege Escalation — Patch Immediately
Summary
Progress Software has issued a critical security alert for two vulnerabilities in MOVEit Automation: CVE-2026-4670, a critical authentication bypass (CVSS 9.8), and CVE-2026-5174, a high-severity privilege escalation flaw. Chained together, these vulnerabilities could allow a remote, unauthenticated attacker to bypass authentication and gain full administrative control over the system.
CVE-2026-4670 allows an attacker to bypass authentication with no privileges or user interaction required and low attack complexity. Once inside, CVE-2026-5174, an improper input validation flaw, enables escalation to full administrative privileges. Affected versions are MOVEit Automation 2025.1.4 and earlier, 2025.0.8 and earlier, and 2024.1.7 and earlier.
The vulnerabilities were privately reported by Airbus Security Lab researchers. While there is no confirmed active exploitation yet, a Shodan scan reveals over 1,400 MOVEit Automation instances exposed to the internet, including some belonging to U.S. government agencies. Progress strongly advises upgrading to patched versions using a full installer.
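As an added example (not Progress tooling and not from the articles cited), a small Python triage helper that checks an inventory of MOVEit Automation version strings against the three affected ranges listed above. The three-part version format and the hostnames are assumptions; because the bulletin text here names no fixed build numbers, anything newer on a listed branch is reported only as "not listed as affected", and branches the bulletin does not mention are flagged for manual review rather than assumed safe.

```python
# Affected-version triage for the MOVEit Automation advisory above.
# Added example, not Progress's own tooling. It encodes only the "and earlier"
# ranges the bulletin lists; it does not know the exact fixed builds.
import re
from typing import Dict, Tuple

# Highest affected build per (year, minor) branch, as stated in the advisory.
AFFECTED_CEILINGS: Dict[Tuple[int, int], int] = {
    (2025, 1): 4,   # 2025.1.4 and earlier
    (2025, 0): 8,   # 2025.0.8 and earlier
    (2024, 1): 7,   # 2024.1.7 and earlier
}

# Assumption: versions are reported as three dot-separated integers.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'year.minor.build' into integers; reject anything else."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised MOVEit Automation version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def classify(version: str) -> str:
    """Return 'affected', 'not_listed_as_affected' or 'unknown_branch'."""
    year, minor, build = parse_version(version)
    ceiling = AFFECTED_CEILINGS.get((year, minor))
    if ceiling is None:
        # Branch not named in the bulletin (e.g. an older, unsupported line):
        # needs manual verification rather than an assumption of safety.
        return "unknown_branch"
    return "affected" if build <= ceiling else "not_listed_as_affected"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> classification for a {host: version} inventory."""
    return {host: classify(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"mft-01.example": "2025.1.4", "mft-02.example": "2025.1.5",
              "mft-03.example": "2024.1.2", "mft-04.example": "2023.0.9"}
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```

Hosts reported as "affected" or "unknown_branch" are the ones to schedule for the full-installer upgrade Progress recommends, after confirming the exact fixed build in the vendor bulletin.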
Sources
- The Hacker News — Progress Patches Critical MOVEit Vulnerability
- BleepingComputer — MOVEit Automation Critical Auth Bypass
- Progress Community — Security Alert Bulletin
Commentary
MOVEit just can’t catch a break. After the devastating Clop ransomware campaign that exploited MOVEit Transfer in 2023 — affecting over 2,600 organizations — another critical vulnerability in the MOVEit product family is guaranteed to get attention from threat actors. A CVSS 9.8 authentication bypass with a chainable privilege escalation is about as bad as it gets for a file transfer automation platform.
The saving grace is that these were responsibly disclosed by Airbus Security Lab, giving Progress time to release patches before exploitation. But with 1,400+ instances on Shodan and MOVEit’s history as a prime target, the clock is ticking. If you’re running MOVEit Automation, this is a drop-everything-and-patch situation. The Clop campaign taught us what happens when MOVEit vulnerabilities go unpatched — don’t be the organization that learns that lesson twice.