Progress MOVEit Automation Critical Authentication Bypass and Privilege Escalation Vulnerabilities - CVE-2026-4670 and CVE-2026-5174
Progress Software released an out-of-band security bulletin on April 30, 2026 disclosing two vulnerabilities in MOVEit Automation, the workflow scheduler that drives unattended managed file transfers across the MOVEit Transfer and MOVEit Cloud platform. CVE-2026-4670, with a CVSS score of 9.8, is a remote authentication bypass exposed through the product's service backend command port interfaces; CVE-2026-5174, with a CVSS score of 8.8, is an improper input validation flaw that elevates a low-privilege session to administrative rights. Chained together, the two issues allow a network-adjacent attacker with no credentials to take full administrative control of a MOVEit Automation instance, including every secret stored in its task definitions.
Technically, CVE-2026-4670 maps to CWE-305 (Authentication Bypass by Primary Weakness) and is reachable over the network with no privileges or user interaction, with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. CVE-2026-5174 maps to CWE-20 (Improper Input Validation) and ordinarily requires an authenticated foothold, but Progress and independent analysts assess that the authentication bypass furnishes that foothold for free, collapsing the chain into an unauthenticated administrative compromise. Affected releases include MOVEit Automation 2025.1.0 through 2025.1.4, 2025.0.0 through 2025.0.8, 2024.0.0 through 2024.1.7, and every release prior to 2024.0.0; Progress has shipped patches in 2025.1.5, 2025.0.9, and 2024.1.8 and indicates that running the full installer is the only supported remediation.
The risk context is significant because MOVEit Automation customarily stores service-account credentials, SFTP keys, API tokens, and signing certificates for the upstream and downstream systems it moves files between, including ERP, EDI, payroll, healthcare claims, banking, and operational reporting endpoints. Independent scans surfaced more than fourteen hundred internet-exposed MOVEit Automation hosts at disclosure, including more than a dozen affiliated with United States state and local government bodies. While in-the-wild exploitation has not been publicly confirmed at the time of publication, the MOVEit product family was the subject of a mass-exploitation campaign in 2023 that affected thousands of organizations, and Progress has explicitly called for immediate patching.
Threats and Vulnerabilities
CVE-2026-4670, with a CVSS score of 9.8, is an authentication bypass weakness in the MOVEit Automation service backend command port that allows a remote, unauthenticated attacker to invoke privileged operations without supplying credentials. The defect bypasses the platform's primary authentication check, classified by NIST as CWE-305, and grants high confidentiality, integrity, and availability impact to whoever can reach the service port. Because MOVEit Automation typically runs on a Windows server with broad outbound and lateral connectivity, successful exploitation is the precursor that any subsequent attack chain depends upon. Progress disclosed the issue on April 30, 2026 and has not detailed the specific protocol parsing flaw, so defenders must assume any reachable command-port listener is attackable. Upgrading to 2025.1.5, 2025.0.9, or 2024.1.8 remediates the issue, and Progress has not published a temporary mitigation that substitutes for the patch.
CVE-2026-5174, with a CVSS score of 8.8, is an improper input validation flaw in MOVEit Automation that allows an authenticated user to escalate to administrative privileges. The vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H reflects a low-complexity, low-privilege precondition, but external analysis assesses that CVE-2026-4670 supplies the required session for free, producing an end-to-end unauthenticated administrative takeover when the two are chained. An attacker with administrative rights can read every stored credential and certificate, alter the schedule and destination of automated transfers, exfiltrate staged business data, and use the Automation host as a launching pad for lateral movement into corporate, financial, and operational networks. The same fixed releases that close CVE-2026-4670 close this issue, and partial workarounds are not available; the full installer must be used to apply the upgrade.
Client Impact
Operationally, MOVEit Automation deployments routinely orchestrate file movement between revenue-bearing applications such as ERP, banking, payroll, healthcare claims, and EDI partners, and, in industrial environments, between corporate IT and the operational reporting plane that pulls data out of historians, batch records, and SCADA reporting servers. Compromise of the orchestration server therefore puts at risk every credential it holds, every file it has staged or is about to stage, and the integrity of automated workflows that downstream business processes depend on. A successful attacker can also pivot from the Automation server, which is typically domain-joined and granted broad file-share access, into general enterprise lateral movement, which prolongs incident dwell time and broadens the impact footprint.
From a compliance and regulatory standpoint, MOVEit deployments commonly process data covered by HIPAA, PCI DSS, GLBA, SOX, and state breach-notification laws, and in operational settings they may also touch information governed by NERC CIP, IEC 62443, and TSA Security Directives. An administrative compromise of the platform satisfies the unauthorized-access criterion that triggers reporting obligations under most of these regimes, and the 2023 MOVEit Transfer mass-exploitation campaign established a precedent that regulators and class-action plaintiffs will look to when measuring the diligence of a customer's patching response. Documenting the patch window, the systems hardened, the credentials rotated, and the post-patch verification activities is therefore as important as the technical remediation itself.
Mitigations
Progress has indicated that upgrade with the full installer is the only supported remediation path; the steps below give 1898 & Co. clients an end-to-end response plan.
1. Inventory every MOVEit Automation instance, including production, disaster recovery, lab, and partner-hosted, by querying asset management tooling, endpoint detection and response, and software bill of materials data, and confirm the installed build via the product Help and About pane or the registry value HKLM\SOFTWARE\Progress\MOVEit Automation\Version.
2. Upgrade every affected instance to the corresponding patched release of 2025.1.5, 2025.0.9, or 2024.1.8 using the full installer, scheduling a maintenance window that allows for a service restart and a post-upgrade smoke test of representative scheduled tasks.
3. Constrain network exposure by ensuring the MOVEit Automation service backend command port is reachable only from administrative jump hosts and the local machine itself, removing any internet exposure that surfaced in pre-patch scanning, and confirming with an external port scan after firewall changes apply.
4. Rotate every secret stored within MOVEit Automation tasks, including service-account passwords, SFTP keys, API tokens, and signing certificates, on the assumption that a compromise prior to patching could have exfiltrated them, and review file-transfer destinations for unauthorized changes.
5. Enable or expand logging for MOVEit Automation operational events, Windows Security and Sysmon event collection on the host, and bidirectional NetFlow and PCAP for the surrounding subnet, then retain those records for at least ninety days to support forensic review if exploitation predated the patch.
Customers should treat this remediation as priority-one and complete it in line with their highest-severity service level agreement; partial mitigations such as network access control lists do not substitute for the upgrade itself.
1898 & Co. Response
1898 & Co. is actively monitoring Progress Software's bulletin, the National Vulnerability Database, and CISA's Known Exploited Vulnerabilities catalog for any change in the in-the-wild exploitation status of CVE-2026-4670 and CVE-2026-5174. Our managed services team has initiated a sweep of client environments under our care to identify MOVEit Automation deployments and is coordinating patch windows where vulnerable versions are confirmed. Where we operate detection content, we have queued CrowdStrike Falcon, Datadog, and security information and event management rules tuned to the post-exploitation indicators described in the accompanying threat hunt plan.
For clients with internet-exposed MOVEit Automation instances, 1898 & Co. recommends a same-day mitigation that combines the patch with a perimeter access control list restricting the service backend command port to administrative subnets only. We will support clients in conducting a credential rotation exercise once the upgrade lands, with priority given to credentials that authorize transfers into operational, financial, or regulated data stores. Our incident response retainer holders may engage 1898 & Co. directly for compromise assessment, log review, and forensic acquisition.
For operational technology adjacent deployments, meaning installations that exchange files with historians, energy management or SCADA reporting servers, or batch process records, 1898 & Co. will work with operations and engineering teams to ensure that any patch-window outage is staged outside critical production windows and that resumed workflows are verified end-to-end. The 1898 & Co. threat hunting team is publishing a companion threat hunt plan that operationalizes detection across CrowdStrike Falcon, Datadog, Wireshark and tcpdump, Windows Event Logs, and YARA against the MOVEit Automation host and the surrounding network.
Sources
4. MITRE CVE Record - CVE-2026-4670