Full Report
Progress Software warned customers to patch a critical authentication bypass vulnerability in its MOVEit Automation enterprise-grade managed file transfer (MFT) application. [...]
Analysis Summary
# Vulnerability: MOVEit Automation Critical Authentication Bypass
## CVE Details
- **CVE ID:** CVE-2026-4670 (and CVE-2026-5174)
- **CVSS Score:** 9.8 (Critical) *[Estimated based on description]*
- **CWE:** CWE-287 (Improper Authentication) / CWE-20 (Improper Input Validation for CVE-2026-5174)
## Affected Systems
- **Products:** Progress MOVEit Automation
- **Versions:**
- Versions prior to 2025.1.5
- Versions prior to 2025.0.9
- Versions prior to 2024.1.8
- **Configurations:** Systems exposed to the public internet are at highest risk (approx. 1,400 instances identified via Shodan).
## Vulnerability Description
CVE-2026-4670 is a critical authentication bypass vulnerability that allows a remote, unauthenticated attacker to gain access to the MOVEit Automation application. Because the application functions as a central orchestrator for sensitive file transfers across local servers and cloud storage, an authentication bypass can allow an attacker to intercept or manipulate automated data workflows.
Additionally, **CVE-2026-5174** is a high-severity privilege escalation flaw within the same software caused by improper input validation.
## Exploitation
- **Status:** Not currently observed in the wild; no public PoC confirmed in the article.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
- **User Interaction:** None Required
## Impact
- **Confidentiality:** Total (Unrestricted access to data workflows and file transfers)
- **Integrity:** Total (Ability to modify or disrupt automated file transfer tasks)
- **Availability:** High (Potential to delete files or disrupt business-critical automation)
## Remediation
### Patches
Progress Software recommends using the **full installer** to upgrade to the following patched versions:
- MOVEit Automation 2025.1.5
- MOVEit Automation 2025.0.9
- MOVEit Automation 2024.1.8
*Note: An outage is required while the upgrade is being performed.*
### Workarounds
No official workarounds have been provided. The vendor states that upgrading to a patched release is the **only** way to remediate the issue.
## Detection
- **Indicators of Compromise:** Monitor for unusual administrative logins or changes to automated tasks. Check for unauthorized connections to the MOVEit Automation management ports.
- **Detection methods:** Audit application logs for guest or unauthenticated access attempts to restricted endpoints. Use Shodan or internal scanners to identify exposed MOVEit instances (Favicon hash: `989289239`).
## References
- **Vendor Advisory:** hxxps[://]community[.]progress[.]com/s/article/MOVEit-Automation-Critical-Security-Alert-Bulletin-April-2026-CVE-2026-4670-CVE-2026-5174
- **NVD CVE-2026-4670:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2026-4670
- **NVD CVE-2026-5174:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2026-5174
- **BleepingComputer Article:** hxxps[://]www[.]bleepingcomputer[.]com/news/security/progress-warns-of-critical-moveit-automation-auth-bypass-flaw/