"Critical and high vulnerabilities in MOVEit Automation may allow authentication bypass and privilege escalation through the service backend command port interfaces," Progress Software said in an advisory.
CVE-2026-4670 and CVE-2026-5174: the technical short story
Progress Software has disclosed two vulnerabilities in MOVEit Automation: CVE-2026-4670, an authentication bypass rated CVSS 9.8, and CVE-2026-5174, an improper input validation flaw rated CVSS 7.7. According to Progress, exploitation of those flaws via the product's "service backend command port interfaces" may result in unauthorized access, administrative control, and data exposure.
MOVEit Automation — formerly called Central — is described by the vendor as a secure, server-based managed file transfer (MFT) solution used to schedule and automate file movement workflows in enterprise environments without requiring any custom scripts. The two vulnerabilities lie in core parts of that service, in how the product authenticates and validates commands received on its backend command port interfaces.
Patches released and the precise versions affected
Progress published fixes and enumerated the affected builds. The vulnerabilities affect the following MOVEit Automation releases and are resolved in the successor patches listed:
- MOVEit Automation versions up to and including 2025.1.4 — fixed in MOVEit Automation 2025.1.5
- MOVEit Automation versions up to and including 2025.0.8 — fixed in MOVEit Automation 2025.0.9
- MOVEit Automation versions up to and including 2024.1.7 — fixed in MOVEit Automation 2024.1.8
Progress also stated there are no workarounds that resolve the issues, which places the onus on administrators to install the supplied updates to eliminate the vulnerabilities.
Discovery and reporting: Airbus SecLab credited
Progress credited researchers from Airbus SecLab for discovering and reporting the two flaws. The researchers named are Anaïs Gantet, Delphine Gourdou, Quentin Liddell, and Matteo Ricordeau. Progress's advisory acknowledges their contribution in responsible disclosure of the issues.
What this means for technologists, affected enterprises, and adversaries
- Technologists and security teams: With no available workaround, teams running MOVEit Automation on affected versions must prioritize installing the fixed versions (2025.1.5, 2025.0.9, or 2024.1.8) to close an authentication-bypass path that Progress warns could lead to administrative takeover and data exposure.
- Affected enterprises and procurement leaders: Organizations using MOVEit Automation should inventory their deployments against the specific builds listed by Progress and accelerate patching. The product's role in automating file movement workflows raises the potential operational impact if administrative access were obtained.
- Adversaries and threat actors: Although Progress "makes no mention of the flaws being exploited in the wild," the combination of an authentication bypass and a privilege-escalation vector creates an attractive target where successful exploitation could yield persistent, high-level access.
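To make the inventory step concrete, here is an added example (not code from Progress or from the advisory) that classifies a MOVEit Automation build string against the affected and fixed versions listed above. It assumes builds are written as YEAR.MINOR.PATCH (e.g. "2025.1.4") and that the first two components identify the branch; the host names and versions in the sample inventory are constructed, and any branch not named in the advisory is flagged for manual review rather than treated as safe. How you collect the installed version from each server is outside the script.

```python
"""Classify MOVEit Automation builds against the fixed releases in the Progress advisory.

Added example, not vendor code. Assumption: version strings look like
YEAR.MINOR.PATCH and the (YEAR, MINOR) pair identifies the release branch.
"""
from __future__ import annotations

# Fixed release per branch, taken from the advisory:
#   <= 2025.1.4 -> 2025.1.5, <= 2025.0.8 -> 2025.0.9, <= 2024.1.7 -> 2024.1.8
FIXED_BY_BRANCH: dict[tuple[int, int], tuple[int, int, int]] = {
    (2025, 1): (2025, 1, 5),
    (2025, 0): (2025, 0, 9),
    (2024, 1): (2024, 1, 8),
}

# Constructed sample inventory (host, installed version); not real systems.
SAMPLE_INVENTORY: list[tuple[str, str]] = [
    ("mft-prod-01", "2025.1.4"),
    ("mft-prod-02", "2025.1.5"),
    ("mft-dr-01", "2024.1.7"),
    ("mft-lab-01", "2023.0.2"),
]


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'YEAR.MINOR.PATCH' into an integer tuple so builds compare numerically.

    Rejects anything else so a malformed inventory entry fails loudly instead of
    silently comparing as 'patched'.
    """
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised MOVEit Automation version string: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def fmt(version: tuple[int, int, int]) -> str:
    return ".".join(str(n) for n in version)


def assess(version_text: str) -> dict:
    """Return the build's status: 'affected', 'patched', or 'review' (branch not in the advisory)."""
    v = parse_version(version_text)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        # Branch not listed by Progress: needs a human decision, never assumed safe.
        return {"version": version_text, "status": "review", "fixed_in": None}
    status = "patched" if v >= fixed else "affected"
    return {"version": version_text, "status": status, "fixed_in": fmt(fixed)}


def triage(inventory: list[tuple[str, str]]) -> list[dict]:
    """Return the hosts that still need action, affected builds first, then branches to review."""
    order = {"affected": 0, "review": 1, "patched": 2}
    report = []
    for host, version in inventory:
        rec = assess(version)
        rec["host"] = host
        report.append(rec)
    report.sort(key=lambda r: (order[r["status"]], r["host"]))
    return [r for r in report if r["status"] != "patched"]


if __name__ == "__main__":
    for rec in triage(SAMPLE_INVENTORY):
        target = rec["fixed_in"] or "check with vendor"
        print(f'{rec["host"]:12} {rec["version"]:10} {rec["status"]:9} -> {target}')
```

The tuple comparison is what keeps the check honest for later patch levels: a hypothetical 2024.1.10 sorts above 2024.1.8 numerically, whereas a naive string comparison would rank it below and report a patched host as affected.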
Operational context: no reported exploitation, but prior history raises stakes
Progress did not report any detected in-the-wild exploitation tied to these two MOVEit Automation flaws. Nonetheless, the vendor emphasized urgency: "Exploitation may lead to unauthorized access, administrative control, and data exposure," and outside commentary on the advisory noted the importance of applying fixes promptly. The advisory also invoked prior incidents as context: earlier flaws in MOVEit Transfer have been exploited by ransomware gangs like Cl0p, a fact that underscores why organizations should not delay remediation even when active exploitation has not been confirmed.
Because Progress says there are no workarounds, the only complete mitigation documented in the advisory is to upgrade to the fixed releases noted above.
Progress Software's advisory and the patch releases leave a narrow, concrete path for affected customers: verify your MOVEit Automation build, update to the fixed release applicable to your branch, and treat the authentication-bypass and input-validation fixes as high-priority. The combination of a CVSS 9.8 authentication bypass and a CVSS 7.7 privilege-escalation bug, lack of workarounds, and the product's role in automating file transfers makes that work a pragmatic urgency rather than a discretionary change.