Brief Summary: CVE-2026-4670 Critical Authentication Bypass in Progress MOVEit Automation

A short review of CVE-2026-4670, a critical authentication bypass vulnerability in Progress Software MOVEit Automation that allows unauthenticated remote attackers to gain unauthorized access via backend command port interfaces.

CVE Analysis


ZeroPath CVE Analysis

2026-04-30

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

A critical authentication bypass in Progress Software MOVEit Automation allows unauthenticated remote attackers to gain access through the service's backend command port interfaces, and carries a CVSS 3.1 base score of 9.8. Given the MOVEit product line's history as a target for mass exploitation, including the 2023 campaign that affected over 2,000 organizations and roughly 60 million individuals, this vulnerability demands immediate attention from any organization running affected versions.

MOVEit Automation is a managed file transfer automation platform used by IT teams worldwide to schedule, manage, and monitor file transfers across internal systems, external partners, and cloud environments. It supports compliance with regulations such as HIPAA, GDPR, and PCI DSS, and is widely deployed in enterprise environments handling sensitive data. Its role as a file transfer orchestration layer makes it a particularly attractive target for threat actors seeking access to business critical data flows.

Technical Information

CVE-2026-4670 is classified under CWE-305 (Authentication Bypass by Primary Weakness). The vulnerability exists within the service backend command port interfaces of MOVEit Automation. The full CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Breaking that down: the flaw is reachable over the network, requires low attack complexity, demands no privileges and no user interaction, and achieves high impact across confidentiality, integrity, and availability.

The vulnerability was discovered by researchers at Airbus SecLab and disclosed alongside a companion vulnerability, CVE-2026-5174, an improper input validation flaw that enables privilege escalation. Together the two form a dangerous chain: an attacker first exploits CVE-2026-4670 to bypass authentication entirely on the backend command port, then leverages CVE-2026-5174 to escalate privileges and obtain full administrative control over the MOVEit Automation environment.

The backend command port interfaces are the core attack surface here. Because the CVSS vector specifies no required privileges (PR:N) and no user interaction (UI:N), exploitation can be performed by a completely unauthenticated remote attacker. The low attack complexity (AC:L) further indicates that no special preconditions or race conditions are needed. In practical terms, any host that can reach the command port on the network should be treated as a potential attacker until the upgrade is applied.

Successful exploitation grants an attacker unauthorized access to the automation platform. From there, the attacker could manipulate scheduled file transfers, exfiltrate data in transit, modify transfer configurations, or pivot to connected systems and partners. When combined with the privilege escalation from CVE-2026-5174, the attacker would have the same level of control as a legitimate administrator.

Affected Systems and Versions

The following version branches of MOVEit Automation are affected:

Affected versions                                          Fixed version
MOVEit Automation 2025.1.4 and earlier (2025.1.x branch)   MOVEit Automation 2025.1.5
MOVEit Automation 2025.0.8 and earlier (2025.0.x branch)   MOVEit Automation 2025.0.9
MOVEit Automation 2024.1.7 and earlier (2024.1.x branch)   MOVEit Automation 2024.1.8
Versions prior to 2024.0.0                                 Must upgrade to a supported fixed version

Organizations running any version of MOVEit Automation older than the fixed releases listed above should treat their deployments as vulnerable. The only remediation confirmed by Progress Software is installing a patched release using the full installer. No workaround, hotfix, or configuration change is documented as mitigating this vulnerability, so patching should not be deferred in favor of compensating controls.

To verify the currently installed version, administrators should open the MOVEit Automation Web Admin, navigate to the Help menu, select About, and review the version information displayed. Customers on a current maintenance agreement can obtain the upgrade through the Progress Community portal.
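When more than a handful of instances are in scope, the version read from Help > About is usually collected into an inventory and triaged in bulk. The following is an added example, not code from Progress or from this page, that encodes the fix table above and classifies a version string as affected or fixed. It also handles the edge cases the table leaves implicit: four-part build numbers such as 2025.1.4.1 (below the fixed release, so still affected), releases older than 2024.0.0, and branches the table does not list at all (for example 2024.0.x), which it conservatively treats as affected and points at the newest fixed release. The hostnames and versions in the inventory are constructed for illustration.

```python
"""Triage MOVEit Automation version strings against the CVE-2026-4670 fix table.

Added example; the table values come from the advisory, the policy for
unlisted branches is an assumption made here (treat as affected).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Branch prefix -> (last affected release, first fixed release), per the advisory.
FIX_TABLE: dict[str, tuple[str, str]] = {
    "2025.1": ("2025.1.4", "2025.1.5"),
    "2025.0": ("2025.0.8", "2025.0.9"),
    "2024.1": ("2024.1.7", "2024.1.8"),
}
# Advisory: anything older than this has no patched release on its own branch.
OLDEST_SUPPORTED = "2024.0.0"

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?\s*$")


@dataclass(frozen=True)
class Triage:
    version: str
    vulnerable: bool
    reason: str
    upgrade_to: Optional[str]  # None when no action is required


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse 'YYYY.m.p' or 'YYYY.m.p.b' into a comparable 4-tuple (missing build = 0)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised MOVEit Automation version: {text!r}")
    major, minor, patch, build = (int(x) if x else 0 for x in m.groups())
    return (major, minor, patch, build)


def newest_fixed() -> str:
    """Newest fixed release in the table; the target for branches with no fix of their own."""
    return max((fixed for _, fixed in FIX_TABLE.values()), key=parse_version)


def triage(version: str) -> Triage:
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"

    if branch in FIX_TABLE:
        _, first_fixed = FIX_TABLE[branch]
        if v >= parse_version(first_fixed):
            return Triage(version, False, f"{branch}.x at or above fixed release {first_fixed}", None)
        # Covers both 'last affected and earlier' and odd builds such as 2025.1.4.1.
        return Triage(version, True, f"{branch}.x below fixed release {first_fixed}", first_fixed)

    if v < parse_version(OLDEST_SUPPORTED):
        return Triage(version, True, f"older than {OLDEST_SUPPORTED}; no patched release on this branch",
                      newest_fixed())

    # Assumption (not stated in the advisory): a branch absent from the table is treated as
    # affected rather than silently passed, so nothing slips through on an unexpected version.
    return Triage(version, True, f"branch {branch}.x not in the fix table; treat as affected",
                  newest_fixed())


def triage_inventory(inventory: dict[str, str]) -> list[Triage]:
    """Triage a host -> version mapping and return only the entries that need an upgrade."""
    return [t for t in (triage(ver) for ver in inventory.values()) if t.vulnerable]


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "mft-auto-01": "2025.1.5",
    "mft-auto-02": "2025.1.4.1",
    "mft-auto-03": "2024.1.7",
    "mft-auto-04": "2024.0.2",
    "mft-auto-05": "2023.0.3",
}

if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        t = triage(ver)
        status = f"UPGRADE to {t.upgrade_to}" if t.vulnerable else "ok"
        print(f"{host:12} {ver:12} {status:22} {t.reason}")
```

Feeding the output into a ticketing or asset system is straightforward because each result is a plain dataclass. The one policy decision worth reviewing before adopting this is the treatment of unlisted branches; the conservative choice here errs toward flagging, which is the right default for a 9.8 with no workaround.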

While planning the upgrade, security teams should review audit logs for indicators of compromise, including unexpected privilege escalation events, authentication failures or successes from unfamiliar sources, and anomalous activity patterns that could indicate exploitation of the backend command port interfaces. Because exploitation requires no credentials, successful access will not necessarily be preceded by failed logins, so connection sources and timing deserve as much attention as authentication events.

Vendor Security History

Progress Software has faced notable security challenges with the MOVEit product line. The most significant incident involved CVE-2023-34362, a SQL injection vulnerability in MOVEit Transfer (a related product in the same family) that was mass-exploited in 2023. That campaign impacted over 2,000 organizations and approximately 60 million individuals, making it one of the largest data breaches of that year. The Cl0p ransomware group was attributed as the primary threat actor behind that exploitation campaign.

The recurrence of critical vulnerabilities in the MOVEit ecosystem underscores the importance of maintaining current patch levels and monitoring for new advisories. Progress Software maintains a Progress Alert and Notification Service for distributing critical security updates to customers.
