Critical Authentication Bypass Vulnerability in MOVEit Automation (CVE-2026-4670)

Progress MOVEit Automation is affected by a critical authentication bypass vulnerability, CVE-2026-4670, which has a CVSS score of 9.8. Successful exploitation allows an unauthenticated remote attacker to gain administrative access to the vulnerable service. Additionally, a high severity privilege escalation vulnerability, CVE-2026-5174, exists due to improper input validation. While there is no current evidence of active exploitation in the wild, the historical targeting of Managed File Transfer (MFT) solutions, such as the 2023 Cl0p ransomware campaigns targeting MOVEit Transfer, heightens the urgency of patching this vulnerability. The affected versions of MOVEit Automation include versions prior to 2024.0.0, versions 2024.0.0 before 2024.1.8, versions 2025.0.0 before 2025.0.9, and versions 2025.1.0 before 2025.1.5. Defenders should prioritize patching to prevent potential exploitation.

Attack Chain

1. An unauthenticated attacker sends a specially crafted request to the MOVEit Automation server, exploiting CVE-2026-4670 (authentication bypass).
2. The vulnerable MOVEit Automation software fails to properly validate the attacker’s identity, granting them unauthorized access.
3. The attacker gains access to the MOVEit Automation application with administrative privileges.
4. The attacker leverages CVE-2026-5174 (improper input validation) to further escalate privileges within the application.
5. The attacker manipulates sensitive file transfer workflows, potentially modifying file permissions or altering transfer schedules.
6. The attacker exfiltrates sensitive data stored within MOVEit Automation.
7. Alternatively, the attacker could deploy malicious scripts or backdoors to maintain persistence and control over the system.
8. The attacker achieves complete control over the MOVEit Automation server, potentially impacting connected systems and data integrity.

Impact

Successful exploitation of CVE-2026-4670 allows an unauthenticated attacker to gain administrative access to Progress MOVEit Automation servers. This can lead to the compromise of sensitive data, disruption of file transfer workflows, and potential deployment of ransomware or other malicious payloads. Given the history of MOVEit products being targeted, a successful attack could have widespread impact across various sectors that rely on MOVEit for secure file transfer, potentially affecting thousands of organizations.

Recommendation

• Immediately patch all affected MOVEit Automation installations to versions 2025.1.5 or later, 2025.0.9 or later, or 2024.1.8 or later as recommended by Progress Software to remediate CVE-2026-4670 and CVE-2026-5174.
• Upscale monitoring and detection capabilities to identify any suspicious activity related to MOVEit Automation, as recommended by the CCB.
• Implement the provided Sigma rule “Detect MOVEit Automation Authentication Bypass Attempt” to identify potential exploitation attempts targeting CVE-2026-4670 based on web server logs.