{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/moveit-automation--2025.1.4/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-4670"},{"cvss":7.7,"id":"CVE-2026-5174"}],"_cs_exploited":true,"_cs_products":["MOVEit Automation","MOVEit Automation \u003c= 2025.1.4","MOVEit Automation \u003c= 2025.0.8","MOVEit Automation \u003c= 2024.1.7"],"_cs_severities":["critical"],"_cs_tags":["authentication-bypass","privilege-escalation","cve-2026-4670","cve-2026-5174","webserver"],"_cs_type":"threat","_cs_vendors":["Progress Software"],"content_html":"\u003cp\u003eProgress MOVEit Automation is affected by a critical authentication bypass vulnerability, CVE-2026-4670, which has a CVSS score of 9.8. Successful exploitation allows an unauthenticated remote attacker to gain administrative access to the vulnerable service. Additionally, a high severity privilege escalation vulnerability, CVE-2026-5174, exists due to improper input validation. While there is no current evidence of active exploitation in the wild, the historical targeting of Managed File Transfer (MFT) solutions, such as the 2023 Cl0p ransomware campaigns targeting MOVEit Transfer, heightens the urgency of patching this vulnerability. The affected versions of MOVEit Automation include versions prior to 2024.0.0, versions 2024.0.0 before 2024.1.8, versions 2025.0.0 before 2025.0.9, and versions 2025.1.0 before 2025.1.5. Defenders should prioritize patching to prevent potential exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a specially crafted request to the MOVEit Automation server, exploiting CVE-2026-4670 (authentication bypass).\u003c/li\u003e\n\u003cli\u003eThe vulnerable MOVEit Automation software fails to properly validate the attacker\u0026rsquo;s identity, granting them unauthorized access.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to the MOVEit Automation application with administrative privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages CVE-2026-5174 (improper input validation) to further escalate privileges within the application.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates sensitive file transfer workflows, potentially modifying file permissions or altering transfer schedules.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data stored within MOVEit Automation.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker could deploy malicious scripts or backdoors to maintain persistence and control over the system.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves complete control over the MOVEit Automation server, potentially impacting connected systems and data integrity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4670 allows an unauthenticated attacker to gain administrative access to Progress MOVEit Automation servers. This can lead to the compromise of sensitive data, disruption of file transfer workflows, and potential deployment of ransomware or other malicious payloads. Given the history of MOVEit products being targeted, a successful attack could have widespread impact across various sectors that rely on MOVEit for secure file transfer, potentially affecting thousands of organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch all affected MOVEit Automation installations to versions 2025.1.5 or later, 2025.0.9 or later, or 2024.1.8 or later as recommended by Progress Software to remediate CVE-2026-4670 and CVE-2026-5174.\u003c/li\u003e\n\u003cli\u003eUpscale monitoring and detection capabilities to identify any suspicious activity related to MOVEit Automation, as recommended by the CCB.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule \u0026ldquo;Detect MOVEit Automation Authentication Bypass Attempt\u0026rdquo; to identify potential exploitation attempts targeting CVE-2026-4670 based on web server logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T15:08:49Z","date_published":"2026-05-04T15:08:49Z","id":"/briefs/2026-05-moveit-auth-bypass/","summary":"A critical authentication bypass vulnerability (CVE-2026-4670) in Progress MOVEit Automation allows an unauthenticated remote attacker to gain administrative access, potentially leading to full control over the application and sensitive file transfer workflows.","title":"Critical Authentication Bypass Vulnerability in MOVEit Automation (CVE-2026-4670)","url":"https://feed.craftedsignal.io/briefs/2026-05-moveit-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — MOVEit Automation \u003c= 2025.1.4","version":"https://jsonfeed.org/version/1.1"}