{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/moveit-automation/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-4670"},{"cvss":7.7,"id":"CVE-2026-5174"}],"_cs_exploited":true,"_cs_products":["MOVEit Automation","MOVEit Automation \u003c= 2025.1.4","MOVEit Automation \u003c= 2025.0.8","MOVEit Automation \u003c= 2024.1.7"],"_cs_severities":["critical"],"_cs_tags":["authentication-bypass","privilege-escalation","cve-2026-4670","cve-2026-5174","webserver"],"_cs_type":"threat","_cs_vendors":["Progress Software"],"content_html":"\u003cp\u003eProgress MOVEit Automation is affected by a critical authentication bypass vulnerability, CVE-2026-4670, which has a CVSS score of 9.8. Successful exploitation allows an unauthenticated remote attacker to gain administrative access to the vulnerable service. Additionally, a high severity privilege escalation vulnerability, CVE-2026-5174, exists due to improper input validation. While there is no current evidence of active exploitation in the wild, the historical targeting of Managed File Transfer (MFT) solutions, such as the 2023 Cl0p ransomware campaigns targeting MOVEit Transfer, heightens the urgency of patching this vulnerability. The affected versions of MOVEit Automation include versions prior to 2024.0.0, versions 2024.0.0 before 2024.1.8, versions 2025.0.0 before 2025.0.9, and versions 2025.1.0 before 2025.1.5. Defenders should prioritize patching to prevent potential exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a specially crafted request to the MOVEit Automation server, exploiting CVE-2026-4670 (authentication bypass).\u003c/li\u003e\n\u003cli\u003eThe vulnerable MOVEit Automation software fails to properly validate the attacker\u0026rsquo;s identity, granting them unauthorized access.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to the MOVEit Automation application with administrative privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages CVE-2026-5174 (improper input validation) to further escalate privileges within the application.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates sensitive file transfer workflows, potentially modifying file permissions or altering transfer schedules.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data stored within MOVEit Automation.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker could deploy malicious scripts or backdoors to maintain persistence and control over the system.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves complete control over the MOVEit Automation server, potentially impacting connected systems and data integrity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4670 allows an unauthenticated attacker to gain administrative access to Progress MOVEit Automation servers. This can lead to the compromise of sensitive data, disruption of file transfer workflows, and potential deployment of ransomware or other malicious payloads. Given the history of MOVEit products being targeted, a successful attack could have widespread impact across various sectors that rely on MOVEit for secure file transfer, potentially affecting thousands of organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch all affected MOVEit Automation installations to versions 2025.1.5 or later, 2025.0.9 or later, or 2024.1.8 or later as recommended by Progress Software to remediate CVE-2026-4670 and CVE-2026-5174.\u003c/li\u003e\n\u003cli\u003eUpscale monitoring and detection capabilities to identify any suspicious activity related to MOVEit Automation, as recommended by the CCB.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule \u0026ldquo;Detect MOVEit Automation Authentication Bypass Attempt\u0026rdquo; to identify potential exploitation attempts targeting CVE-2026-4670 based on web server logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T15:08:49Z","date_published":"2026-05-04T15:08:49Z","id":"/briefs/2026-05-moveit-auth-bypass/","summary":"A critical authentication bypass vulnerability (CVE-2026-4670) in Progress MOVEit Automation allows an unauthenticated remote attacker to gain administrative access, potentially leading to full control over the application and sensitive file transfer workflows.","title":"Critical Authentication Bypass Vulnerability in MOVEit Automation (CVE-2026-4670)","url":"https://feed.craftedsignal.io/briefs/2026-05-moveit-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["MOVEit Automation"],"_cs_severities":["high"],"_cs_tags":["vulnerability","privilege-escalation","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Progress Software"],"content_html":"\u003cp\u003eProgress Software\u0026rsquo;s MOVEit Automation is susceptible to multiple vulnerabilities that, if exploited, could allow an attacker to circumvent existing security measures and escalate privileges within the system. While specific details on the vulnerabilities are lacking, the advisory indicates a potential for significant impact on the confidentiality, integrity, and availability of systems utilizing the affected software. This is especially concerning given the role of MOVEit Automation in managing and transferring sensitive files, making it a high-value target for malicious actors seeking to exfiltrate data or disrupt business operations. Defenders should prioritize identifying and patching vulnerable instances of MOVEit Automation to mitigate the risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable MOVEit Automation instance.\u003c/li\u003e\n\u003cli\u003eAttacker exploits a vulnerability to gain initial access to the system. Due to lack of specifics, it is unknown how initial access occurs.\u003c/li\u003e\n\u003cli\u003eAttacker bypasses security measures using an unspecified exploit.\u003c/li\u003e\n\u003cli\u003eAttacker escalates privileges within the MOVEit Automation environment.\u003c/li\u003e\n\u003cli\u003eAttacker leverages escalated privileges to access sensitive data or system configurations.\u003c/li\u003e\n\u003cli\u003eAttacker moves laterally within the network, exploiting the compromised MOVEit Automation instance as a pivot point.\u003c/li\u003e\n\u003cli\u003eAttacker exfiltrates sensitive data or deploys malicious payloads to other systems on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could lead to unauthorized access to sensitive data, system compromise, and potential disruption of business operations. The lack of specific details makes it difficult to quantify the exact number of victims or sectors targeted. However, given the widespread use of MOVEit Automation in various industries, a successful attack could have far-reaching consequences, including financial losses, reputational damage, and regulatory penalties.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest security patches provided by Progress Software for MOVEit Automation to remediate the vulnerabilities.\u003c/li\u003e\n\u003cli\u003eMonitor MOVEit Automation logs for suspicious activity indicative of exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of a successful attack on MOVEit Automation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T10:24:10Z","date_published":"2026-05-04T10:24:10Z","id":"/briefs/2026-05-moveit-automation-vulns/","summary":"Multiple vulnerabilities in Progress Software MOVEit Automation can be exploited by an attacker to bypass security measures or gain elevated privileges.","title":"Multiple Vulnerabilities in Progress Software MOVEit Automation","url":"https://feed.craftedsignal.io/briefs/2026-05-moveit-automation-vulns/"}],"language":"en","title":"CraftedSignal Threat Feed — MOVEit Automation","version":"https://jsonfeed.org/version/1.1"}