Progress Software has released updates to address two vulnerabilities in MOVEit Automation: CVE-2026-4670 (CVSS 9.8), a critical authentication bypass that allows unauthorized access to the system and administrative control, and CVE-2026-5174 (CVSS 7.7), an input validation error that leads to privilege escalation. Server deployments of the managed file transfer solution in enterprise environments are affected; there are no workarounds, so organizations need to install the patches as quickly as possible to reduce the risk of compromise and data leakage.
Technical details of the vulnerabilities
MOVEit Automation (formerly Central) is a server-side managed file transfer (MFT) solution that automates and schedules data movement between systems without custom scripts. This makes it a highly critical infrastructure component: it handles large volumes of sensitive data and executes integration processes.
The vulnerabilities affect vendor-supported versions of MOVEit Automation (specific releases are listed in the official Progress advisory and are not provided in the source material). According to the vendor’s description, both flaws are exposed through the service’s backend command port interfaces:
- CVE-2026-4670, CVSS 9.8 — a critical authentication bypass vulnerability. Incorrect server-side authentication logic allows an attacker to interact with the backend interface as if they had already been authenticated. From a threat-model standpoint, this is equivalent to gaining unauthorized access to a highly privileged API.
- CVE-2026-5174, CVSS 7.7 — an “improper input validation” vulnerability that can lead to privilege escalation. Under certain conditions, improperly handled parameters sent to the service allow a local or authenticated user to escalate their privileges to a higher level.
The Progress advisory specifically emphasizes that the combination of these backend interface vulnerabilities can result in authentication bypass followed by privilege escalation, ultimately giving an attacker:
- unauthorized access to the MOVEit Automation system;
- administrative control over the installation;
- access to data and potential data disclosure.
Airbus SecLab researchers — Anaïs Gantet, Delphine Gourdou, Quentin Liddell, and Matteo Ricordeau — received official credit for discovering and responsibly disclosing both vulnerabilities. The vendor states that there are no effective workarounds: the risk can only be eliminated by applying updates.
At the time the advisory was published, there were no reports of confirmed exploitation of these vulnerabilities “in the wild.” Nonetheless, both entries (CVE-2026-4670 and CVE-2026-5174) are already present (or will be present) in the NVD database, which makes it possible to track their lifecycle and changes in risk scoring.
Threat context: why MOVEit and MFT systems
Managed file transfer systems, of which MOVEit Automation is one, occupy a unique position. At the same time, they:
- are connected to mission-critical business applications and data repositories;
- process and move sensitive files (financial data, personal data, reports, exports from ERP/CRM);
- often have broad network permissions to access internal and external systems.
This is why previous vulnerabilities in another product in the same line — MOVEit Transfer — have already attracted the attention of extortion groups, including the Cl0p gang, which exploited such flaws to gain access to organizations’ data. The source material explicitly notes that earlier vulnerabilities in MOVEit Transfer were used by ransomware groups such as Cl0p, demonstrating sustained attacker interest in this vendor and class of solutions.
In essence, the vulnerabilities described in the advisory fall under the MITRE ATT&CK technique Exploit Public-Facing Application (T1190) if backend interfaces are reachable from untrusted networks. Even if they are nominally considered “internal,” in practice, segmentation errors, VPN access issues, or firewall misconfigurations often make such ports reachable to an attacker after an initial foothold in the network.
Impact assessment for organizations
The highest risk is to organizations for which MOVEit Automation is the central hub for integration and file exchange between:
- internal systems (ERP, CRM, accounting systems, data warehouses);
- external counterparties and services (banks, suppliers, partners);
- cloud platforms and data centers.
Potential consequences if updates are not applied in a timely manner:
- Compromise of confidential data. MOVEit Automation works with ready-made exports from business systems that often contain aggregated, structured, and already filtered data — in other words, information that is particularly valuable to an attacker.
- Full control over the automation system. Authentication bypass combined with privilege escalation may allow an attacker to modify jobs, redirect data flows, and inject malicious files or backdoors into the pipeline.
- Lateral movement within the infrastructure. Using credentials, keys, and connections stored in the MOVEit Automation configuration, an attacker can move further across the network and gain access to other systems.
- Regulatory and legal risks. Since MFT systems are often used to exchange personal and financial data, a leak through such a hub may trigger regulator notifications, fines, and mandatory communication with customers and partners.
Even if the MOVEit Automation installation is not formally accessible from the internet, the risk remains significant: if any other node in the network is compromised, an attacker may attempt to use the vulnerable backend interfaces for rapid privilege escalation and data access.
Practical recommendations for reducing risk
1. Immediate updating and prioritization
- Identify all MOVEit Automation instances in your infrastructure (including test and backup), using your inventory, CMDB, and network scans.
- Match installed versions against the list of vulnerable ones given in the Progress advisory (see also the NVD entries: CVE-2026-4670, CVE-2026-5174).
- Plan the update as a top priority within your vulnerability management process: the critical authentication bypass flaw (CVSS 9.8) justifies emergency patching with minimal testing windows.
2. Restricting network access to the backend command port
Even with patches installed, you should minimize the exposure of highly privileged interfaces:
- Identify the ports and interfaces used for backend access to MOVEit Automation (based on product documentation and actual configuration).
- Restrict access to them to administrative hosts and necessary services only, using network access control lists and firewalls.
- Block access to these interfaces from user segments, general-purpose VPN pools, and especially from zones exposed to the internet.
3. Strengthening monitoring and searching for possible signs of exploitation
Since there is no confirmed information on active exploitation, it is advisable to proactively review logs and telemetry:
- Analyze MOVEit Automation authentication logs for:
  - suspicious successful logins from unusual sources;
  - multiple attempts to access administrative functions;
  - creation of new high-privilege accounts or changes to roles of existing ones.
- Review the history of jobs and automation scripts for unexpected changes, the appearance of new jobs, or retargeting of destination systems.
- Correlate network logs (firewall, proxy, intrusion detection systems) with the time windows when vulnerable versions were deployed, in order to identify anomalous access to backend interfaces.
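One way to carry out the network-log correlation described above, as an added example that is not part of the Progress advisory or the original article: it flags connections to the backend command port from sources outside the administrative allowlist during the window in which a vulnerable version was deployed. The port number, admin range, log layout and sample lines are all constructed assumptions; substitute the values from your own configuration and firewall export.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Assumptions (not from the advisory): placeholder port, admin range, log layout.
BACKEND_PORT = 65000  # placeholder; use the command port from your own configuration
ADMIN_NETS = [ipaddress.ip_network("10.10.5.0/28")]  # constructed admin-host range

# Constructed firewall log lines: "timestamp action src dst dport"
SAMPLE_LOG = """\
2026-01-10T08:01:12 ALLOW 10.10.5.4 10.20.0.15 65000
2026-01-10T08:03:40 ALLOW 10.30.7.21 10.20.0.15 65000
2026-01-10T08:03:41 ALLOW 10.30.7.21 10.20.0.15 65000
2026-01-10T09:15:02 DENY 172.16.9.8 10.20.0.15 65000
2026-01-10T09:20:00 ALLOW 10.30.7.21 10.20.0.15 443
2026-02-01T10:00:00 ALLOW 10.30.7.99 10.20.0.15 65000
malformed line
"""

def unexpected_backend_access(log_text, window_start, window_end):
    """Count backend-port connections per (source, action) from non-admin hosts
    inside the window during which a vulnerable version was deployed."""
    hits = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not match the assumed layout
        ts, action, src, _dst, dport = parts
        try:
            when = datetime.fromisoformat(ts)
            src_ip = ipaddress.ip_address(src)
            port = int(dport)
        except ValueError:
            continue  # unparseable timestamp, address or port
        if port != BACKEND_PORT or not (window_start <= when <= window_end):
            continue
        if any(src_ip in net for net in ADMIN_NETS):
            continue  # expected administrative source
        hits[(src, action)] += 1
    return hits

if __name__ == "__main__":
    start, end = datetime(2026, 1, 1), datetime(2026, 1, 31)
    for (src, action), n in unexpected_backend_access(SAMPLE_LOG, start, end).most_common():
        print(f"{src} {action} x{n}")
```

ALLOW hits from non-admin sources are the ones to investigate first; DENY hits show that the restriction is working but still identify hosts that tried to reach the interface.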
4. Temporary compensating controls before applying patches
If immediate updating is not possible for operational reasons, you should implement partial risk reduction measures, understanding that they do not replace fixing the vulnerabilities:
- Where possible, temporarily limit or disable external integrations that use the backend command port, keeping only those strictly necessary for business continuity.
- Move MOVEit Automation instances into a maximally isolated network segment, minimizing the number of routes and trusted zones.
- Strengthen access control for administrative accounts used to manage MOVEit Automation (multi-factor authentication, time-limited tokens, additional confirmation procedures for high-risk operations).
The key action for all organizations using MOVEit Automation is to install, in the nearest maintenance window, the available updates that fix CVE-2026-4670 and CVE-2026-5174, and at the same time review the network exposure of the service’s backend interfaces, restricting them to only strictly necessary sources.