Progress patches MOVEit Automation auth-bypass bug

Progress released patches for MOVEit Automation to fix a critical authentication-bypass flaw (CVE-2026-4670) and an input-validation privilege-escalation bug (CVE-2026-5174).

Progress Software has released updates for MOVEit Automation to fix a critical authentication-bypass vulnerability and an input-validation flaw that can lead to privilege escalation. The company warned that the issues could allow unauthorized access, administrative control and data exposure if systems are not updated.

MOVEit Automation is a server-based managed file transfer product used to schedule and automate file workflows in enterprise environments. The authentication bypass is tracked as CVE-2026-4670 with a CVSS score of 9.8. The input-validation issue is CVE-2026-5174 with a CVSS score of 7.7.

In its advisory, Progress warned: “Critical and high vulnerabilities in MOVEit Automation may allow authentication bypass and privilege escalation through the service backend command port interfaces. Exploitation may lead to unauthorized access, administrative control, and data exposure.” The advisory does not report any confirmed active exploitation at the time of publication.

Affected releases and their patched versions are listed by Progress: systems running MOVEit Automation versions up to 2025.1.4 should be updated to 2025.1.5; versions up to 2025.0.8 should move to 2025.0.9; and versions up to 2024.1.7 should be upgraded to 2024.1.8. Progress noted there are no workarounds that mitigate these specific vulnerabilities.

Progress credited researchers at Airbus SecLab — Anaïs Gantet, Delphine Gourdou, Quentin Liddell and Matteo Ricordeau — for discovering and reporting the defects. The vendor advised applying the provided updates promptly to address the flaws.

Previous vulnerabilities in the related MOVEit Transfer product have been exploited by ransomware groups such as Cl0p. System owners should confirm their MOVEit Automation version, install the appropriate patched release and verify that services and access controls are functioning correctly after the update.
