Emergency patches have been released for critical and high-severity vulnerabilities in MOVEit Automation that could allow unauthenticated remote attackers to seize full administrative control of exposed systems.
On April 30, 2026, Progress Software issued a critical security alert bulletin disclosing two dangerous vulnerabilities in its widely deployed MOVEit Automation file transfer platform: CVE-2026-4670 (Authentication Bypass) and CVE-2026-5174 (Privilege Escalation).
Together, these flaws create a powerful kill chain that enables an unauthenticated remote attacker first to bypass authentication entirely and then escalate privileges to achieve administrative control of the compromised system.
Canada’s Center for Cyber Security (CCCS) also issued a corresponding national advisory (AV26-410) on the same day, underscoring the severity and broad organizational risk.
MOVEit Automation is a managed file transfer (MFT) solution used extensively by enterprises, government agencies, and critical infrastructure sectors to automate large-scale file workflows. Because MOVEit is commonly deployed as an internet-facing server, exposed instances represent exceptionally high-value targets for threat actors.
The history of MOVEit exploitation, most notably the 2023 Cl0p ransomware campaign that affected hundreds of organizations globally, gives this April 2026 advisory outsized urgency.
CVE-2026-4670: Authentication Bypass
Tracked under CWE-305 (Authentication Bypass by Primary Weakness), CVE-2026-4670 is classified as critical with a CVSS v3.1 base score of 9.8. The flaw exists within MOVEit Automation’s service backend command port interfaces.
It allows an unauthenticated, remote attacker to bypass the platform’s primary authentication controls without requiring any user interaction or prior privileges. Successful exploitation grants an attacker an unauthorized foothold into the system, paving the way for deeper compromise.
This vulnerability affects:
- MOVEit Automation from version 2025.0.0 before 2025.0.9
- MOVEit Automation from version 2024.0.0 before 2024.1.8
- All versions before 2024.0.0
CVE-2026-5174: Privilege Escalation
CVE-2026-5174, classified under CWE-20 (Improper Input Validation), is rated High with a CVSS v3.1 score of 7.7. This vulnerability enables a low-privileged attacker to escalate their permissions through improper input validation in MOVEit Automation’s backend interfaces, with a confirmed scope change and high availability impact.
When chained directly after CVE-2026-4670, an attacker achieves a seamless unauthenticated-to-administrative-access kill chain.
This vulnerability affects:
- MOVEit Automation from version 2025.1.0 before 2025.1.5
- MOVEit Automation from version 2025.0.0 before 2025.0.9
- MOVEit Automation from version 2024.0.0 before 2024.1.8
- All versions before 2024.0.0
Attack Chain
Security threat analysis describes the two vulnerabilities as potentially chained. CVE-2026-4670 first provides an unauthenticated foothold, and CVE-2026-5174 then grants elevated access within the product, enabling lateral movement across the broader network environment.
Indicators of compromise include unexpected privilege escalation events, unauthorized access alerts, and anomalous activity visible in MOVEit Automation audit logs.
The potential damage is significant: successful exploitation may lead to unauthorized access to sensitive file-transfer data, full administrative control of the MOVEit Automation server, and data exposure affecting any organization that relies on automated file workflows.
Given that MOVEit Automation is often positioned on network perimeters and handles regulated, high-value data such as financial records, healthcare files, and government documents, the blast radius of exploitation extends well beyond the application itself.
The security team confirmed that no public proof-of-concept exploit or in-the-wild exploitation had been observed at the time of initial disclosure, though the researchers who reported the flaws have not yet published technical details.
Patched Versions and Remediation
Progress Software strongly recommends an immediate upgrade to the fixed versions using the full installer; partial or workaround-based remediation is explicitly not supported. Organizations should plan for a system outage window during the upgrade process.
| Affected Version | Fixed Version | Upgrade Documentation |
|---|---|---|
| MOVEit Automation ≤ 2025.1.4 (17.1.4) | 2025.1.5 | Progress Docs – 2025 Upgrade Guide |
| MOVEit Automation ≤ 2025.0.8 (17.0.8) | 2025.0.9 | Progress Docs – 2025 Upgrade Guide |
| MOVEit Automation ≤ 2024.1.7 (16.1.7) | 2024.1.8 | Progress Docs – 2024 Upgrade Guide |
Customers on active maintenance agreements can access the upgrade directly through the Community Portal. Those without active maintenance should contact a Sales Representative or authorized partner. To verify your current version, navigate to MOVEit Automation Web Admin → Help → About.
Security teams should treat this as a P1/critical incident given MOVEit’s historical targeting by ransomware groups. Recommended steps:
- Identify all instances of MOVEit Automation in your environment and check running versions immediately.
- Apply the full installer upgrade to versions 2025.1.5, 2025.0.9, or 2024.1.8 as appropriate.
- Review audit logs for signs of unexpected privilege escalation, unauthorized access attempts, or anomalous backend activity.
- Restrict network exposure of MOVEit Automation backend command ports as a temporary risk reduction measure while patching is scheduled.
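An added example for the first step (not code from Progress Software or the original article): it checks an inventory of version strings against the affected ranges listed above and reports, per CVE, the fixed release to install. The host names and sample inventory are constructed, and mapping internal build numbers 17.x and 16.x to 2025.x and 2024.x is an assumption taken from the parenthesised values in the table.

```python
import re

# Internal build majors from the table's parenthesised values (assumed mapping).
INTERNAL_MAJOR = {17: 2025, 16: 2024}

# Half-open ranges [first_affected, fixed) from the advisory text above.
# "From 2024.0.0 before 2024.1.8" and "all versions before 2024.0.0" are merged.
AFFECTED = {
    "CVE-2026-4670": [((2025, 0, 0), (2025, 0, 9)),
                      ((0, 0, 0), (2024, 1, 8))],
    "CVE-2026-5174": [((2025, 1, 0), (2025, 1, 5)),
                      ((2025, 0, 0), (2025, 0, 9)),
                      ((0, 0, 0), (2024, 1, 8))],
}

def parse_version(text):
    """Extract the first x.y.z version and normalise it to year-based numbering."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    major, minor, patch = map(int, m.groups())
    if major < 2000:  # internal numbering such as 17.0.8
        if major not in INTERNAL_MAJOR:
            raise ValueError(f"unmapped internal version {text!r}")
        major = INTERNAL_MAJOR[major]
    return (major, minor, patch)

def triage(version_string):
    """Map each CVE to the fixed release to install, or None if not in range."""
    v = parse_version(version_string)
    result = {}
    for cve, ranges in AFFECTED.items():
        fixed = next((hi for lo, hi in ranges if lo <= v < hi), None)
        result[cve] = ".".join(map(str, fixed)) if fixed else None
    return result

def triage_inventory(inventory):
    """Return {host: {cve: fixed_version}}; unparseable entries become 'REVIEW'."""
    report = {}
    for host, raw in inventory.items():
        try:
            report[host] = {c: f for c, f in triage(raw).items() if f}
        except ValueError:
            report[host] = "REVIEW"
    return report

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = {"mft-01.example.internal": "2025.1.4", "mft-02.example.internal": "17.0.8",
          "mft-03.example.internal": "2024.1.8", "mft-04.example.internal": "unknown"}

if __name__ == "__main__":
    for host, findings in triage_inventory(SAMPLE).items():
        print(host, findings or "not in an affected range")
```

Per the ranges on this page, a 2025.1.x host is flagged only for CVE-2026-5174, while 2025.0.x and anything before 2024.1.8 are flagged for both; hosts marked `REVIEW` need a manual check in Web Admin → Help → About.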
FAQ
Q1: What is CVE-2026-4670 in MOVEit Automation?
CVE-2026-4670 is a critical authentication bypass flaw (CVSS v3.1: 9.8) in MOVEit Automation that allows unauthenticated remote attackers to bypass authentication controls through the service backend command port interfaces.
Q2: Can CVE-2026-4670 and CVE-2026-5174 be chained together?
Yes, CVE-2026-4670 provides the initial unauthenticated foothold, and CVE-2026-5174 escalates that access to administrative-level privileges, creating a full remote-to-admin compromise kill chain.
Q3: Which versions of MOVEit Automation are affected, and what should I upgrade to?
All versions of MOVEit Automation up to 2025.1.4, 2025.0.8, and 2024.1.7 are vulnerable; organizations must upgrade to 2025.1.5, 2025.0.9, or 2024.1.8, respectively, using the full installer.
Q4: Is there active exploitation of these MOVEit Automation vulnerabilities in the wild?
As of April 30, 2026, Progress Software had not confirmed active exploitation, but given MOVEit’s history as a high-priority ransomware target, organizations are urged to patch immediately, without waiting for confirmation.
Site: thecybrdef.com