Critical auth bypass in MOVEit Automation demands immediate patching
TL;DR - CVE-2026-4670 is an improper authentication flaw (CWE-305, CVSS 9.8) in MOVEit Automation that allows unauthenticated network access. Affected builds: everything before 2025.0.9 and 2024.1.8. If your instance is internet-facing, this is an emergency patch window.
What happened
MOVEit Automation is Progress Software's managed file transfer automation server - it orchestrates file movement across business-critical integrations and typically holds credentials for multiple downstream systems.
Two vulnerabilities were published on 30 April 2026:
- CVE-2026-4670 (Critical, CVSS 9.8) - improper authentication (CWE-305). An unauthenticated attacker can bypass authentication entirely over the network.
- CVE-2026-5174 (High, CVSS 7.7) - improper input validation (CWE-20). A low-privileged attacker can escalate privileges via a network-reachable path.
MOVEit Automation sits at a sensitive boundary: it brokers credentials and data movement between systems. An auth bypass here doesn't just expose the automation server - it can become a direct path into every integration it touches.
Who is impacted
- Any deployment running an affected MOVEit Automation version.
- Highest risk: instances where management surfaces or APIs are reachable from untrusted networks.
| Vulnerability | Affected versions | Severity |
|---|---|---|
| CVE-2026-4670 | 2025.0.0 to < 2025.0.9; 2024.0.0 to < 2024.1.8; 0 to < 2024.0.0 | CVSS 3.1 9.8 (Critical) |
| CVE-2026-5174 | 2025.1.0 to < 2025.1.5; 2025.0.0 to < 2025.0.9; 2024.0.0 to < 2024.1.8; 0 to < 2024.0.0 | CVSS 3.1 7.7 (High) |
What to do now
- Patch to a fixed version immediately.
  - For CVE-2026-4670: if you are on 2025.0.0 to < 2025.0.9, move to 2025.0.9 or later; if you are on 2024.0.0 to < 2024.1.8, move to 2024.1.8 or later.
  - For CVE-2026-5174: also make sure you are not running 2025.1.0 to < 2025.1.5.
- Inventory every instance - production, DR, and non-production alike. Map which ones expose management or API surfaces to untrusted networks.
- Assume credential exposure is possible for any workflows that used MOVEit Automation for downstream access. If you have any reason to suspect unauthorized access, rotate credentials held by the MOVEit Automation service account and any integration endpoints it reaches.
- Increase monitoring during rollout:
  - watch for unexpected authentication successes and failures, and any administrative changes that shouldn't be there
  - review outbound connections and automation task activity for anomalies covering the vulnerability window
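The affected ranges in the table above and the inventory step can be checked mechanically across a fleet. The script below is an added example, not code from the advisory or from Progress; the host names and the inventory list are constructed, and the version ranges are copied from the table.

```python
# Added example: classify MOVEit Automation version strings against the
# affected ranges published for CVE-2026-4670 and CVE-2026-5174.
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

def parse_version(s: str) -> Version:
    """'2025.0.3' -> (2025, 0, 3); short strings are padded with zeros."""
    parts = tuple(int(p) for p in s.strip().split("."))
    return parts + (0,) * max(0, 3 - len(parts))

# Half-open ranges [lower, upper) taken from the advisory table.
# Note that 2025.1.x is listed only for CVE-2026-5174.
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "CVE-2026-4670": [
        ((0, 0, 0), (2024, 0, 0)),
        ((2024, 0, 0), (2024, 1, 8)),
        ((2025, 0, 0), (2025, 0, 9)),
    ],
    "CVE-2026-5174": [
        ((0, 0, 0), (2024, 0, 0)),
        ((2024, 0, 0), (2024, 1, 8)),
        ((2025, 0, 0), (2025, 0, 9)),
        ((2025, 1, 0), (2025, 1, 5)),
    ],
}

def affected_cves(version: str) -> List[str]:
    """Return the CVE ids whose affected ranges contain this version."""
    v = parse_version(version)
    return [cve for cve, ranges in AFFECTED.items()
            if any(lo <= v < hi for lo, hi in ranges)]

def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Keep only affected hosts, ordering those exposed to the auth bypass first."""
    rows = [(host, ver, affected_cves(ver)) for host, ver in inventory]
    rows = [r for r in rows if r[2]]
    rows.sort(key=lambda r: (0 if "CVE-2026-4670" in r[2] else 1, r[0]))
    return rows

# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = [
    ("mft-prod-01", "2025.0.8"),
    ("mft-prod-02", "2025.0.9"),
    ("mft-dr-01", "2024.1.7"),
    ("mft-test-01", "2025.1.2"),
]

if __name__ == "__main__":
    for host, ver, cves in triage(SAMPLE_INVENTORY):
        print(f"{host:<12} {ver:<10} {', '.join(cves)}")
```

Feed it the output of your own asset inventory as (host, version) pairs; any host listed with CVE-2026-4670 is in the emergency patch window.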
