Progress Warns of Critical MOVEit Automation Authentication Bypass Flaw



What happened

Progress Software has warned customers to patch a critical authentication bypass vulnerability in MOVEit Automation, its enterprise managed file transfer platform, tracked as CVE-2026-4670. The flaw affects MOVEit Automation versions before 2025.1.5, 2025.0.9, and 2024.1.8, and can be exploited remotely without privileges or user interaction in low-complexity attacks.

Progress published a Thursday advisory strongly recommending immediate upgrade to the latest version using the full installer, noting that upgrading is the only way to remediate the issue and will require a system outage during the process. The same day, Progress released a fix for a second vulnerability, CVE-2026-5174, a high-severity privilege escalation flaw stemming from improper input validation in the same software.

A Shodan search identified over 1,400 MOVEit Automation instances exposed online, with over a dozen linked to US local and state government agencies. Progress has not flagged either vulnerability as actively exploited in the wild, but MOVEit’s history makes the risk profile significant. In 2023, the Clop ransomware gang exploited a zero-day in MOVEit Transfer in a mass data theft campaign affecting more than 2,100 organizations and over 62 million individuals. Clop has repeatedly targeted MFT platforms including Accellion FTA, SolarWinds Serv-U, GoAnywhere MFT, and Cleo in similar campaigns. MOVEit MFT solutions are used by more than 3,000 enterprise organizations and over 100,000 users worldwide.

Who is affected

Any organization running MOVEit Automation versions prior to the patched releases is directly exposed. The over 1,400 internet-facing instances identified by Shodan represent the highest-risk population, including government agencies. Organizations that use MOVEit Automation as a central orchestrator for file transfers between internal systems, cloud storage, and external partners face potential exposure of the data flows those workflows manage.
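The affected-version statement above ("before 2025.1.5, 2025.0.9, and 2024.1.8") is branch-specific, so a naive "is it lower than 2025.1.5" comparison would misclassify a patched 2024.1.8 host. The following Python is an added example written for this article, not a Progress tool. It assumes each fixed release is the first patched build of its own major.minor branch, treats branches older than 2024.1 as vulnerable because every such build predates all three fixed releases, and reports any branch the advisory does not name as "unknown" rather than guessing; the hostnames in the sample inventory are invented.

```python
"""Assess MOVEit Automation version strings against the fixed releases in the advisory.

Fixed releases named by Progress: 2025.1.5, 2025.0.9 and 2024.1.8. Everything
below is example code written for this article, not a Progress tool.
"""
from __future__ import annotations

# Assumption: each fixed release is the first patched build of its own branch
# (major.minor), so a build is fixed once it is at or above that release.
FIXED_RELEASES = {
    (2025, 1): (2025, 1, 5),
    (2025, 0): (2025, 0, 9),
    (2024, 1): (2024, 1, 8),
}
OLDEST_FIXED_BRANCH = min(FIXED_RELEASES)  # (2024, 1)


def parse_version(text: str) -> tuple[int, ...]:
    """'2025.1.4' -> (2025, 1, 4); build suffixes such as 2025.1.4.17 are kept."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown' for one version string."""
    v = parse_version(version)
    branch = v[:2]
    fixed = FIXED_RELEASES.get(branch)
    if fixed is not None:
        # Tuple comparison handles extra build components: (2025,1,4,17) < (2025,1,5)
        return "fixed" if v >= fixed else "vulnerable"
    if branch < OLDEST_FIXED_BRANCH:
        # Assumption: a branch older than every fixed line predates all three
        # fixed releases, so it is "before" them in the advisory's sense.
        return "vulnerable"
    # A branch the advisory text does not name (e.g. a newer line): do not guess.
    return "unknown"


def prioritize(inventory):
    """Order hosts that still need work: vulnerable before unknown, internet-exposed first.

    inventory: iterable of (host, version, internet_exposed).
    Returns a list of (host, verdict) with fixed hosts dropped.
    """
    rows = [(host, assess(ver), exposed) for host, ver, exposed in inventory]
    todo = [r for r in rows if r[1] != "fixed"]
    todo.sort(key=lambda r: (r[1] != "vulnerable", not r[2], r[0]))
    return [(host, verdict) for host, verdict, _ in todo]


# Constructed inventory for demonstration; hostnames and versions are invented.
SAMPLE_INVENTORY = [
    ("mft-int-01", "2025.1.5", False),
    ("mft-dmz-01", "2025.1.4", True),
    ("mft-int-02", "2024.1.7.12", False),
    ("mft-lab-01", "2026.0.1", True),
]

if __name__ == "__main__":
    for host, verdict in prioritize(SAMPLE_INVENTORY):
        print(f"{verdict:10s} {host}")
```

Feed it the output of whatever asset inventory records the installed MOVEit Automation build and the "exposed" flag from the Shodan-style sweep; the ordering puts the internet-facing vulnerable hosts at the top of the emergency change.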

Why CISOs should care

MOVEit is one of the most targeted MFT platforms in recent history, and the 2023 Clop campaign demonstrated the scale of damage that a single exploited vulnerability in this software category can produce. A critical authentication bypass that requires no privileges and no user interaction, combined with over 1,400 internet-exposed instances, is a combination that historically attracts rapid exploitation once technical details circulate. The requirement to use a full installer and accept a system outage to remediate also means this is not a patch organizations can apply quietly in the background.

3 practical actions

  1. Upgrade MOVEit Automation to the patched release immediately and plan for the required system outage: CVE-2026-4670 can only be remediated by upgrading using the full installer. Schedule the upgrade as an emergency change and accept the associated downtime rather than deferring it to a standard maintenance window given the vulnerability’s severity and MOVEit’s targeting history.
  2. Restrict internet exposure of MOVEit Automation instances where operationally possible: With over 1,400 instances publicly accessible, reducing the attack surface by placing MOVEit Automation behind a VPN or network perimeter control limits the exploitable population while patching is completed, particularly for government and enterprise deployments handling sensitive data transfers.
  3. Review MOVEit Automation audit logs for anomalous authentication activity: Exploitation has not yet been confirmed, but the vulnerability is public and MOVEit is a historically targeted platform, so review authentication logs for unexpected access patterns, particularly sessions that were established without a preceding successful authentication, which could indicate exploitation attempts prior to patching.
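The third action describes a concrete heuristic: a session that begins with no successful authentication behind it. The Python below is an added example written for this article, not Progress code, and it applies that heuristic to log lines in a format invented here (a timestamp followed by key=value fields); MOVEit Automation's real audit export will have different field names, so parse_line() is the part to adapt. The sample lines, session ids, usernames and addresses are all constructed.

```python
"""Triage constructed audit-log lines for sessions that begin without a successful authentication.

The line format (timestamp then key=value fields) and every line in SAMPLE_LOG
are invented for this example; MOVEit Automation's real audit export will
differ, so adapt parse_line() to its field names before using this.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

KV = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Event:
    ts: str
    session: str
    src: str
    event: str
    user: str


def parse_line(line: str) -> Event:
    """Split 'HH:MM:SS k=v k=v ...' into an Event; missing fields become '-'."""
    ts, _, rest = line.partition(" ")
    f = dict(KV.findall(rest))
    return Event(ts, f.get("session", "-"), f.get("src", "-"),
                 f.get("event", "-"), f.get("user", "-"))


def find_unauthenticated_sessions(lines):
    """Return (session, src, user, reason) for each suspicious session_start.

    Keyed on (session id, source address): an auth_success for the same session
    id from a different address does not vouch for the later session_start.
    Also flags a session opened as a different user than the one who authenticated.
    """
    authenticated: dict[tuple[str, str], str] = {}  # (session, src) -> authenticated user
    failures: dict[tuple[str, str], int] = {}
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        ev = parse_line(line)
        key = (ev.session, ev.src)
        if ev.event == "auth_success":
            authenticated[key] = ev.user
        elif ev.event == "auth_failure":
            failures[key] = failures.get(key, 0) + 1
        elif ev.event == "session_start":
            if key not in authenticated:
                reason = "no auth_success for this session/source"
                if failures.get(key):
                    reason += f" ({failures[key]} auth_failure before it)"
                findings.append((ev.session, ev.src, ev.user, reason))
            elif authenticated[key] != ev.user:
                findings.append((ev.session, ev.src, ev.user,
                                 f"authenticated as {authenticated[key]} but session opened as {ev.user}"))
    return findings


def triage(text: str):
    return find_unauthenticated_sessions(text.splitlines())


# Constructed sample; addresses are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
08:00:01 session=s1 src=203.0.113.5 event=auth_success user=svc_transfer
08:00:02 session=s1 src=203.0.113.5 event=session_start user=svc_transfer
08:03:10 session=s2 src=198.51.100.7 event=auth_failure user=admin
08:03:11 session=s2 src=198.51.100.7 event=session_start user=admin
08:10:00 session=s3 src=192.0.2.9 event=session_start user=admin
08:12:00 session=s4 src=203.0.113.5 event=auth_success user=operator
08:12:01 session=s4 src=203.0.113.5 event=session_start user=admin
"""

if __name__ == "__main__":
    for session, src, user, reason in triage(SAMPLE_LOG):
        print(f"{session} {src} {user}: {reason}")
```

Session s1 is clean; s2 and s3 are the pattern the action describes (a session with no successful authentication behind it), and s4 shows the related case of a session opened as a different user than the one who authenticated. Run it over the log window from before the upgrade, since the fixed build does nothing about sessions that were already opened.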

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.