Critical MOVEit Automation Bugs Enable Full System Takeover
Progress Software has issued an urgent security alert for its MOVEit Automation platform after researchers uncovered two critical vulnerabilities that could allow attackers to bypass authentication and seize administrative control over affected systems. Organizations are advised to apply available patches immediately.
The security bulletin, published on April 30, 2026, documents two flaws discovered by researchers at Airbus SecLab, both residing within the service backend command port interfaces of MOVEit Automation.
CVE-2026-4670 is an authentication bypass flaw that allows unauthenticated attackers to circumvent access controls and interact directly with protected system components.
CVE-2026-5174 is a privilege escalation vulnerability stemming from improper input validation, enabling a low-privileged attacker to elevate their access to administrative levels.
Successful chaining of both flaws could grant an attacker full administrative control of a targeted MOVEit Automation instance, exposing sensitive data, disrupting file-transfer workflows, and potentially enabling lateral movement across the broader network.
Administrators should monitor audit logs closely for unexpected privilege changes or anomalous backend activity as indicators of potential exploitation.
Affected Versions and Patched Releases
The vulnerabilities span several supported release branches. Progress Software has released patched versions for each:
- Version 2025.1.4 and earlier → upgrade to 2025.1.5
- Version 2025.0.8 and earlier → upgrade to 2025.0.9
- Version 2024.1.7 and earlier → upgrade to 2024.1.8
Administrators can verify their current version by navigating to the MOVEit Automation Web Admin portal → Help → About.
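As an added example, not code from the bulletin or from Progress, the following Python script applies the branch table above to an inventory of version strings read from each instance's Help → About page and flags which hosts still need the upgrade; the host names and versions are constructed, and any branch not listed in the bulletin is reported as "unlisted" rather than assumed safe.

```python
from typing import Dict, Optional, Tuple

# Patched release per supported branch, as listed in the Progress bulletin:
# any build below the patched level on that branch is affected.
PATCHED_BY_BRANCH = {
    (2025, 1): (2025, 1, 5),
    (2025, 0): (2025, 0, 9),
    (2024, 1): (2024, 1, 8),
}

def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'YYYY.minor.patch' into integers so 2025.1.10 sorts after 2025.1.4."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised MOVEit Automation version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch

def assess(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, patched_release); status is 'affected', 'patched' or 'unlisted'."""
    v = parse_version(version)
    patched = PATCHED_BY_BRANCH.get(v[:2])
    if patched is None:
        # Branch not covered by the bulletin (e.g. an out-of-support release):
        # escalate for a vendor check instead of marking it patched.
        return "unlisted", None
    target = ".".join(str(n) for n in patched)
    return ("patched" if v >= patched else "affected"), target

def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Assess a {host: version} inventory, ordering affected hosts first."""
    results = {host: assess(ver) for host, ver in inventory.items()}
    order = {"affected": 0, "unlisted": 1, "patched": 2}
    return dict(sorted(results.items(), key=lambda kv: order[kv[1][0]]))

if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {"mft-01": "2025.1.3", "mft-02": "2025.0.9",
              "mft-03": "2024.1.10", "mft-04": "2023.0.5"}
    for host, (status, target) in triage(sample).items():
        note = f", upgrade to {target}" if status == "affected" else ""
        print(f"{host}: {sample[host]} -> {status}{note}")
```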
Mitigation
Progress Software has confirmed that the only complete fix is to upgrade to a patched release using the full installer; partial updates or configuration changes are insufficient. Key remediation steps include:
- Download the full installer from the Progress Community portal (active maintenance required)
- Schedule a planned maintenance window, as the upgrade requires taking the system temporarily offline
- Organizations without an active maintenance agreement must contact a Progress sales representative or authorized partner to restore licensing access before patching
- Subscribe to the Progress Alert and Notification Service to receive future security advisories directly via email
MOVEit has been a high-value target for threat actors since the mass-exploitation campaign in 2023, making timely patching of any newly disclosed vulnerabilities especially critical.
Given that both CVE-2026-4670 and CVE-2026-5174 affect the backend command interface, a deeply privileged attack surface, the risk of exploitation in unpatched environments remains severe. Delaying remediation significantly increases the risk of unauthorized access and data compromise.