MOVEit Is Back in the Crosshairs: CVSS 9.8 Flaw in Automation

Progress Software patched a CVSS 9.8 authentication bypass in MOVEit Automation — the same product line that fueled the catastrophic Cl0p ransomware campaign in 2023.

    Progress Software has patched a near-maximum severity authentication bypass in MOVEit Automation, a managed file transfer product in the same family as MOVEit Transfer, which in 2023 became the vehicle for one of the most destructive ransomware campaigns in history. The security community knows that attackers watch this product line closely.

    What CVE-2026-4670 and CVE-2026-5174 Do to MOVEit Automation

    Progress Software disclosed two vulnerabilities in MOVEit Automation in early May 2026. The more critical of the two, CVE-2026-4670, carries a CVSS score of 9.8, close to the maximum of 10.0. It is an authentication bypass reachable through the product’s service backend command port interfaces: a successful attack yields administrative access without valid credentials.

    The second flaw, CVE-2026-5174 (CVSS 7.7), enables privilege escalation through improper input validation. Used in sequence, the pair gives an attacker a path from zero access to elevated control over a MOVEit Automation environment — the kind of access needed to intercept, modify, or exfiltrate the files flowing through the system.

    Affected versions span three active release branches: MOVEit Automation 2025.1.4 and earlier, 2025.0.8 and earlier, and 2024.1.7 and earlier. Fixed versions are available. Progress reports no active exploitation at the time of disclosure and recommends immediate patching; no workaround is available.

    The vulnerabilities were discovered by researchers at Airbus SecLab.

    Why the History Makes This Urgent

    MOVEit Automation is the product line that organizations use to automate and schedule managed file transfers — payroll files, health records, financial transactions, regulatory submissions. In enterprise environments, it handles some of the most sensitive data in motion.

    What security teams need to internalize is what happened in 2023. A critical SQL injection vulnerability in MOVEit Transfer (CVE-2023-34362), which gave unauthenticated attackers access to the application database and a path to remote code execution, was exploited by the Cl0p ransomware group in a mass exploitation campaign. Over a roughly four-week period, Cl0p compromised more than 2,700 organizations and stole an estimated 93 million records. Victims included government agencies, universities, airlines, financial firms, and healthcare systems. It remains one of the largest single-campaign data theft events on record.

    That campaign demonstrated something important: a critical MOVEit vulnerability does not wait for the patch cycle. Cl0p had prepared in advance and was already exploiting CVE-2023-34362 as a zero-day for several days before Progress published its advisory on 31 May 2023, so for many victims the data had left before the flaw was public. Security teams that moved at a deliberate pace were too slow.

    Cl0p’s Demonstrated Playbook

    The Cl0p group has a known and documented pattern of targeting managed file transfer products. Before MOVEit Transfer, Cl0p exploited a flaw in Accellion’s legacy File Transfer Appliance (FTA) in late 2020 and early 2021, and CVE-2023-0669 in Fortra GoAnywhere MFT in early 2023. The pattern is consistent: identify a critical flaw in a product used to move sensitive data, exploit at scale in a compressed window, steal data, and extort victims.

    MOVEit Automation processes the same category of data that made MOVEit Transfer attractive. The naming and architectural differences between Transfer and Automation are immaterial to the threat actor; what matters is the data inside and the organizations trusting the platform to protect it.

    Whether Cl0p or another group moves first on CVE-2026-4670, the 2023 campaign established that the exploitation window for a critical MOVEit flaw is measured in hours after public disclosure, and may already be open before the advisory appears.

    Patching CVE-2026-4670 Before the Cl0p Exploitation Window Opens

    Organizations running MOVEit Automation should treat this as an emergency patching situation, not a routine update cycle. The specific actions:

    Patch immediately. Upgrade to MOVEit Automation 2025.1.5, 2025.0.9, or 2024.1.8 depending on the branch in use. Progress offers no workaround; restricting network access reduces exposure in the meantime but does not substitute for the patch.

    Audit network exposure. MOVEit Automation’s command port interfaces should not be reachable from the public internet, and ideally not from general user networks either. Verify that firewall and host rules restrict them to known administrative hosts and to the systems that legitimately drive automation jobs, and confirm from outside those networks that the ports are actually unreachable rather than trusting the rule set on paper.

    Check for indicators of compromise. Even without confirmed active exploitation at disclosure, the gap between disclosure and patching is a window of risk. Review authentication logs, file transfer activity logs, and administrative changes for the period following disclosure. Because CVE-2026-4670 bypasses authentication, look specifically for administrative sessions with no corresponding successful login, administrative activity from unexpected source addresses, newly created accounts, hosts, tasks, or scripts, and transfers that fall outside their usual schedule.

    Review downstream data flows. Because MOVEit Automation handles scheduled file transfers, compromise of the platform could intercept sensitive data from multiple upstream and downstream systems without any of those systems being directly attacked. The risk is not just to MOVEit but to everything it touches.
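As an added example (not Progress Software code or any published tooling), the Python script below puts the patch and compromise-check steps above into a form that runs offline. It classifies an installed build against the affected and fixed versions the advisory lists, and it runs a simple correlation over log lines to surface administrative actions that were never preceded by a successful login on the same session, or that originate outside the networks allowed to reach the admin interface. The log line shape, the event names (LOGIN_OK, ADMIN_ACTION, and so on), the sample entries and the network ranges are all constructed for illustration; MOVEit Automation’s real log layout is not shown on this page and would have to be mapped into the regular expression before use.

```python
"""Triage helpers for the MOVEit Automation advisory discussed above.

Added example, not Progress Software code. The version boundaries are the
ones the advisory lists; the log line format, event names and network
ranges are constructed for illustration and do not reproduce MOVEit
Automation's real log layout.
"""
from __future__ import annotations

import ipaddress
import re

# First fixed build per release branch, as listed in the advisory. A branch
# missing from this table is reported as "unknown", not as safe.
FIXED_BY_BRANCH: dict[tuple[int, int], tuple[int, int, int]] = {
    (2025, 1): (2025, 1, 5),
    (2025, 0): (2025, 0, 9),
    (2024, 1): (2024, 1, 8),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Parse a dotted build number such as '2025.1.4' into a tuple of ints."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def triage_version(installed: str) -> dict:
    """Classify an installed build as vulnerable, fixed or unknown."""
    version = parse_version(installed)
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        return {"version": installed, "status": "unknown", "upgrade_to": None}
    if version < fixed:  # tuple comparison: 2025.1.4 < 2025.1.5, 2025.1.5.1 >= 2025.1.5
        return {"version": installed, "status": "vulnerable",
                "upgrade_to": ".".join(map(str, fixed))}
    return {"version": installed, "status": "fixed", "upgrade_to": None}


# Constructed log shape (hypothetical, not MOVEit's):
#   <timestamp> <source ip> <event> user=<name> session=<id> [detail=<text>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<event>LOGIN_OK|LOGIN_FAIL|ADMIN_ACTION|LOGOUT) "
    r"user=(?P<user>\S+) session=(?P<session>\S+)(?: detail=(?P<detail>.*))?$"
)

# Constructed sample: one legitimate admin session from the management
# subnet, then administrative actions on sessions that never logged in.
SAMPLE_LOG = """\
2026-05-06T08:00:01Z 10.20.0.15 LOGIN_OK user=mftadmin session=s1
2026-05-06T08:00:09Z 10.20.0.15 ADMIN_ACTION user=mftadmin session=s1 detail=task_modified PayrollExport
2026-05-06T08:05:44Z 198.51.100.77 ADMIN_ACTION user=mftadmin session=s2 detail=user_created svc_backup
2026-05-06T08:05:50Z 198.51.100.77 ADMIN_ACTION user=svc_backup session=s3 detail=task_created NightlyPull
2026-05-06T08:07:12Z 10.20.0.15 LOGOUT user=mftadmin session=s1
"""


def find_suspicious_admin_actions(log_text: str, trusted_nets: list[str]) -> list[dict]:
    """Return ADMIN_ACTION events that lack a prior successful login on the
    same session (the trace an authentication bypass leaves) or that come
    from outside the networks allowed to reach the admin interface."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    authenticated: set[str] = set()
    findings: list[dict] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsed lines are skipped, not treated as trusted
        ev = m.groupdict()
        if ev["event"] == "LOGIN_OK":
            authenticated.add(ev["session"])
            continue
        if ev["event"] != "ADMIN_ACTION":
            continue
        reasons = []
        if ev["session"] not in authenticated:
            reasons.append("admin action without prior successful login")
        if not any(ipaddress.ip_address(ev["src"]) in n for n in nets):
            reasons.append("source outside trusted networks")
        if reasons:
            findings.append({**ev, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for build in ("2025.1.4", "2025.0.9", "2024.1.7", "2023.1.2"):
        print(triage_version(build))
    for f in find_suspicious_admin_actions(SAMPLE_LOG, ["10.20.0.0/16"]):
        print(f["ts"], f["src"], f["user"], f["detail"], "; ".join(f["reasons"]))
```

Two design points worth noting. A build from a branch the advisory does not mention is reported as unknown rather than fixed, because absence from the affected list is not evidence of safety. And the session correlation does not try to detect the bypass itself; it looks for what a bypass leaves behind, which is administrative activity with no authentication event that explains it. The network exposure step is not coded here because the page does not name the command port numbers; once those are known, the same trusted-network list is the allowlist to test against from an untrusted vantage point.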

    The 2023 campaign was a warning about what happens when organizations treat managed file transfer platforms as low-priority IT infrastructure. That lesson remains relevant.
