Critical Authentication Bypass (CVE‑2026‑4670) & Privilege Escalation (CVE‑2026‑5174) in MOVEit Automation Threaten Enterprise File Transfer
What It Is – MOVEit Automation, Progress Software’s managed‑file‑transfer platform, contains two newly disclosed flaws: an authentication‑bypass (CVE‑2026‑4670) and a privilege‑escalation bug (CVE‑2026‑5174). Successful exploitation grants attackers unauthorized access to the backend command port and the ability to execute commands with administrative rights.
Exploitability – Both vulnerabilities are rated Critical (CVSS ≈ 9.8). No public proof‑of‑concept exploits have been released yet, but the flaws are trivial to weaponize once an exploit is crafted. No mitigations or work‑arounds exist; patching is the only defence.
Affected Products – MOVEit Automation versions ≤ 2025.1.4, ≤ 2025.0.8, and ≤ 2024.1.7. The product is widely deployed across finance, healthcare, logistics, and SaaS providers for automated file exchange.
TPRM Impact – A compromised MOVEit Automation instance can become a pivot point to harvest sensitive data, disrupt business‑critical pipelines, and expose downstream partners. Supply‑chain risk is amplified because many third‑party integrations rely on the same transfer engine.
Recommended Actions –
- Inventory all MOVEit Automation deployments and verify version numbers immediately.
- Apply Progress Software’s security patches for CVE‑2026‑4670 and CVE‑2026‑5174 without delay.
- Enforce network segmentation: restrict backend command‑port access to trusted management subnets only.
- Conduct a rapid risk assessment of data flows that traverse MOVEit to identify downstream exposure.
- Update third‑party risk registers to reflect the elevated threat level and communicate remediation status to affected vendors.
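The first two actions above (inventory deployments, verify versions, patch the affected ones) can be automated against an asset list. The following is an added example written for this summary; it is not code from Security Affairs or Progress Software. It assumes version strings in the year.minor.patch form used in the advisory, keys the affected ceilings by release branch (2025.1.x, 2025.0.x, 2024.1.x) so that a newer branch is not mistaken for a patched older one, and flags branches the advisory does not list for manual review rather than guessing. The hostnames and versions in the inventory are constructed.

```python
"""Triage a MOVEit Automation inventory against the advisory's affected version ranges."""
import csv
import io

# Highest affected release per branch, as listed in the advisory:
# <= 2025.1.4, <= 2025.0.8, <= 2024.1.7. Branch key = (year, minor).
AFFECTED_CEILINGS: dict[tuple[int, int], tuple[int, int, int]] = {
    (2025, 1): (2025, 1, 4),
    (2025, 0): (2025, 0, 8),
    (2024, 1): (2024, 1, 7),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'YYYY.minor.patch' into a comparable tuple; a missing patch level counts as 0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def classify(version: str) -> str:
    """Return 'affected', 'not_in_affected_range', or 'unlisted_branch'.

    Comparison is done within the release branch: 2025.1.5 is above the
    2025.1.x ceiling, while 2025.0.8 is still at the 2025.0.x ceiling.
    """
    v = parse_version(version)
    ceiling = AFFECTED_CEILINGS.get(v[:2])
    if ceiling is None:
        # Branch not named in the advisory (e.g. 2023.x): review manually, do not assume safe.
        return "unlisted_branch"
    return "affected" if v <= ceiling else "not_in_affected_range"


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = """\
host,version
mft-prod-01,2025.1.4
mft-prod-02,2025.1.5
mft-dr-01,2025.0.8
mft-legacy-01,2024.1.3
mft-lab-01,2023.0.2
"""


def triage(inventory_csv: str) -> dict[str, list[str]]:
    """Group hosts by classification so the affected set can be patched and segmented first."""
    buckets: dict[str, list[str]] = {
        "affected": [],
        "not_in_affected_range": [],
        "unlisted_branch": [],
    }
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        buckets[classify(row["version"])].append(row["host"])
    return buckets


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts in the "affected" bucket are the patch and segmentation priority; "unlisted_branch" entries should be checked against Progress Software's advisory by hand, since an older, unlisted branch is not evidence that it is unaffected.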
Source: Security Affairs – MOVEit automation flaws could enable full system compromise