Progress has patched two serious security vulnerabilities in MOVEit Automation. The first, CVE-2026-4670, scores a critical 9.8 on the CVSS scale and allows for authentication bypass. The second, CVE-2026-5174, enables attackers to gain administrative privileges. Upgrading to a secure version is the only solution.
CVE-2026-4670 involves an authentication bypass via the service’s backend command port interfaces. With a CVSS score of 9.8, it falls into the most severe category. An attacker without valid credentials can gain remote access to the system without requiring user interaction.
The second vulnerability, CVE-2026-5174, is directly related to the first. An attacker who has gained access via the bypass can escalate their privileges to the administrator level due to insufficient input validation. The CVSS score for this vulnerability is 7.7. Together, these two vulnerabilities create a path from unauthorized access to full administrative control and potential data exposure.
Both vulnerabilities were discovered by researchers at Airbus SecLab: Anaïs Gantet, Delphine Gourdou, Quentin Liddell, and Matteo Ricordeau. Affected versions are MOVEit Automation 2025.1.4 and older, 2025.0.8 and older, and 2024.1.7 and older. According to Bleeping Computer, more than 1,400 MOVEit Automation instances are publicly accessible via the internet. No confirmed exploits in the wild have been reported at this time.
Upgrade is the only remedy
Progress makes it clear that no alternative mitigation is available. “Upgrading to a patched release, using the full installer, is the only way to remediate this issue,” according to Progress. There will be a service interruption during installation.
Secure versions are 2025.1.5, 2025.0.9, and 2024.1.8. Users with an active maintenance contract can download the upgrade via the Progress Community portal. To check your version, go to MOVEit Automation Web Admin and select Help → About. MOVEit has been attacked before, as in the large-scale Clop ransomware campaign in 2023.
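The affected and fixed versions above are listed per release branch, so a single "newer than" comparison misclassifies hosts: 2025.0.8 is still vulnerable although it is numerically newer than the fixed 2024.1.8. The following is an added example, not code from Progress or from this article, that triages version strings read from Help → About; the host names and inventory are constructed, and it assumes versions look like `YYYY.N.P` with optional trailing build numbers and that branches older than 2024.1 are affected, following the "2024.1.7 and older" wording.

```python
import re

# Fixed release per branch, as listed in the article: 2025.1.5, 2025.0.9, 2024.1.8.
FIXED_PATCH = {(2025, 1): 5, (2025, 0): 9, (2024, 1): 8}
OLDEST_FIXED_BRANCH = min(FIXED_PATCH)  # (2024, 1)

# Assumption: versions look like YYYY.N.P, optionally followed by build numbers.
_VERSION_RE = re.compile(r"(\d{4})\.(\d+)\.(\d+)(?:\.\d+)*")


def classify(version):
    """Return 'patched', 'vulnerable' or 'unknown' for one version string."""
    match = _VERSION_RE.fullmatch(version.strip())
    if not match:
        return "unknown"  # unparseable input: check the host by hand
    year, minor, patch = (int(part) for part in match.groups())
    branch = (year, minor)
    if branch in FIXED_PATCH:
        # Compare only within the branch: 2025.0.8 is newer than 2024.1.8
        # by number, yet still below its own branch's fix (2025.0.9).
        return "patched" if patch >= FIXED_PATCH[branch] else "vulnerable"
    if branch < OLDEST_FIXED_BRANCH:
        # "2024.1.7 and older": no fixed release is listed for these branches.
        return "vulnerable"
    return "unknown"  # branch the article does not mention; do not guess


def triage(inventory):
    """Return (host, status) pairs, hosts needing attention first."""
    order = {"vulnerable": 0, "unknown": 1, "patched": 2}
    status = {host: classify(version) for host, version in inventory.items()}
    return sorted(status.items(), key=lambda item: (order[item[1]], item[0]))


# Constructed inventory: hypothetical hosts, versions as read from Help -> About.
SAMPLE_INVENTORY = {
    "mft-prod-01": "2025.1.4",
    "mft-prod-02": "2025.0.9",
    "mft-dr-01": "2024.1.8",
    "mft-legacy": "2023.1.2",
    "mft-test-01": "not reported",
}

if __name__ == "__main__":
    for host, state in triage(SAMPLE_INVENTORY):
        print(f"{state:10} {host:12} {SAMPLE_INVENTORY[host]}")
```

Hosts reported as `unknown` should be checked against the vendor advisory rather than assumed safe.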