Overview
CVE-2026-4670 is a critical authentication bypass vulnerability affecting Progress Software MOVEit Automation, a managed file transfer automation product used by organizations to schedule, control, and automate file movement between systems. Progress assigned the vulnerability a CVSS 3.1 score of 9.8, which places it in the Critical severity range. The vector is:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
That score means the issue can be exploited over the network, requires low attack complexity, does not require authentication, does not require user interaction, and could have high impact on confidentiality, integrity, and availability. NVD lists the CVE but, at the time of writing, says its own NIST assessment has not yet been provided, while the CNA score from Progress is 9.8 Critical.
What Is MOVEit Automation?
MOVEit Automation is part of the Progress MOVEit product family. It is used to automate secure file transfer workflows in enterprise environments. In simple terms, it helps organizations move files between servers, applications, partners, and internal systems without relying on manual work or custom scripts.
A business might use MOVEit Automation to:
- Schedule payroll file transfers
- Move financial reports between systems
- Exchange data with vendors or partners
- Automate recurring SFTP, FTP/S, or file-system transfers
- Coordinate file movement with MOVEit Transfer or other storage systems
It is important not to confuse MOVEit Automation with MOVEit Transfer. MOVEit Transfer is generally the secure file transfer server used to store and exchange files, while MOVEit Automation is the workflow and scheduling engine that automates file movement tasks.
Because these systems often handle sensitive business files and stored credentials, a serious vulnerability in MOVEit Automation can create significant risk.
Vulnerability Summary
CVE-2026-4670 is described as an "Authentication Bypass by Primary Weakness" vulnerability. The associated weakness is CWE-305, which refers to authentication bypass caused by a primary weakness in the authentication process.
In plain language, an authentication bypass means an attacker may be able to access functionality or interfaces that should require a valid login. Since this vulnerability has a PR:N rating, exploitation does not require the attacker to already have an account or valid credentials.
Progress says the issue affects the following MOVEit Automation versions:
| Product | Affected versions | Fixed version |
|---|---|---|
| MOVEit Automation 2025.1.x | 2025.1.4 and earlier | 2025.1.5 or later |
| MOVEit Automation 2025.0.x | 2025.0.0 through 2025.0.8 | 2025.0.9 or later |
| MOVEit Automation 2024.x | 2024.0.0 through 2024.1.7 | 2024.1.8 or later |
| Older versions | Versions prior to 2024.0.0 | Upgrade to a supported fixed release |
Progress and national cybersecurity advisories recommend patching affected systems urgently.
Why the CVSS Score Is So High
The CVSS vector tells us a lot about the practical risk:
| Metric | Meaning | Why it matters |
|---|---|---|
| AV:N | Network exploitable | The attacker does not need local system access |
| AC:L | Low attack complexity | Exploitation does not require unusual conditions |
| PR:N | No privileges required | The attacker does not need a valid account |
| UI:N | No user interaction | No phishing click or user action is required |
| S:U | Scope unchanged | Impact remains within the vulnerable security authority |
| C:H | High confidentiality impact | Sensitive data may be exposed |
| I:H | High integrity impact | Data or configurations may be modified |
| A:H | High availability impact | Systems or services may be disrupted |
That combination is why the CNA score is 9.8 Critical. A remotely reachable authentication bypass in a file-transfer automation platform is especially serious because the product may have access to stored credentials, transfer rules, business workflows, logs, and sensitive files.
Potential Impact
A successful attack could lead to unauthorized access to a MOVEit Automation environment. Progress has warned that the related vulnerabilities may lead to unauthorized access, administrative control, and data exposure.
Depending on how MOVEit Automation is configured, attackers could potentially gain access to:
- File transfer tasks and schedules
- Credentials used in automated transfers
- Internal and external file-transfer destinations
- Sensitive business data such as financial, payroll, legal, healthcare, customer, or partner files
- Audit logs and operational details that reveal how the organization moves data
This kind of access can become more damaging if the system is integrated with internal file shares, cloud storage, partner systems, or other enterprise platforms.
Related Vulnerability: CVE-2026-5174
Progress also disclosed CVE-2026-5174, a separate improper input validation vulnerability that may allow privilege escalation in MOVEit Automation. It has a reported CVSS score of 7.7 High.
The two issues are concerning together because an attacker could theoretically use an authentication bypass to gain initial access, then use a privilege escalation flaw to increase control within the application. Public advisories describe the combined risk as potentially leading to administrative control and data exposure.
Is There Public Exploit Code?
At the time of writing, public reporting indicates that Progress and other parties have not released technical exploit details. Help Net Security also notes that technical details were not released.
That said, organizations should not treat the absence of public proof-of-concept code as safety. MOVEit products have been heavily targeted in the past, and file-transfer systems are attractive to ransomware and data-extortion groups because they often process large volumes of sensitive data.
How to Remediate
The primary fix is to upgrade MOVEit Automation to a patched release.
Recommended fixed versions:
- MOVEit Automation 2025.1.5 or later
- MOVEit Automation 2025.0.9 or later
- MOVEit Automation 2024.1.8 or later
Progress has stated that upgrading with the full installer is the remediation path, and that there will be system downtime while the upgrade is running.
Recommended Defensive Actions
Organizations using MOVEit Automation should treat this as an urgent patching event.
1. Identify exposed MOVEit Automation systems
Start by finding all MOVEit Automation instances, especially those reachable from the internet or from partner networks. Include production, disaster recovery, test, and legacy servers.
2. Confirm the installed version
Check whether each instance is running one of the affected versions. Systems running 2025.1.4 or earlier, 2025.0.8 or earlier, 2024.1.7 or earlier, or versions older than 2024.0.0 should be considered vulnerable unless patched.
3. Upgrade to a fixed version
Apply the vendor update as soon as practical. Because the upgrade may require downtime, coordinate with business teams that depend on automated file transfers.
4. Review logs for suspicious activity
Progress has recommended looking for signs such as unexpected privilege escalation, unauthorized access, or anomalous activity in audit logs.
Security teams should review:
- Login and authentication events
- Administrative changes
- Newly created or modified automation tasks
- Changes to credentials, endpoints, scripts, or transfer destinations
- Unexpected file transfers
- Connections from unusual IP addresses
- Activity outside normal business hours
5. Rotate sensitive credentials
Because MOVEit Automation often stores credentials used for file transfers, consider rotating secrets associated with affected systems, especially if logs show suspicious activity or the system was internet-accessible before patching.
This may include SFTP credentials, service account passwords, API keys, SSH keys, cloud storage tokens, and partner exchange credentials.
6. Restrict network access
MOVEit Automation should not be broadly reachable unless absolutely required. Limit access to trusted administrative networks, VPNs, jump hosts, and approved partner IP ranges.
7. Monitor for downstream impact
If the system was exposed, review whether attackers could have accessed files, modified workflows, or used stored credentials to reach other systems.
Why This Vulnerability Matters
CVE-2026-4670 matters because it affects a product category that sits close to sensitive business data. Managed file transfer systems are often trusted bridges between internal systems, external partners, and regulated data flows. When authentication can be bypassed, the attacker may not need to break into a workstation or steal a password first.
The safest response is simple: identify affected systems, patch quickly, review logs, rotate exposed credentials where needed, and reduce unnecessary network exposure.
Key Takeaways
CVE-2026-4670 is a Critical 9.8 authentication bypass vulnerability in Progress MOVEit Automation. It affects multiple supported and older versions and should be patched immediately. The main risk is unauthorized access to a system that may control sensitive file-transfer workflows and credentials. Organizations should upgrade to 2025.1.5, 2025.0.9, 2024.1.8, or later, then review logs and credentials for signs of compromise.