RC RANDOM CHAOS

Critical MOVEit Automation Auth Bypass Patched, CVSS 9.8

via The Hacker News


Progress Patches Critical MOVEit Automation Bug Enabling Authentication Bypass


Progress Software shipped fixes for two flaws in MOVEit Automation, its server-based managed file transfer scheduler. The headline issue, CVE-2026-4670, is a CVSS 9.8 authentication bypass in the service backend command port interfaces. A second bug, CVE-2026-5174 (CVSS 7.7), is an input validation weakness that enables privilege escalation. Exploited together or on their own, the two flaws can yield unauthorized access, administrative control, and data exposure.

Fixed builds are 2025.1.5, 2025.0.9, and 2024.1.8; earlier builds on those branches, and every older release, are vulnerable, and Progress offers no workaround. Discovery is credited to four Airbus SecLab researchers. No in-the-wild exploitation has been reported yet.
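The check a defender actually wants from this advisory is "which of my MOVEit Automation hosts are still below the fixed build for their branch?". The script below is an added example, not Progress code and not part of the original article: it takes the three fixed builds named above, maps each to its release branch, and grades an installed build as fixed, vulnerable, or unknown. It assumes a build string is MAJOR.MINOR.PATCH with the first two components naming the branch, and the inventory lines and hostnames are constructed sample data.

```python
"""Grade installed MOVEit Automation builds against the fixed builds in the advisory.

Added example (not Progress Software code). Assumptions:
  * build strings look like MAJOR.MINOR.PATCH, e.g. "2025.1.4";
  * MAJOR.MINOR identifies the release branch, so 2025.1.x is one branch;
  * a branch older than the oldest fixed branch has no fix and is vulnerable;
  * a branch newer than the advisory covers is reported as "unknown".
The inventory below is constructed sample data, not real hosts.
"""

# Fixed builds as named in the Progress advisory.
FIXED_BUILDS = ("2025.1.5", "2025.0.9", "2024.1.8")


def parse_version(build):
    """Turn '2025.1.4' into (2025, 1, 4); reject anything that is not three integers."""
    parts = build.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised build string: {build!r}")
    return tuple(int(p) for p in parts)


# branch (MAJOR, MINOR) -> first fixed build on that branch
FIXED_BY_BRANCH = {v[:2]: v for v in map(parse_version, FIXED_BUILDS)}
OLDEST_FIXED_BRANCH = min(FIXED_BY_BRANCH)


def assess(build):
    """Return 'fixed', 'vulnerable', or 'unknown' for one installed build string."""
    version = parse_version(build)
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        # Same branch as a fixed build: compare the patch level.
        return "fixed" if version >= FIXED_BY_BRANCH[branch] else "vulnerable"
    if branch < OLDEST_FIXED_BRANCH:
        # Older branch with no fixed build listed: everything there is vulnerable.
        return "vulnerable"
    # Newer branch than the advisory enumerates; do not guess, send it for review.
    return "unknown"


def triage(inventory_text):
    """Grade every 'host,build' line of an inventory; malformed lines are flagged, not dropped."""
    results = {}
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, _, build = line.partition(",")
        try:
            results[host.strip()] = assess(build)
        except ValueError:
            results[host.strip()] = "unparseable"
    return results


# Constructed sample inventory (hostnames and builds are made up for the example).
SAMPLE_INVENTORY = """\
mft-prod-01,2025.1.5
mft-prod-02,2025.1.4
mft-stage-01,2025.0.9
mft-legacy-01,2024.1.8
mft-legacy-02,2023.0.2
mft-broken-01,2025.1
"""


def main():
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:<16} {status}")


if __name__ == "__main__":
    main()
```

Feed it the output of whatever inventory source you trust (CMDB export, EDR software list) as `host,build` lines; anything graded `vulnerable` or `unknown` goes to the top of the patch queue, and `unparseable` rows mean the inventory itself needs fixing before you can trust the result.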

The urgency is historical rather than telemetric. MOVEit Transfer was the entry point for the 2023 Cl0p mass-exploitation campaign that hit hundreds of organizations, and ransomware crews actively monitor Progress advisories for the next reusable MFT primitive. An unauthenticated bypass on an enterprise file-movement backend is exactly that primitive, so patch windows here should be measured in hours, not weeks.



This is an AI-generated summary. Read the original for the full story.