Vulnerability Analysis

CVE-2026-4670 & CVE-2026-5174: Critical MOVEit Automation Auth Bypass + Privilege Escalation — What It Is & How to Fix It

Executive Summary

Progress Software has disclosed two vulnerabilities in MOVEit Automation — CVE-2026-4670 (CVSS 9.8, Critical) and CVE-2026-5174 (CVSS 7.7, High) — that together enable unauthenticated remote attackers to gain full administrative control of affected instances. With over 1,400 internet-exposed MOVEit Automation servers and a history of devastating ransomware exploitation tied to the MOVEit platform, organizations must treat patching as an emergency: upgrade to a fixed release immediately, as no workaround or partial mitigation fully addresses these flaws.


1. What Is This Vulnerability?

MOVEit Automation is an enterprise managed file transfer (MFT) orchestration platform used by government agencies, banks, healthcare providers, and supply chain operators to automate secure file movement between internal and external systems. It stores credentials, schedules transfers, and integrates with dozens of business-critical destinations.

CVE-2026-4670 — Authentication Bypass (CVSS 9.8)

The root cause is an authentication bypass in MOVEit Automation's service backend command port interface — an internal API endpoint used for administrative operations. An attacker with network access to this interface can craft specially formed requests that circumvent the authentication gate entirely without providing valid credentials.

  • CWE Classification: CWE-287 (Improper Authentication)
  • Attack Vector: Network (AV:N)
  • Attack Complexity: Low (AC:L)
  • Privileges Required: None (PR:N)
  • User Interaction: None (UI:N)

In practical terms, any system that can reach MOVEit Automation's backend service port — whether from the internet or laterally from within an internal network — can authenticate as an administrator with a single malformed request.

CVE-2026-5174 — Privilege Escalation via Input Validation Flaw (CVSS 7.7)

This companion vulnerability arises from improper input validation (CWE-20) in the same service backend interface. An already-authenticated user (even one with restricted permissions) can submit specially crafted input to escalate their privileges to administrative level. When chained with CVE-2026-4670, an attacker doesn't need a valid account at all: bypass auth first, then escalate to full admin in a second step.

Attack Vector

The attack chain is straightforward:

  1. Reconnaissance: Identify exposed MOVEit Automation instances via Shodan, Censys, or passive DNS. The service backend port is often exposed alongside the web UI.
  2. Auth Bypass (CVE-2026-4670): Send malformed requests to the backend command port that skip the authentication check, gaining an unauthenticated session.
  3. Privilege Escalation (CVE-2026-5174): Submit crafted input to the escalation-vulnerable endpoint to upgrade session permissions to administrator.
  4. Credential Harvesting: Extract plaintext or reversibly encrypted credentials stored within MOVEit Automation tasks (FTP, SFTP, HTTP, cloud storage passwords).
  5. Lateral Movement / Data Exfiltration: Use harvested credentials to pivot into connected systems or directly exfiltrate scheduled transfer payloads.

Real-World Impact

The MOVEit Transfer vulnerability exploited by the Cl0p ransomware group in 2023 (CVE-2023-34362) resulted in data theft from over 1,000 organizations including Shell, the BBC, British Airways, and dozens of U.S. government agencies. MOVEit Automation is the workflow orchestration layer that sits on top of Transfer infrastructure — meaning a compromised Automation instance can expose not just data in transit but every credential and integration across an organization's entire MFT ecosystem. Progress Software has not yet confirmed active exploitation of CVE-2026-4670 in the wild, but given historical targeting of this platform, the window between disclosure and active exploitation may be extremely short.


2. Who Is Affected?

Affected Product: Progress MOVEit Automation

Product Version Branch   Vulnerable Through               Fixed In
2024.1.x (16.1.x)        2024.1.7 (16.1.7) and earlier    2024.1.8 (16.1.8)
2025.0.x (17.0.x)        2025.0.8 (17.0.8) and earlier    2025.0.9 (17.0.9)
2025.1.x (17.1.x)        2025.1.4 (17.1.4) and earlier    2025.1.5 (17.1.5)

Who is at highest risk:

  • Organizations with MOVEit Automation's backend service port exposed to the internet or broad internal networks
  • Enterprises using MOVEit Automation to store credentials for critical systems (banking APIs, healthcare data stores, government file repositories)
  • Managed Service Providers (MSPs) running MOVEit Automation on behalf of multiple clients — a single compromise can cascade
  • U.S. local and state government agencies (over a dozen confirmed internet-exposed instances at time of disclosure)

Not affected: MOVEit Transfer (a separate product). MOVEit Cloud hosted environments are managed directly by Progress and are addressed through separate patching channels.


3. How to Detect It (Testing)

Confirming Exposure

Before testing for the vulnerability itself, determine whether your instance is even reachable from untrusted networks:

# Check if the MOVEit Automation backend port is externally reachable
# Replace <host> with your Automation server's hostname or IP
# Default backend port is typically 8443 or a custom port defined during install
nmap -sV -p 8443 <your-moveit-automation-host>

# Check if the management interface is indexed by public scanners
# Search Shodan for: product:"MOVEit Automation"

Manual Testing Steps

Step 1: Identify the backend service port

Log into the MOVEit Automation admin console and navigate to System → Settings → Service Configuration to confirm the backend command port number.

Step 2: Check for unauthenticated response

# Send an unauthenticated probe to the backend interface
# A vulnerable system may return an unexpected 200 OK or service response
# rather than a 401/403 authentication challenge
curl -k -v "https://<host>:<backend-port>/api/v1/status" --max-time 10

On a patched system, this should return an explicit authentication error. On a vulnerable system, the response may differ in an exploitable way (unexpected 200, session token in response, service info leak).

Step 3: Inspect audit logs for anomalous access

  • Navigate to Reports → Audit Log in the admin console
  • Filter for authentication events, particularly any admin-level actions not tied to known administrator accounts
  • Look for access from unexpected IP addresses to backend endpoints

Step 4: Check running version

# On the MOVEit Automation Windows server:
Get-ItemProperty "HKLM:\Software\Ipswitch\MOVEit Automation" | Select-Object Version
# Or check the About page in the admin UI
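
The registry query above only returns the raw build number. As an added example that is not part of this advisory or of Progress's tooling, the following script classifies that number against the fixed releases in the version table in section 2 and can be run over a whole inventory, which is the automated version audit the prevention section recommends. It accepts both the product-year form (2025.1.4) and the internal form (17.1.4 or 17.1.4.0); the host names and versions in the sample inventory are constructed.

```python
from typing import Dict, Optional, Tuple

# Branch -> first fixed patch level, taken from the advisory's version table.
# Keys use the internal (major, minor) numbering; PRODUCT_TO_INTERNAL maps the
# product-year branches onto it (2024.1 = 16.1, 2025.0 = 17.0, 2025.1 = 17.1).
FIXED_PATCH: Dict[Tuple[int, int], int] = {(16, 1): 8, (17, 0): 9, (17, 1): 5}
PRODUCT_TO_INTERNAL = {(2024, 1): (16, 1), (2025, 0): (17, 0), (2025, 1): (17, 1)}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Normalise '2025.1.4', '17.1.4' or '17.1.4.0' to an internal (major, minor, patch) tuple."""
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised MOVEit Automation version string: {version!r}")
    major, minor, patch = (int(p) for p in parts[:3])
    if major >= 2000:  # product-year form, e.g. 2025.1.4
        if (major, minor) not in PRODUCT_TO_INTERNAL:
            return major, minor, patch  # unknown branch; is_vulnerable() reports it as such
        major, minor = PRODUCT_TO_INTERNAL[(major, minor)]
    return major, minor, patch


def is_vulnerable(version: str) -> Optional[bool]:
    """
    True  -> listed branch and below its fixed patch level (CVE-2026-4670 / CVE-2026-5174 apply)
    False -> at or above the fixed patch level for its branch
    None  -> branch not covered by the advisory; escalate to manual review
    """
    major, minor, patch = parse_version(version)
    fixed = FIXED_PATCH.get((major, minor))
    return None if fixed is None else patch < fixed


def audit_hosts(inventory: Dict[str, str]) -> Dict[str, str]:
    """Label each host in a {hostname: version} inventory VULNERABLE, PATCHED or UNKNOWN."""
    labels = {True: "VULNERABLE", False: "PATCHED", None: "UNKNOWN"}
    return {host: labels[is_vulnerable(ver)] for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory, e.g. collected by running the registry query on each server
    sample = {"mft-prod-01": "17.1.4", "mft-prod-02": "2025.1.5", "mft-dr-01": "16.1.7.0"}
    for host, status in audit_hosts(sample).items():
        print(f"{host}: {status}")
```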

Automated Scanning

Using Tenable Nessus / Tenable.io:

  • Plugin ID for CVE-2026-4670 will be available in the Tenable plugin feed — run an authenticated scan against the MOVEit Automation host
  • Plugin family: Web Servers or CGI
  • Search for moveit automation 2026-4670 in the plugin search interface

Using Qualys:

  • QID for CVE-2026-4670 available post-May 5 feed update
  • Run a scan profile targeting the Automation server with Authentication: Windows Credentials and Service Detection: All Ports

Using Shodan to check internet exposure:

# Shodan search query (run from browser or API)
product:"MOVEit Automation" country:"US"

Code Review / Configuration Checklist

  • Verify the backend command port is not reachable from untrusted networks (internet, guest VLANs)
  • Confirm admin console access is restricted to known IP ranges (firewall ACL or WAF rules)
  • Review stored task credentials — identify which systems would be exposed if an attacker gained admin access
  • Check for any scheduled tasks with overly privileged service account credentials
  • Audit all user accounts for unexpected recently created admin accounts

4. How to Fix It (Mitigation)

Step-by-Step Remediation

⚠️ Important: Progress Software has confirmed that upgrading to a patched release via the full installer is the only complete remediation. There is no hotfix or partial patch. The upgrade requires a planned outage.

Step 1: Plan the maintenance window

The full installer upgrade requires MOVEit Automation to be offline during the process. Coordinate with stakeholders who depend on automated file transfers. Most installs complete in 30–60 minutes; budget more time for large task libraries.

Step 2: Back up the current installation

# Stop MOVEit Automation services before backup
Stop-Service "MOVEit Automation" -Force

# Back up the Automation database (SQL Server example)
Backup-SqlDatabase -ServerInstance "localhost\SQLEXPRESS" `
  -Database "MOVEit_Automation" `
  -BackupFile "C:\Backups\moveit-automation-$(Get-Date -Format 'yyyyMMdd').bak"

# Back up the installation directory
Compress-Archive -Path "C:\Program Files (x86)\Ipswitch\MOVEit Automation" `
  -DestinationPath "C:\Backups\moveit-automation-install-$(Get-Date -Format 'yyyyMMdd').zip"

Step 3: Download the patched installer

  • Log into the Progress Community Portal with your licensed account
  • Navigate to Product Downloads → MOVEit Automation
  • Download the full installer for your target version:
    • 2024.1.8 if you are on the 2024.1.x branch
    • 2025.0.9 if you are on the 2025.0.x branch
    • 2025.1.5 if you are on the 2025.1.x branch

Step 4: Run the full installer

# Run as Administrator on the MOVEit Automation server
# Follow the installer wizard — it will detect the existing installation
# and perform an in-place upgrade
MOVEit_Automation_17.1.5_Installer.exe   # example for 2025.1.5

Step 5: Verify the upgrade

After the installer completes and services restart, confirm the new version:

Get-ItemProperty "HKLM:\Software\Ipswitch\MOVEit Automation" | Select-Object Version
# Should return 16.1.8, 17.0.9, or 17.1.5 depending on your branch

Step 6: Rotate stored credentials

Even if no active exploitation is confirmed, treat any pre-patch period where the backend port was network-accessible as a potential window of compromise. Rotate credentials stored in MOVEit Automation tasks as a precaution:

  • SFTP/FTP passwords
  • Cloud storage API keys
  • HTTP/HTTPS service account credentials
  • Database connection strings

Interim Network Mitigation (While Patching)

If an immediate maintenance window is not possible, reduce exposure by restricting network access to the backend command port:

# Windows Firewall: restrict inbound access to the backend port to the admin subnet
# Replace 8443 with your actual backend port and 10.0.1.0/24 with your admin subnet
# Note: Windows Firewall has no rule priorities (New-NetFirewallRule has no -Priority
# parameter) and a Block rule always overrides an Allow rule, so a blanket block for
# 0.0.0.0/0 would lock out the admin subnet as well. Allow only the admin subnet and
# rely on the profile's default inbound action (Block) for every other source.
New-NetFirewallRule -DisplayName "Allow MOVEit Backend - Admin Only" `
  -Direction Inbound -Protocol TCP -LocalPort 8443 `
  -RemoteAddress "10.0.1.0/24" -Action Allow

# Find and disable any existing rule that opens the same port more broadly
Get-NetFirewallPortFilter -Protocol TCP | Where-Object { $_.LocalPort -eq "8443" } |
  Get-NetFirewallRule | Where-Object { $_.DisplayName -ne "Allow MOVEit Backend - Admin Only" } |
  Disable-NetFirewallRule

# Confirm the default inbound action is Block on all profiles
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

This is a temporary measure only — network restriction does not fix the underlying vulnerability and does not protect against insider threats or lateral movement.

Configuration Hardening

  • Disable backend port internet exposure: Ensure the backend command port is never accessible from the internet. Place MOVEit Automation behind a VPN gateway.
  • Admin UI access restriction: Whitelist allowed source IPs for the admin console in the web server configuration and upstream WAF/load balancer.
  • Principle of least privilege for tasks: Audit all automation tasks and ensure service accounts used within tasks have only the minimum permissions required.
  • MFA for admin accounts: Enable multi-factor authentication for all administrator accounts in MOVEit Automation's user management settings.

5. How to Test the Fix (Validation)

Regression Test Scenarios

Scenario A: Verify the authentication bypass is closed

After patching, attempt the same unauthenticated probe from Step 2 of the detection section. The patched system should return a proper 401 Unauthorized or 403 Forbidden for any request lacking valid authentication credentials.

Scenario B: Confirm normal admin authentication still works

Log into the admin console with a valid administrator account using normal credentials. Confirm all scheduled tasks, configurations, and credentials are intact post-upgrade.

Scenario C: Validate privilege escalation is blocked (CVE-2026-5174)

Attempt to access admin-level functionality with a restricted/read-only user account after patching. Confirm that restricted users cannot escalate their privileges via crafted input.

Scenario D: Confirm file transfers still execute correctly

Run a representative sample of scheduled tasks to confirm the upgrade did not disrupt task execution, credential lookups, or transfer agent connectivity.

Security Test Cases

Test Case 1: Authentication bypass (CVE-2026-4670)

  • Precondition: Patch applied (version 2024.1.8 / 2025.0.9 / 2025.1.5 or later)
  • Steps: Send unauthenticated HTTP requests to the backend command port using the exploit pattern associated with CVE-2026-4670
  • Expected Result: Server returns 401 Unauthorized; no session is established; audit log records failed authentication attempt from test IP

Test Case 2: Privilege escalation (CVE-2026-5174)

  • Precondition: Patch applied; test account with restricted (non-admin) privileges created
  • Steps: Authenticate as restricted user; send crafted input to the endpoint associated with privilege escalation
  • Expected Result: Request is rejected or returns an authorization error; user's privilege level remains unchanged; no admin functions become accessible

Test Case 3: No regression on legitimate operations

  • Precondition: Patch applied
  • Steps: Run all production-representative automated tasks (SFTP push, API call, report generation)
  • Expected Result: All tasks complete with same success rate as pre-patch baseline

Automated Validation Tests

import requests
import sys

# Replace with your MOVEit Automation host and backend port
MOVEIT_HOST = "https://your-moveit-automation-host:8443"

def test_auth_bypass_fixed():
    """
    After patching, unauthenticated requests to the backend API
    should return 401 or 403, never 200 or service data.
    """
    try:
        response = requests.get(
            f"{MOVEIT_HOST}/api/v1/status",
            verify=False,
            timeout=10
        )
        if response.status_code in (401, 403):
            print("[PASS] Auth bypass fixed: server returned", response.status_code)
            return True
        else:
            print("[FAIL] Unexpected response:", response.status_code, "- may still be vulnerable")
            return False
    except requests.exceptions.RequestException as exc:
        # RequestException also covers read timeouts, which ConnectionError alone does not
        print("[SKIP] Could not reach backend port - check network access:", exc)
        return None

if __name__ == "__main__":
    result = test_auth_bypass_fixed()
    # Exit codes: 0 = pass, 1 = fail (possibly still vulnerable), 2 = could not test
    sys.exit({True: 0, False: 1, None: 2}[result])

6. Prevention & Hardening

Best Practices

Practice 1: Network segmentation for MFT infrastructure

MOVEit Automation should never be directly internet-accessible. Place the server behind a VPN concentrator or network perimeter firewall. Restrict inbound access to the admin console and backend port to a dedicated operations subnet only.

Practice 2: Credential vault integration

Instead of storing credentials directly within MOVEit Automation tasks, integrate with an enterprise secrets manager (HashiCorp Vault, CyberArk, AWS Secrets Manager). This limits the blast radius of a compromised Automation instance — an attacker who bypasses auth gains session access but cannot trivially harvest plaintext credentials.

Practice 3: Regular patching cadence with emergency patch SLA

Given MOVEit's history as a high-value ransomware target, establish a formal SLA: Critical CVSS ≥ 9.0 vulnerabilities in MFT infrastructure must be patched within 24–48 hours of vendor release. Run an automated version audit (see monitoring section) that alerts when the installed version falls below the current patched release.

Practice 4: Principle of least privilege for automation tasks

Audit all task service accounts quarterly. Each account should have only the permissions required for its specific transfer operation — read-only where possible, scoped to specific directories/buckets, with no lateral access to other systems.

Practice 5: Immutable audit logging

Forward MOVEit Automation audit logs to an external SIEM (Splunk, Sentinel, Elastic) in real time. Store logs in a write-once location that the Automation server itself cannot modify — this ensures post-compromise log integrity.

Monitoring & Detection

Set up the following alerts in your SIEM or log management platform:

# Alert: Admin action from non-admin account
source="moveit_automation" action="admin_*" user NOT IN admin_users_list → HIGH priority

# Alert: Authentication failure spike on backend port
source="moveit_automation" event="auth_failure" port=8443 
  count > 10 in 60 seconds → MEDIUM priority (brute force indicator)

# Alert: New admin account created
source="moveit_automation" action="create_user" role="administrator" → HIGH priority

# Alert: Credential object accessed outside of scheduled task window
source="moveit_automation" action="credential_access" 
  time NOT IN scheduled_task_windows → MEDIUM priority

# Alert: Task modified by non-owner
source="moveit_automation" action="task_modified" 
  modifier != task_owner → LOW/MEDIUM priority
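
The alert rules above are written as SIEM pseudo-queries. As an added example (not from the advisory and not a MOVEit or SIEM product feature), the first three are implemented in Python over a constructed batch of audit events, so the threshold and allow-list logic can be unit-tested before it is ported to your SIEM's query language. The event field names (ts, event, action, user, role, port, src_ip), the admin allow-list and the sample events are all assumptions.

```python
from collections import deque
from typing import Dict, List

ADMIN_USERS = {"mftadmin", "svc-moveit-ops"}  # constructed allow-list of known admin accounts
BACKEND_PORT = 8443                             # backend command port; adjust to your install
SPIKE_THRESHOLD, SPIKE_WINDOW = 10, 60          # "count > 10 in 60 seconds"


def detect(events: List[Dict]) -> List[Dict]:
    """Evaluate audit events (sorted by 'ts', epoch seconds) and return alerts in firing order."""
    alerts: List[Dict] = []
    failures: deque = deque()  # timestamps of backend auth failures inside the sliding window
    for ev in events:
        # Admin action from an account that is not on the admin list -> HIGH
        if ev.get("action", "").startswith("admin_") and ev.get("user") not in ADMIN_USERS:
            alerts.append({"rule": "admin_action_non_admin", "priority": "HIGH", **ev})
        # New administrator account created -> HIGH
        if ev.get("action") == "create_user" and ev.get("role") == "administrator":
            alerts.append({"rule": "new_admin_account", "priority": "HIGH", **ev})
        # Authentication failure spike on the backend port -> MEDIUM (brute force indicator)
        if ev.get("event") == "auth_failure" and ev.get("port") == BACKEND_PORT:
            failures.append(ev["ts"])
            while failures and ev["ts"] - failures[0] > SPIKE_WINDOW:
                failures.popleft()  # drop failures older than the window
            if len(failures) == SPIKE_THRESHOLD + 1:  # fire once, when the count first exceeds 10
                alerts.append({"rule": "auth_failure_spike", "priority": "MEDIUM", **ev})
    return alerts


# Constructed sample: 11 backend auth failures in 10 s from one source, then two suspicious
# actions by a non-admin account and one legitimate action by a known admin.
SAMPLE_EVENTS = [
    {"ts": 1000 + i, "event": "auth_failure", "port": 8443, "src_ip": "203.0.113.7", "user": "admin"}
    for i in range(11)
] + [
    {"ts": 1020, "action": "admin_config_change", "user": "jdoe", "src_ip": "203.0.113.7"},
    {"ts": 1021, "action": "create_user", "role": "administrator", "user": "jdoe",
     "target_user": "backup_admin"},
    {"ts": 1030, "action": "admin_config_change", "user": "mftadmin", "src_ip": "10.0.1.5"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['priority']}] {alert['rule']} ts={alert['ts']} user={alert.get('user')}")
```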

Recommended detection tooling:

  • SIEM integration: MOVEit Automation supports syslog output — configure syslog forwarding to your SIEM immediately
  • File integrity monitoring: Monitor the Automation installation directory for unauthorized file changes (Tripwire, OSSEC, Wazuh)
  • Network monitoring: Alert on any unexpected connections to the backend command port from IP addresses outside the approved admin subnet
