thehackernews.com 5/4/2026, 5:23:08 PM

Progress patches critical MOVEit auth bypass, CVE-2026-4670

CyberSIXT Evidence Panel
CISA KEV: Not in KEV
Patch: Patch Available

Progress Software has released updates to address two security flaws in MOVEit Automation, including a critical vulnerability that could enable authentication bypass. According to Progress Software, the flaws are CVE-2026-4670 (CVSS 9.8) and CVE-2026-5174 (CVSS 7.7). The former is an authentication bypass; the latter is an improper input validation flaw that could allow privilege escalation.

The advisory states that “Critical and high vulnerabilities in MOVEit Automation may allow authentication bypass and privilege escalation through the service backend command port interfaces,” and that exploitation may lead to unauthorized access, administrative control, and data exposure. The affected versions include MOVEit Automation <= 2025.1.4 (fixed in 2025.1.5), <= 2025.0.8 (fixed in 2025.0.9), and <= 2024.1.7 (fixed in 2024.1.8).

Airbus SecLab researchers Anaïs Gantet, Delphine Gourdou, Quentin Liddell, and Matteo Ricordeau are credited with discovering and reporting the two vulnerabilities. There are no workarounds. Although no exploitation in the wild has been reported, users are urged to apply the fixes promptly, given that past MOVEit flaws have been referenced in ransomware campaigns.


Article by CyberSIXT
