securityaffairs.com 5/4/2026, 10:31:33 PM · via preferred

Progress fixes MOVEit Automation flaws opening door to file hacks

CyberSIXT Evidence Panel
CISA KEV: Not in KEV
Patch: Available

Progress Software has fixed two vulnerabilities in MOVEit Automation: a critical authentication bypass flaw tracked as CVE-2026-4670 and a privilege escalation issue tracked as CVE-2026-5174. If exploited, they could allow attackers to gain unauthorized access or elevate privileges. MOVEit Automation is an enterprise managed file transfer solution used to move, schedule, and automate file transfers between systems, applications and partners. According to the advisory, no workarounds are available.

The flaws affect MOVEit Automation versions <= 2025.1.4, <= 2025.0.8 and <= 2024.1.7, and were discovered and reported by Airbus SecLab researchers Anaïs Gantet, Delphine Gourdou, Quentin Liddell and Matteo Ricordeau.

The article notes that flaws of this kind can be weaponised quickly and at scale once discovered, and that a working exploit can enable mass access across many systems, a pattern seen in past campaigns such as the Cl0p group’s MOVEit-related attacks in 2023, which impacted about 1,000 organisations and 60,144,069 individuals.


Article by CyberSIXT
