
Critical MOVEit Automation Auth Bypass (CVE-2026-4670) Threatens Thousands of Deployments

Progress Software disclosed a critical authentication-bypass flaw (CVE-2026-4670) in MOVEit Automation, affecting versions prior to 2025.1.5, 2025.0.9 and 2024.1.8. Over 1,400 internet-exposed instances, including U.S. state and local agencies, remain unpatched, prompting urgent upgrades and mitigations.

Overview/Introduction

On May 4, 2026 Progress Software released an advisory warning customers of a critical authentication-bypass vulnerability in its flagship Managed File Transfer (MFT) solution, MOVEit Automation. The flaw, catalogued as CVE-2026-4670, permits unauthenticated remote actors to gain full access to the automation engine without any user interaction. The advisory also bundled a high-severity privilege-escalation bug (CVE-2026-5174) that compounds the risk. Given MOVEit Automation’s role in orchestrating complex data pipelines across on-premises, cloud, and partner environments, the exposure is especially concerning for enterprises and government agencies that rely on it for sensitive data movement.

Technical Details

Both CVE identifiers affect the same code base but target distinct attack surfaces:

  • CVE-2026-4670 - Authentication Bypass: A flaw in the REST API authentication handler allows crafted HTTP requests to bypass the token validation routine. The bypass stems from an improper comparison of the Authorization header when the header is missing or malformed. When triggered, the server treats the request as coming from an authenticated service account, granting full administrative privileges over the automation engine.
  • CVE-2026-5174 - Privilege Escalation: An input-validation weakness in the job-scheduling module permits specially crafted XML payloads to overwrite internal configuration files. An attacker who already has limited user rights can leverage this to execute arbitrary commands as the service’s SYSTEM account.

The exploitation path for CVE-2026-4670 is low-complexity:

  1. Identify an internet-exposed MOVEit Automation instance (Shodan queries for "MOVEit Automation" on port 443).
  2. Send a GET request to /api/v1/jobs without an Authorization header or with a malformed token.
  3. The server erroneously returns a 200 OK response with the full job list, effectively authenticating the attacker.
  4. From there, the attacker can invoke any privileged API endpoint, including job creation, deletion, and credential retrieval.

Because the flaw resides in the core API layer, it is not mitigated by network-level ACLs once the service is reachable from the internet. The vulnerability is present in all MOVEit Automation releases prior to 2025.1.5, 2025.0.9, and 2024.1.8.

Impact Analysis

The impact is two-fold:

  • Data Confidentiality: Attackers can retrieve stored credentials, API keys, and files in transit, exposing trade secrets, personally identifiable information (PII), and regulated data.
  • Operational Disruption: Full control of the automation engine enables malicious actors to delete or re-schedule jobs, inject malicious scripts, or exfiltrate data en masse. In a ransomware scenario, the attacker could encrypt transferred files and demand payment.

According to a Shodan scan shared by security consultant Daniel Card, more than 1,400 MOVEit Automation instances are publicly reachable. Among those, at least a dozen belong to U.S. state and local governments, entities that routinely handle citizen data, tax records, and public-service workflows. The broader ecosystem includes over 3,000 enterprise customers and 100,000 users worldwide, meaning the attack surface is massive.

Timeline of Events

  • May 2, 2026 - Internal security testing at Progress discovers the authentication bypass during a routine code audit.
  • May 4, 2026, 08:18 AM (UTC) - Progress publishes advisory, releases patches for CVE-2026-4670 and CVE-2026-5174, and recommends immediate upgrades.
  • May 5, 2026 - Shodan data released by Daniel Card highlights >1,400 exposed instances, flagging several government deployments.
  • May 7, 2026 - No public evidence of active exploitation, but security teams across the sector begin emergency response drills.

Mitigation/Recommendations

Progress’s advisory states that the only reliable remediation is to upgrade to the patched releases using the full installer. However, organizations can adopt additional defensive layers while planning the upgrade:

  1. Immediate Network Isolation: Block inbound traffic to port 443 on any MOVEit Automation host that does not require external access. Use firewalls or cloud security groups to restrict source IP ranges.
  2. Web Application Firewall (WAF) Rules: Deploy a rule that rejects any API request missing a valid Authorization header. While not a full fix, it reduces the noise of unauthenticated probes.
  3. Credential Rotation: Assume that stored credentials may have been compromised. Rotate API keys, service accounts, and any passwords used in automated jobs.
  4. Log Monitoring: Enable detailed API request logging and set alerts for anomalous activity such as bulk job enumeration or unexpected job creation.
  5. Patch Deployment: Schedule a maintenance window, apply the full installer for the latest version (2025.1.5 or later), and verify service health post-upgrade. Expect a brief outage during the upgrade process.
  6. Incident Response Playbook: Prepare a playbook that includes containment steps (network block), forensic data collection (API logs, job definitions), and communication protocols for notifying stakeholders and regulators.
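As an added example, not code from Progress or from the advisory, the following Python sketch implements the log-monitoring recommendation above for the three patterns this advisory describes: API calls that succeed without a well-formed Authorization token, unexpected job creation, and bulk job enumeration from a single client. The log line format, the token shape and the sample traffic are all constructed assumptions, not MOVEit Automation's real logging.

```python
import re
from collections import Counter

# Constructed log line shape (an assumption, not MOVEit Automation's real format):
#   <client-ip> <method> <path> <http-status> auth=<Authorization value or "-">
LOG_RE = re.compile(r"^(\S+) (GET|POST|DELETE) (\S+) (\d{3}) auth=(\S+)$")
# Hypothetical token shape: "Bearer:" followed by at least 24 token characters.
TOKEN_RE = re.compile(r"^Bearer:[A-Za-z0-9._-]{24,}$")
ENUM_THRESHOLD = 3  # successful job-list fetches from one client before flagging

SAMPLE_LOG = """\
10.0.0.5 GET /api/v1/jobs 200 auth=Bearer:c29tZXZhbGlkdG9rZW52YWx1ZTEyMzQ1Ng
203.0.113.9 GET /api/v1/jobs 200 auth=-
203.0.113.9 GET /api/v1/jobs?page=2 200 auth=-
203.0.113.9 GET /api/v1/jobs?page=3 200 auth=-
203.0.113.9 POST /api/v1/jobs 201 auth=x
198.51.100.7 GET /api/v1/jobs 401 auth=-
10.0.0.5 GET /login 200 auth=-
""".splitlines()

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status, auth = m.groups()
    return {"ip": ip, "method": method, "path": path, "status": int(status), "auth": auth}

def token_is_wellformed(auth):
    return bool(TOKEN_RE.match(auth))

def find_alerts(lines):
    alerts = []
    list_hits = Counter()
    for line in lines:
        ev = parse(line)
        if ev is None or not ev["path"].startswith("/api/"):
            continue
        succeeded = 200 <= ev["status"] < 300
        # 1. Bypass signature: an API call succeeded with a missing or malformed token.
        if succeeded and not token_is_wellformed(ev["auth"]):
            alerts.append(("unauthenticated_success", ev["ip"], ev["path"]))
        # 2. Unexpected job creation: every successful POST to the jobs endpoint is reviewed.
        if succeeded and ev["method"] == "POST" and ev["path"] == "/api/v1/jobs":
            alerts.append(("job_created", ev["ip"], ev["path"]))
        # 3. Bulk enumeration: repeated successful job-list fetches from one client.
        if succeeded and ev["method"] == "GET" and ev["path"].startswith("/api/v1/jobs"):
            list_hits[ev["ip"]] += 1
            if list_hits[ev["ip"]] == ENUM_THRESHOLD:
                alerts.append(("bulk_enumeration", ev["ip"], ev["path"]))
    return alerts
```

Run against the constructed sample, the probing client 203.0.113.9 produces all six alerts, while the 401 from 198.51.100.7 and the non-API request are ignored.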

Real-World Impact

For organizations that rely on MOVEit Automation to move financial statements, health records, or government filings, a successful exploitation could result in:

  • Massive data breaches exposing PII and regulated information, triggering GDPR, HIPAA, or state-level breach notification obligations.
  • Disruption of critical business processes, e.g., payroll, tax filing, or supply-chain data exchanges, leading to operational downtime and financial loss.
  • Potential ransomware extortion: attackers could encrypt files during transfer, leveraging the automation engine’s privileged access to propagate ransomware across connected systems.

Given the historical precedent of MOVEit Transfer being weaponized by the Clop ransomware gang in 2023, the industry should treat this as a high-risk scenario even before any public exploits are observed.

Expert Opinion

As a senior cybersecurity analyst, I see CVE-2026-4670 as a textbook example of why “automation-first” architectures must be designed with zero-trust principles from day one. MOVEit Automation’s API-centric design is powerful, but the lack of rigorous authentication checks creates a single point of failure that can be weaponized at scale.

The fact that over a thousand instances are exposed on the public internet highlights a broader cultural issue: many organizations deploy MFT solutions without proper segmentation, assuming the vendor’s “enterprise-grade” label equates to inherent security. This mindset is dangerous, especially when the software sits at the nexus of internal and external data flows.

From an industry perspective, we can expect two immediate trends:

  1. Accelerated Patch Adoption: Enterprises that have historically delayed MFT upgrades will now fast-track their patch cycles, driven by board-level risk assessments.
  2. Increased Demand for Managed MFT Services: Organizations lacking in-house expertise may turn to Managed Security Service Providers (MSSPs) to handle the upgrade, monitoring, and hardening of MOVEit Automation deployments.

Long-term, vendors must embed stronger defense-in-depth controls, such as mandatory mutual TLS, token-binding, and anomaly-based API throttling, to mitigate similar authentication bypasses. Until then, the onus remains on customers to enforce network segmentation, practice diligent patch management, and continuously monitor for suspicious API activity.