May 26, 2026

CVE-2026-4670: Critical MOVEit Automation Authentication Bypass Exposes MFT Servers


CVE-2026-4670 is a CVSS 9.8 authentication bypass in Progress Software MOVEit Automation that lets an unauthenticated remote attacker circumvent the platform’s credential checks and access administrative functions without a valid account. All MOVEit Automation versions up to and including 2025.1.4, 2025.0.8, and 2024.1.7 are vulnerable; patched releases were published April 30, 2026, and no workaround exists — an upgrade using the full installer is the only fix.

// 01 CVE-2026-4670: Technical Details

The vulnerability is classified as CWE-305 — Authentication Bypass by Primary Weakness — a class of flaw where the authentication mechanism itself fails to enforce the requirement. In MOVEit Automation’s case, a specially crafted request satisfies the system’s credential check without supplying valid credentials, granting the attacker access at the authentication level the request targets.

The full CVSS 3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — network-accessible, low complexity, no privileges required, and no user interaction needed. Successful exploitation yields full confidentiality, integrity, and availability impact. Airbus SecLab researchers discovered and reported both vulnerabilities covered in the Progress advisory.

The same bulletin covers a second flaw, CVE-2026-5174, a privilege escalation vulnerability that allows an already-authenticated attacker to elevate to administrative privileges. Chained, CVE-2026-4670 and CVE-2026-5174 create a complete unauthenticated-to-admin attack path.

// 02 Exploitation Status and Threat Landscape

No public proof-of-concept exploit for CVE-2026-4670 has been released at time of writing, and Progress Software reports no confirmed active exploitation. CVE-2026-4670 is not yet listed in the CISA Known Exploited Vulnerabilities catalog.

That context matters less than MOVEit’s exploitation history. In May 2023, the Cl0p ransomware group weaponized a zero-day SQL injection in MOVEit Transfer (CVE-2023-34362) within days of public disclosure, ultimately breaching over 2,000 organizations, extracting payroll records, health data, and government files at scale. MOVEit Automation and MOVEit Transfer share architectural DNA, and the Cl0p playbook — mass-scan, exploit immediately, exfiltrate before patches deploy — is documented and repeatable.

CVSS 9.8 with no authentication on a platform that routinely handles payroll data, HR records, financial transfers, and regulated healthcare files makes this a patch-before-anything-else priority regardless of exploitation status.

// 03 Who Is Affected

The following MOVEit Automation versions contain CVE-2026-4670:

  • 2025.1.x: all releases up to and including 2025.1.4
  • 2025.0.x: all releases up to and including 2025.0.8
  • 2024.1.x: all releases up to and including 2024.1.7
  • 2024.0.x and earlier: all versions prior to the 2024.1 track

MOVEit Automation is predominantly deployed on-premises in enterprise environments. Financial services, healthcare, government contractors, and logistics operators use it to automate file transfer workflows between internal systems and external partners — making a compromise here a high-volume data exfiltration event by design.

// 04 What You Should Do Right Now

  • Upgrade immediately. Apply the patched release for your version track using the full installer from Progress:
      • 2025.1.x → upgrade to 2025.1.5
      • 2025.0.x → upgrade to 2025.0.9
      • 2024.1.x → upgrade to 2024.1.8
  • Restrict network access now. If patching is delayed, firewall the MOVEit Automation web interface and API to known management IP ranges. Do not leave the administrative interface accessible from the internet.
  • Identify your installed version. Confirm which version runs on each host before patching:

# Version and install path of MOVEit Automation, read from its registry key
Get-ItemProperty "HKLM:\SOFTWARE\Progress Software\MOVEit Automation" | Select-Object DisplayVersion, InstallLocation

  • Audit authentication logs for anomalies. Look for unauthenticated or null-user sessions in MOVEit Automation’s audit log prior to applying the patch:

-- Sessions with no user identity or a non-successful authentication result, newest first
SELECT event_time, source_ip, user_id, action
FROM audit_log
WHERE user_id IS NULL OR auth_result != 'SUCCESS'
ORDER BY event_time DESC
LIMIT 500;

  • Review automation task credentials. MOVEit Automation stores SFTP, FTP, and API credentials for connected systems. If exploitation occurred, assume all stored credentials are compromised and rotate them immediately after patching.
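Once the version check above has been run across the fleet, the results need to be compared against the fixed releases the advisory names. The following is an added example (not code from the article or from Progress) that triages an inventory of host/version pairs: it parses versions numerically, maps each to its track, and reports which hosts still need the upgrade. The hostnames and versions in the sample are constructed; the advisory excerpt does not say which release the pre-2024.1 tracks should move to, so that case is flagged rather than assigned a target.

```python
"""Triage MOVEit Automation hosts against the fixed releases named in the advisory."""
from typing import NamedTuple

# Fixed release per version track, keyed by (major, minor), as listed in the advisory.
FIXED_RELEASES = {
    (2025, 1): "2025.1.5",
    (2025, 0): "2025.0.9",
    (2024, 1): "2024.1.8",
}
# Oldest track with an in-track fix; the advisory says everything below it is affected.
OLDEST_FIXED_TRACK = (2024, 1)


class Verdict(NamedTuple):
    host: str
    version: str
    status: str  # "vulnerable", "patched", "vulnerable-eol-track" or "unlisted"
    action: str


def parse_version(text: str) -> tuple[int, int, int]:
    """'2025.1.4' or '2025.1.4.0' -> (2025, 1, 4); numeric so that 2025.1.10 > 2025.1.9."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def assess(host: str, version: str) -> Verdict:
    """Classify one host by comparing its version with the fixed release for its track."""
    major, minor, patch = parse_version(version)
    track = (major, minor)
    if track in FIXED_RELEASES:
        fixed = FIXED_RELEASES[track]
        if (major, minor, patch) >= parse_version(fixed):
            return Verdict(host, version, "patched", "none")
        return Verdict(host, version, "vulnerable", f"upgrade to {fixed} with the full installer")
    if track < OLDEST_FIXED_TRACK:
        # Affected per the advisory, but no in-track fix is listed for these tracks.
        return Verdict(host, version, "vulnerable-eol-track",
                       "move to a patched track (target not stated in the advisory excerpt)")
    # Assumption: a track newer than those listed is outside the advisory's scope; review manually.
    return Verdict(host, version, "unlisted", "check the vendor advisory for this track")


def triage(inventory: list[tuple[str, str]]) -> dict[str, list[Verdict]]:
    """Group hosts by status so vulnerable ones can be patched or firewalled first."""
    grouped: dict[str, list[Verdict]] = {}
    for host, version in inventory:
        verdict = assess(host, version)
        grouped.setdefault(verdict.status, []).append(verdict)
    return grouped


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = [
        ("mft-prod-01", "2025.1.4"),
        ("mft-prod-02", "2025.1.5"),
        ("mft-dr-01", "2025.0.8"),
        ("mft-legacy", "2024.0.3"),
        ("mft-lab", "2024.1.10"),
    ]
    for status, verdicts in triage(sample).items():
        for v in verdicts:
            print(f"{status:22} {v.host:12} {v.version:10} {v.action}")
```

The numeric comparison matters: a string comparison would rank 2024.1.10 below 2024.1.8 and report a patched host as vulnerable, so the DisplayVersion value from the registry query should be fed through this parser rather than compared as text.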

// 05 Conclusion

CVE-2026-4670 is a CVSS 9.8 authentication bypass in Progress Software MOVEit Automation with no public patch-free mitigation — upgrade to 2025.1.5, 2025.0.9, or 2024.1.8 using the full installer today. Given that MOVEit products are a documented mass-exploitation target, treating this as a P0 patch is the only defensible posture before exploitation evidence emerges.

Team Ciphers Security

The Ciphers Security editorial team — practitioners covering daily threat intel, CVE deep-dives, and hands-on cybersecurity research.
