At a glance: Progress Software has disclosed a critical authentication bypass vulnerability in MOVEit Automation that enables unauthenticated, low-complexity remote access. Because the platform is widely used to transfer sensitive business data and is often internet-facing, the flaw creates a direct risk of unauthorized access and downstream compromise. While no active exploitation has been confirmed, similarities to past MOVEit attacks and the presence of legacy and end-of-life deployments increase the potential operational impact.
Threat summary
On May 4, 2026, Progress Software disclosed a critical vulnerability in MOVEit Automation, an enterprise managed file transfer (MFT) automation platform commonly deployed as an internet-facing service.
MOVEit Automation is the workflow and scheduling component used to automate and monitor data exchanges such as payroll files, financial transactions, partner integrations, and operational exports across heterogeneous environments.
The vulnerability, tracked as CVE-2026-4670, carries a CVSS v3.1 base score of 9.8 and allows unauthenticated, low-complexity remote access by bypassing authentication controls without user interaction or prior privileges.
In a worst-case scenario, adversaries could gain administrative control over MOVEit Automation, access credentials embedded in automation tasks, exfiltrate transferred data, or use the system as a pivot into connected enterprise environments.
The flaw affects MOVEit Automation versions:
- 2025.1.4 (17.1.4) and earlier
- 2025.0.8 (17.0.8) and earlier
- 2024.1.7 (16.1.7) and earlier
In other words, releases up to 2025.1.4, 2025.0.8, and 2024.1.7 are affected.
As of May 4, Progress Software reported no confirmed active exploitation and no public proof-of-concept exploit.
Analysis
MOVEit Automation is widely deployed in enterprise environments to schedule and automate file transfers without custom scripting. It shares architectural lineage with MOVEit Transfer, which was exploited at scale in 2023 by the Cl0p ransomware group.
While there is no evidence that threat actors are currently targeting this vulnerability, the historical precedent for rapid exploitation of MOVEit-related flaws increases operational risk. The flaw is remotely exploitable with low complexity and no authentication, so the barrier to exploitation is low.
Progress states that “upgrading to a patched release, using the full installer, is the only way to remediate this issue” for CVE-2026-4670, indicating that the vulnerability affects core application components rather than a single configuration setting or optional module. The full installer is the only supported method for reliably replacing the vulnerable authentication components; skipping this process leaves the system vulnerable, regardless of other changes. Note that this step requires taking the service offline during the upgrade and results in temporary interruption of automated file-transfer workflows.
Fixed releases were made available on April 30, 2026, with remediation requiring an upgrade to versions 2025.1.5, 2025.0.9, or 2024.1.8.
MOVEit Automation was previously known as “MOVEit Central” and later “Ipswitch MOVEit Central” prior to the Progress Software acquisition. Older deployments may still reference the legacy Central branding in documentation, internal inventories, or configuration paths. This legacy is relevant because long-running automation environments are often upgraded in place rather than rebuilt, allowing older components or configurations to persist across versions.
As a result, organizations may retain overlooked or unpatched instances. Verifying that no legacy MOVEit Central or Ipswitch MOVEit Central systems remain in production environments reduces the risk of missed vulnerable assets.
Prioritizing asset discovery to identify exposed MOVEit Automation instances and validating patch status across customer environments helps reduce residual risk while patching activities are underway.
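One way to validate patch status against the affected and fixed versions listed above, as an added example that is not Progress tooling or part of the original advisory. The inventory record fields (`host`, `product`, `version`), the status labels, and the function names are assumptions, as is the premise that a fixed release's internal build number carries the same patch level as its year-based version (as the page shows for 2025.1.4 and 17.1.4).

```python
import re

FIXED = {(2025, 1): 5, (2025, 0): 9, (2024, 1): 8}  # branch -> first fixed patch level
# Internal branch numbers from the page; assumes patch levels match (2025.1.4 = 17.1.4).
INTERNAL = {(17, 1): (2025, 1), (17, 0): (2025, 0), (16, 1): (2024, 1)}
LEGACY_NAME = re.compile(r"moveit\s+central", re.I)


def classify(version):
    """Return patched, vulnerable, vulnerable_no_branch_fix, unknown or unparseable."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)(?:\.\d+)*\s*", version or "")
    if not m:
        return "unparseable"
    major, minor, patch = map(int, m.groups())
    branch = (major, minor)
    if major < 2000:  # internal numbering: map onto the year-based branches
        if branch in INTERNAL:
            branch = INTERNAL[branch]
        elif branch < min(INTERNAL):
            return "vulnerable_no_branch_fix"  # older than 16.1, so "and earlier"
        else:
            return "unknown"
    if branch in FIXED:
        return "patched" if patch >= FIXED[branch] else "vulnerable"
    if branch < min(FIXED):
        return "vulnerable_no_branch_fix"  # affected, no fixed release on this branch
    return "unknown"  # branch not named in the advisory: check vendor guidance


def triage(inventory):
    """Return (host, status, legacy_branding) for records that need follow-up."""
    findings = []
    for rec in inventory:
        status = classify(rec.get("version"))
        legacy = bool(LEGACY_NAME.search(rec.get("product", "")))
        if status != "patched" or legacy:
            findings.append((rec["host"], status, legacy))
    return findings


# Constructed sample inventory; hosts and records are illustrative only.
SAMPLE = [
    {"host": "mft-01", "product": "MOVEit Automation", "version": "2025.1.5"},
    {"host": "mft-02", "product": "MOVEit Automation", "version": "17.0.8"},
    {"host": "mft-03", "product": "Ipswitch MOVEit Central", "version": "15.0.3"},
    {"host": "mft-04", "product": "MOVEit Automation", "version": ""},
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Records with a missing or unrecognized version are reported rather than assumed patched, and any record still carrying the legacy Central branding is surfaced even when its version parses as fixed.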
If MOVEit Automation was reachable from the internet, affected organizations would also benefit from reviewing MOVEit Automation audit logs for signs of unexpected access, privilege changes, or anomalous task execution.
Restricting network access to administrative interfaces, segmenting managed file transfer systems, and maintaining continuous review of vendor advisories on managed file transfer platforms further reduces operational risk.