Progress Software has released an update that addresses two security flaws in MOVEit Automation, including a critical bug that could lead to authentication bypass.
MOVEit Automation (formerly Central) is a secure, server-based managed file transfer (MFT) solution used to schedule and automate file movement workflows in enterprise environments without the need for custom scripts.
The vulnerabilities in question are CVE-2026-4670 (CVSS score: 9.8), an authentication bypass vulnerability, and CVE-2026-5174 (CVSS score: 7.7), an improper input validation vulnerability that allows privilege escalation.
“A severe and advanced vulnerability in MOVEit Automation could allow authentication bypass and/or privilege escalation via the service backend’s command port interface,” Progress Software said in an advisory. “Misuse can lead to unauthorized access, administrative control, and data leaks.”
This shortcoming affects the following versions:
MOVEit Automation <= 2025.1.4 (Fixed in MOVEit Automation 2025.1.5) MOVEit Automation <= 2025.0.8 (Fixed in MOVEit Automation 2025.0.9) MOVEit Automation <= 2024.1.7 (Fixed in MOVEit Automation 2024.1.8)
Airbus SecLab researchers Anaïs Gantet, Delphine Gourdou, Quentin Liddell, and Matteo Ricordeau are credited with discovering and reporting the two vulnerabilities. There are no workarounds to resolve the issue.
Although Progress did not mention which flaws are being exploited in the wild, it is important for users to apply the fix as soon as possible for optimal protection, especially given that previous flaws in MOVEit Transfer have been exploited by ransomware gangs like Cl0p.
Source link
