Authentication Bypass Vulnerability
Progress Software has issued urgent security patches for its MOVEit Automation file transfer solution after researchers discovered a critical authentication bypass. The flaw, tracked as CVE-2026-4670, carries a CVSS score of 9.8 and allows attackers to bypass login controls through the service backend command port interfaces. This vulnerability could grant unauthorized actors complete administrative control over affected systems without needing any credentials.
Privilege Escalation and Impact
A second vulnerability, CVE-2026-5174 (CVSS 7.7), involves improper input validation that could allow an attacker to escalate privileges once they already have some level of access. Airbus SecLab researchers Anais Gantet, Delphine Gourdou, Quentin Liddell, and Matteo Ricordeau reported both flaws. Progress Software warns that exploitation may lead to unauthorized data exposure and administrative takeover. MOVEit Automation versions 2025.1.4, 2025.0.8, and 2024.1.7 are affected, with the fixes included in versions 2025.1.5, 2025.0.9, and 2024.1.8 respectively.
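To turn the version list above into something an administrator can run against a server inventory, here is an added example (not code from Progress or from the article) that maps each release branch to its fixed build and flags hosts that still need the update. It assumes, which the summary does not state, that any build below the fixed release on a branch should be treated as needing the patch; the host inventory is constructed sample data.

```python
"""Check MOVEit Automation version strings against the fixed releases
named in the advisory summary (CVE-2026-4670, CVE-2026-5174)."""
from typing import Optional, Tuple

# Fixed release per release branch (major.minor), as stated in the summary.
FIXED_BY_BRANCH = {
    (2025, 1): (2025, 1, 5),
    (2025, 0): (2025, 0, 9),
    (2024, 1): (2024, 1, 8),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse a dotted version such as '2025.1.4' into a tuple of ints.
    Rejects anything that is not exactly three numeric components."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def assess(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_version). status is 'patched', 'vulnerable'
    or 'unknown-branch' (a branch the advisory summary does not list).
    Assumption, not stated on the page: every build below the fixed
    release on a listed branch is treated as needing the update."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return "unknown-branch", None
    fixed_str = ".".join(str(n) for n in fixed)
    if v >= fixed:
        return "patched", fixed_str
    return "vulnerable", fixed_str


if __name__ == "__main__":
    # Constructed sample inventory, e.g. exported from an asset database.
    inventory = {"mft-auto-01": "2025.1.4", "mft-auto-02": "2025.0.9",
                 "mft-auto-03": "2024.1.7", "mft-auto-04": "2023.0.2"}
    for host, ver in inventory.items():
        status, fixed = assess(ver)
        note = f" (fixed in {fixed})" if fixed else ""
        print(f"{host}: {ver} -> {status}{note}")
```

Hosts reported as `unknown-branch` fall outside the branches the advisory names and should be checked against the vendor's own release notes rather than assumed safe.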
Urgency for Patching
Although no active exploitation has been reported, Progress strongly urges immediate patching. The company previously saw its MOVEit Transfer product exploited by the Cl0p ransomware gang, which used similar vulnerabilities to compromise thousands of organizations. No workarounds exist for these flaws, making the official updates the only defense against potential attacks targeting enterprise file transfer workflows.
Source: Thehackernews