MOVEit Automation CVE-2026-4670: Unauthenticated Auth Bypass on the MFT Engine 1,400+ Customers Run

Introduction

Progress Software has shipped emergency patches for CVE-2026-4670, a CVSS 9.8 unauthenticated authentication bypass in MOVEit Automation, the workflow engine that schedules and orchestrates managed file transfers across MOVEit Transfer fleets. The bug, found by Airbus researchers on the service's backend command-port interface, lets a remote unauthenticated attacker reach the administrative surface that controls every automated transfer the platform runs. There are over 1,400 internet-exposed MOVEit Automation instances, including ones tied to U.S. state and local government — a profile that exactly matches the target list ransomware actors went after the last time Progress had a critical MOVEit advisory in 2023.

What Happened

MOVEit Automation, formerly known as MOVEit Central, is the scheduler-and-script layer that sits next to MOVEit Transfer servers and drives recurring jobs: "pull this file from this SFTP host every hour, run this transformation, push it to this S3 bucket, notify this team." Because that role demands network reach into both internal and partner systems, an Automation server tends to hold credentials, certificates, and connection profiles for half the file-movement plumbing of a typical enterprise.

Per Progress's advisory, CVE-2026-4670 is a CWE-305 "authentication bypass by primary weakness" in Automation's service backend command-port interface. The CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H translates plainly to "any network-reachable attacker, no credentials, no user clicks, full impact." Affected versions are MOVEit Automation 2025.1.x before 2025.1.5, 2025.0.0 before 2025.0.9, 2024.0.0 before 2024.1.8, and everything earlier than 2024.0.0. The fixes are 2025.1.5, 2025.0.9, and 2024.1.8; Progress notes the only supported remediation is the full installer, which means downtime, not a hot patch.

The bug was reported privately and Progress says there is no known exploitation in the wild as of disclosure. That window does not stay open long for MOVEit-branded vulnerabilities. The 2023 MOVEit Transfer SQL injection that fed Cl0p's mass exfiltration campaign was first abused within days of public disclosure, and the same actor families have continued to keep a watching brief on the Progress portfolio.

Why It Matters

An auth bypass on the orchestration plane of an MFT product is uniquely valuable to an attacker. With administrative access to MOVEit Automation, you do not need to break the transfer protocol, exploit a fileshare, or phish an operator — you can simply create a new task that copies whatever the platform already has read access to into a destination you control, and the task will run on the next scheduler tick using legitimate credentials. There is no malware, no agent, and the activity blends straight into normal scheduled-job logs.

Censys and Shadowserver telemetry put the public-facing footprint at more than 1,400 instances, with at least a dozen tied to U.S. local and state governments. Any of those that are still on a vulnerable build is currently a five-figure-record breach waiting to happen. Even instances that are "internal-only" deserve the same urgency: post-perimeter compromise via a phished VPN account or a compromised contractor laptop puts the same internal Automation surface within reach.

Who Is Affected

  • MOVEit Automation 2024.0.0 through 2024.1.7 — patch to 2024.1.8.
  • MOVEit Automation 2025.0.0 through 2025.0.8 — patch to 2025.0.9.
  • MOVEit Automation 2025.1.x prior to 2025.1.5 — patch to 2025.1.5.
  • All MOVEit Automation versions prior to 2024.0.0 — unsupported and still vulnerable; upgrade or decommission.
  • Indirectly, every MOVEit Transfer server, partner SFTP endpoint, S3 bucket, and database the Automation instance has a connection profile for, since takeover of Automation pivots into all of them.
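
A small triage helper for working through a fleet inventory against the version list above. This is added example code, not anything from Progress; the branch table is taken from the advisory versions quoted on this page, and it deliberately returns "unknown" for any branch the advisory does not name rather than guessing.

```python
# Added triage helper (not Progress's code): classifies an installed MOVEit
# Automation version against the affected/fixed versions in this advisory.
FIXED_BY_BRANCH = {  # (major, minor) -> first fixed release on that branch
    (2024, 0): "2024.1.8",   # 2024.0.x has no in-branch fix; moves to 2024.1.8
    (2024, 1): "2024.1.8",
    (2025, 0): "2025.0.9",
    (2025, 1): "2025.1.5",
}


def parse_version(s):
    """'2025.0.9' or a 4-part FileVersion like '2025.0.9.0' -> (2025, 0, 9)."""
    parts = [int(p) for p in s.strip().split(".")[:3]]
    if len(parts) != 3:
        raise ValueError(f"unrecognised version: {s!r}")
    return tuple(parts)


def triage(version):
    """Return (status, action); status is one of
    'vulnerable', 'patched', 'unsupported' or 'unknown'."""
    v = parse_version(version)
    if v < (2024, 0, 0):
        # pre-2024 builds are out of support and never receive this fix
        return ("unsupported", "upgrade to a supported branch or decommission")
    target = FIXED_BY_BRANCH.get(v[:2])
    if target is None:
        # a branch the advisory does not list: do not assume either way
        return ("unknown", "branch not covered by the advisory; check Progress's list")
    if v < parse_version(target):
        return ("vulnerable", f"apply the full installer for {target}")
    return ("patched", None)


if __name__ == "__main__":
    # constructed sample inventory, e.g. FileVersion values collected per host
    for host, ver in [("auto-host01", "2024.0.5"), ("auto-host02", "2025.0.9.0"),
                      ("auto-host03", "2023.2.1"), ("auto-host04", "2025.1.2")]:
        print(host, ver, *triage(ver))
```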

How to Protect Yourself

The only supported fix is a full-installer upgrade, so plan a maintenance window today and run the upgrade end-to-end:

# inventory: identify Automation hosts and current versions
# (-ComputerName on Get-Service is Windows PowerShell 5.1 only; under PowerShell 7 wrap
#  the same calls in Invoke-Command -ComputerName auto-host01 { ... })
Get-Service -Name 'MOVEitAutomation*' -ComputerName auto-host01 |
  Select-Object MachineName, Name, Status, StartType
(Get-Item 'C:\Program Files\MOVEit Automation\MIAutomationService.exe').VersionInfo |
  Select-Object FileVersion, ProductVersion

# pull the matching full installer for your branch from Progress's portal
# (versions: 2024.1.8, 2025.0.9, 2025.1.5 — match your existing branch)

# stop the service before upgrading
Stop-Service -Name MOVEitAutomation, MOVEitAutomationFileWatcher -Force

# run the full installer (silent example)
Start-Process -Wait -FilePath 'C:\install\MOVEitAutomation_2025.0.9.exe' `
  -ArgumentList '/quiet','/norestart','REINSTALL=ALL','REINSTALLMODE=vomus'

# restart and confirm version
Start-Service MOVEitAutomation, MOVEitAutomationFileWatcher
(Get-Item 'C:\Program Files\MOVEit Automation\MIAutomationService.exe').VersionInfo.FileVersion

While you are inside that maintenance window, take the opportunity to harden the management surface that this CVE just demonstrated is one bug away from open:

# bind the management UI and command port to localhost or a tightly scoped admin VLAN
# (registry values vary by version — check Progress's hardening guide for your release)
# example for the admin web UI on default install: allow only the admin VLAN and let the
# profile's default inbound action (block) drop everything else. Do not add an unscoped
# block rule for the same port: Windows Firewall evaluates block rules before allow rules,
# so a blanket block on 8443 would also cut off the admin VLAN.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall firewall add rule name="MOVEit Automation Admin" `
  dir=in action=allow protocol=TCP localport=8443 remoteip=10.10.50.0/24
# confirm no pre-existing allow rule still opens 8443 to any remote address
netsh advfirewall firewall show rule name=all | findstr /C:"8443"

Hunt for prior compromise. The advisory says no known in-the-wild use yet, but a quiet auth bypass is exactly the kind of thing an actor sits on. The two highest-value places to look are unexpected admin logins to Automation itself and unexpected new tasks:

# Audit log: admin logins and task create/modify events over the past 60 days;
# compare the source addresses in the messages against your known admin hosts
Get-WinEvent -FilterHashtable @{ LogName = 'MOVEit Automation'; StartTime = (Get-Date).AddDays(-60) } |
  Where-Object { $_.Message -match 'login|admin|task created|task modified' } |
  Select-Object TimeCreated, Id, Message |
  Out-GridView

# Compare current task list against last known-good export
# (Automation has an export-tasks function; diff against a backup from before the patch window)
Get-MOVEitAutomationTask | Sort-Object Name | Export-Csv .\tasks-now.csv -NoTypeInformation
# Compare-Object (alias diff) across every exported column, so both added tasks and
# changed task definitions show up; '=>' marks rows present only in the current export
$known = Import-Csv .\tasks-known-good.csv
$now   = Import-Csv .\tasks-now.csv
Compare-Object $known $now -Property ($now[0].PSObject.Properties.Name) | Format-Table -AutoSize
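
The same two hunts, written as a standalone checker you can run over exported audit lines and task exports offline. This is an added example and not Progress's code or log format: the line layout, event names and the partner host list are constructed assumptions for illustration, so map them to the fields your own Automation audit export actually carries. Because the CVE is an authentication bypass, a login record may never be written for the attacker's session, which is why task create/modify events from an unexpected source are the stronger signal.

```python
# Added hunt helper (not Progress's code). Assumes a constructed audit-line format:
#   "<ISO timestamp> <event> user=<name> src=<ip> [task=<name> dest=<host>]"
import ipaddress
import re

ADMIN_NET = ipaddress.ip_network("10.10.50.0/24")  # admin VLAN from the firewall rule above
ADMIN_EVENTS = ("admin_login", "task_created", "task_modified")
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>[a-z_]+) user=(?P<user>\S+) src=(?P<src>\S+)"
    r"(?: task=(?P<task>\S+))?(?: dest=(?P<dest>\S+))?$")


def parse(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def hunt(lines, admin_net=ADMIN_NET, known_dests=frozenset()):
    """Return findings: admin activity sourced outside the admin VLAN, and task
    create/modify events whose destination is not a known partner endpoint."""
    findings = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            findings.append(("unparsed", line))   # never silently drop odd lines
            continue
        src = ipaddress.ip_address(ev["src"])
        if ev["event"] in ADMIN_EVENTS and src not in admin_net:
            findings.append(("admin_from_outside_vlan", ev["src"], ev["event"], ev["ts"]))
        if ev["event"] in ("task_created", "task_modified") and ev["dest"] \
                and ev["dest"] not in known_dests:
            findings.append(("task_to_unknown_dest", ev["task"], ev["dest"], ev["ts"]))
    return findings


def diff_tasks(known_good, now):
    """Compare two {task_name: destination} exports (the known-good and current
    CSVs loaded into dicts); return (added, removed, changed) task names."""
    added = sorted(set(now) - set(known_good))
    removed = sorted(set(known_good) - set(now))
    changed = sorted(n for n in set(now) & set(known_good) if now[n] != known_good[n])
    return added, removed, changed


# Constructed sample lines (documentation-range IPs, not real MOVEit output)
SAMPLE = [
    "2026-04-02T03:14:07Z admin_login user=svc_admin src=10.10.50.12",
    "2026-04-02T03:15:30Z task_created user=svc_admin src=10.10.50.12 task=nightly-payroll dest=sftp.partner.example",
    "2026-04-03T02:41:55Z admin_login user=svc_admin src=198.51.100.23",
    "2026-04-03T02:43:10Z task_created user=svc_admin src=198.51.100.23 task=sync-archive dest=203.0.113.9",
]
```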

If the box was internet-reachable for any portion of the exposure window and your audit log is incomplete, treat all credentials, certificates, API keys, and connection profiles stored in Automation as compromised: rotate every one, then rotate the secrets on every endpoint those profiles authenticate to. That is a lot of work; it is also exactly what made the 2023 MOVEit incident so painful for the organisations that did not start it on day one.

For the broader fleet, this is the prompt to make sure MOVEit Automation is not internet-reachable in the first place. There is no documented use case for exposing the admin command port to the public internet — Censys finds 1,400 of them anyway. Front it with a VPN or zero-trust gateway and use Shadowserver's free daily report to confirm your IP space stays clean.
