Progress Software has released updates to address two security flaws in MOVEit Automation, including a critical bug that could result in an authentication bypass.
MOVEit Automation (formerly Central) is a secure, server-based managed file transfer (MFT) solution used to schedule and automate file movement workflows in enterprise environments without requiring any custom scripts.
The vulnerabilities in question are CVE-2026-4670 (CVSS score: 9.8), an authentication bypass vulnerability, and CVE-2026-5174 (CVSS score: 7.7), an improper input validation vulnerability that could allow privilege escalation.
“Important and excessive vulnerabilities in MOVEit Automation could enable authentication bypass and privilege escalation by way of the service backend command port interfaces,” Progress Software said in an advisory. “Exploitation could result in unauthorized entry, administrative management, and information publicity.”
The shortcomings affect the following versions:
- MOVEit Automation <= 2025.1.4 (Fixed in MOVEit Automation 2025.1.5)
- MOVEit Automation <= 2025.0.8 (Fixed in MOVEit Automation 2025.0.9)
- MOVEit Automation <= 2024.1.7 (Fixed in MOVEit Automation 2024.1.8)
Airbus SecLab researchers Anaïs Gantet, Delphine Gourdou, Quentin Liddell, and Matteo Ricordeau have been credited with discovering and reporting the two vulnerabilities. There are no workarounds that resolve the issues.
While Progress makes no mention of the issues being exploited in the wild, it is essential that users apply the fixes as soon as possible for optimal protection, particularly given that prior flaws in MOVEit Transfer have been exploited by ransomware gangs like Cl0p.



