Patch MOVEit Now Before It Becomes 2023 All Over Again
A 9.8 unauthenticated authentication bypass and a 7.7 privilege escalation flaw in MOVEit Automation chain to full administrative control. Patch this week. Upgrading via the full installer is the only fix — there is no workaround. The product family is the same one Cl0p exploited to breach 2,100 organizations in 2023.
Progress Software disclosed two critical vulnerabilities in MOVEit Automation on April 30, 2026. CVE-2026-4670 is an unauthenticated authentication bypass with a CVSS 9.8 score (CWE-305, Authentication Bypass by Primary Weakness). CVE-2026-5174 is a post-authentication privilege escalation with a CVSS 7.7 score (CWE-20, Improper Input Validation). Together, the two flaws create a chain from anonymous network access to full administrative control of MOVEit Automation instances. Both reside in the product's "service backend command port interfaces."
The single most important fact: this is the same MOVEit product family — though a different product — that Cl0p exploited in 2023 to breach 2,100 organizations and an estimated 62 million individuals (per Emsisoft figures cited by BleepingComputer). Patches are available, no in-the-wild exploitation has been reported as of this writing, and approximately 1,400 MOVEit Automation instances are exposed online per Shodan data, with more than a dozen tied to U.S. local and state government agencies. Progress is unambiguous on remediation: "Upgrading to a patched release, using the full installer, is the only way to remediate this issue. There will be an outage to the system while the upgrade is running."
MOVEit Automation Vulnerability Profile

| Detail | Information |
|---|---|
| CVE-2026-4670 | CVSS 9.8 (Critical); CWE-305 Authentication Bypass; vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2026-5174 | CVSS 7.7 (High); CWE-20 Improper Input Validation; post-authentication privilege escalation; vector AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H |
| Affected versions | MOVEit Automation ≤ 2025.1.4, ≤ 2025.0.8, ≤ 2024.1.7, all versions prior to 2024.0.0 |
| Patched versions | 2025.1.5, 2025.0.9, 2024.1.8 |
| Affected component | Service backend command port interfaces |
| Discovered by | Airbus SecLab researchers Anaïs Gantet, Delphine Gourdou, Quentin Liddell, Matteo Ricordeau (private disclosure) |
| Exposed instances (Shodan) | ~1,400 MOVEit Automation instances online; 12+ tied to U.S. local and state government agencies (per PwnDefend's Daniel Card) |
| In-the-wild exploitation | None reported as of disclosure; no public PoC at time of writing |
| Disclosed | April 30, 2026 |
The Chain: Anonymous Network Access to Full Administrative Control
The two flaws are designed to be read together. CVE-2026-4670 lets an unauthenticated remote attacker bypass authentication on MOVEit Automation's service backend command port — the interface that orchestrates file-transfer workflows. Once authenticated, CVE-2026-5174 lets that attacker escalate to administrative privileges via improper input validation. The result, as Help Net Security summarized, is a path from "no credentials" to "full administrative control" that gives access to credentials stored in MOVEit Automation tasks, sensitive business data flowing through workflows (reports, payroll, financial files), and a foothold into the wider enterprise network.
Progress's advisory carefully avoids technical specifics. The Airbus SecLab researchers who reported the flaws privately have not published a proof-of-concept. As of disclosure, neither the vendor nor the researchers have described the underlying weakness in a way that would aid mass exploitation. That window — between disclosure and public PoC — is the patch window defenders have. It typically closes faster than expected.
The 2023 Cl0p Anchor and Why This Product Family Carries History
MOVEit Automation is not the same product Cl0p exploited in 2023, but it is part of the same product family. The 2023 campaign targeted MOVEit Transfer — the secure file-transfer server — through CVE-2023-34362, a SQL injection flaw that allowed remote code execution. MOVEit Automation, by contrast, is the workflow and scheduling engine that orchestrates file movements between MOVEit Transfer servers, cloud platforms, and third-party vendors. The two products live in the same enterprise environments and frequently sit on the same network segments.
The Cl0p campaign affected approximately 2,100 organizations and an estimated 62 million individuals, according to Emsisoft estimates cited by BleepingComputer, making it one of the largest single-CVE breach events on record. The pattern that emerged then — managed file transfer (MFT) products being attractive targets because of the volume of sensitive data flowing through them, and ransomware operators racing to mass-exploit before patches roll out — is the pattern defenders should expect to see again if a public PoC for CVE-2026-4670 appears.
What "No Workaround" Actually Means
Progress's language on remediation is striking for what it does not offer. There is no configuration change that mitigates the vulnerability. There is no firewall rule that meaningfully reduces risk against a determined attacker. There is no temporary patch. The only fix is upgrading via the full installer to one of the patched versions: 2025.1.5, 2025.0.9, or 2024.1.8. Customers running versions older than 2024.0.0 must upgrade to a supported branch — there is no backported fix for those.
The Centre for Cybersecurity Belgium (CCB) recommends a compensating control for organizations that cannot patch immediately: restrict network access to MOVEit Automation, especially from the internet. That is not a remediation — it is a temporary risk reduction. Progress confirms there will be a service outage during the upgrade, which means scheduling the patch is a coordination problem, not just an IT operations one. Verify the upgrade via Web Admin → Help → About; do not rely on automated upgrade telemetry alone.
Customers with active maintenance contracts can download the upgrade via the Progress Community portal. Beazley Security, in its own advisory, classified the threat as warranting immediate patching given the product's history of being targeted. Our broader vulnerability coverage tracks the post-disclosure exploitation cycle when these patterns develop.
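Because the fix is a branch-specific upgrade rather than a single version number, fleet triage needs a version comparison that respects the three patched branches and the unsupported pre-2024.0.0 population. The script below is an added example, not Progress Software's tooling; it encodes only the affected and patched versions stated above, assumes the installed version is the "X.Y.Z" string shown under Web Admin → Help → About, and treats branches the summary does not enumerate (such as 2024.0.x) as needing a direct check of the vendor advisory rather than as safe. The hostnames and versions in the sample inventory are constructed.

```python
"""Branch-aware version triage for the MOVEit Automation advisory.

Added example, not Progress Software's code. It encodes only the version
ranges and patched releases stated in the advisory summary:
  affected  <= 2025.1.4, <= 2025.0.8, <= 2024.1.7, and everything before 2024.0.0
  patched   2025.1.5, 2025.0.9, 2024.1.8
Versions are compared numerically, field by field, because a plain string
comparison would rank "2025.1.10" below "2025.1.4".
"""
import re

# (branch prefix, last affected release in that branch, first patched release)
BRANCHES = [
    ((2025, 1), (2025, 1, 4), "2025.1.5"),
    ((2025, 0), (2025, 0, 8), "2025.0.9"),
    ((2024, 1), (2024, 1, 7), "2024.1.8"),
]
OLDEST_SUPPORTED = (2024, 0, 0)


def parse_version(text):
    """Turn the 'X.Y.Z' string shown in Web Admin > Help > About into a tuple of ints."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def triage(version_text):
    """Return (status, action) for one installed version.

    status is one of 'vulnerable', 'unsupported', 'patched' or 'unlisted'.
    """
    v = parse_version(version_text)
    if v < OLDEST_SUPPORTED:
        return "unsupported", "no backported fix; upgrade to a supported branch (2025.1.5, 2025.0.9 or 2024.1.8)"
    for prefix, last_affected, fixed in BRANCHES:
        if v[:2] == prefix:
            if v <= last_affected:
                return "vulnerable", f"upgrade to {fixed} with the full installer"
            return "patched", f"{version_text.strip()} is at or above {fixed}"
    # Branches the advisory summary does not enumerate (e.g. 2024.0.x) are not
    # assumed safe here; they need the vendor advisory consulted directly.
    return "unlisted", "branch not covered by the summary; check the Progress advisory"


def triage_fleet(inventory):
    """Triage a {hostname: version} inventory; hosts needing action sort first."""
    results = {host: triage(ver) for host, ver in inventory.items()}
    order = {"vulnerable": 0, "unsupported": 1, "unlisted": 2, "patched": 3}
    return sorted(results.items(), key=lambda kv: (order[kv[1][0]], kv[0]))


if __name__ == "__main__":
    # Constructed inventory for demonstration; hostnames and versions are made up.
    SAMPLE_INVENTORY = {
        "mft-auto-01": "2025.1.4",
        "mft-auto-02": "2025.1.5",
        "mft-auto-03": "2025.0.10",
        "mft-auto-legacy": "2023.1.2",
        "mft-auto-04": "2024.0.3",
    }
    for host, (status, action) in triage_fleet(SAMPLE_INVENTORY):
        print(f"{host:16} {status:11} {action}")
```

Feed it the version strings collected from each Web Admin → Help → About screen after the upgrade window; a host still reporting "vulnerable" or "unsupported" is a host where the full installer did not complete.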
Defender Actions for This Week
- Patch this week, not this quarter. Upgrade MOVEit Automation to the matching patched branch (2025.1.5, 2025.0.9, or 2024.1.8). Schedule the outage now — Progress confirms there is no zero-downtime path. Verify the upgraded version via Web Admin → Help → About.
- If patching this week is genuinely impossible, restrict network access to MOVEit Automation immediately. Block the service backend command port at the perimeter; allow only known internal IPs; document the compensating control in your change-management system. The CCB Belgium advisory specifically endorses this temporary measure.
- Hunt for prior compromise. Patching does not remediate historical compromise. Review MOVEit Automation audit logs for at least the past 30 days, looking for: unexpected privilege escalations on standard user accounts, successful logins from unfamiliar source IPs, anomalous activity on service backend interfaces, and unexpected task creation, modification, or credential access.
- Brief leadership on third-party-data exposure risk. MOVEit Automation tasks contain stored credentials and orchestrate data movement; compromise gives access to credentials and to whatever sensitive data flows through the automation. If your workflows handle financial, payroll, or customer data, escalate to legal and compliance now and put a regulatory-notification readiness check on the calendar in case scope expands.
- If you operate in U.S. local or state government — twelve-plus of the exposed Shodan-indexed instances are in your sector — coordinate with your state CISO and CISA's regional team. The exposure pattern is concentrated enough that targeted outreach is likely already underway.
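The "hunt for prior compromise" item above lists four signals to look for in audit logs. The script below is an added example of running those four checks over audit events; it is not Progress's tooling, and because this page does not describe MOVEit Automation's actual audit log format, the key=value event format, the field names, the event names, and the sample events and "known" network range are all constructed assumptions to be replaced with the real export format before use.

```python
"""Hunt over MOVEit Automation-style audit events for the four signals above.

Added example, not Progress's tooling. MOVEit Automation's real audit log
format is not described on this page, so the key=value event format below
and every field and event name are constructed assumptions; adapt parse_event
to the actual export before use. The detections mirror the four hunt items:
privilege escalation of standard users, logins from unfamiliar source IPs,
activity on the service backend interface, and task/credential changes.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample events (assumed format: ts=... event=... key=value ...).
SAMPLE_LOG = """\
ts=2026-05-01T08:02:11Z event=login user=ops.scheduler src=10.20.5.14 result=success
ts=2026-05-01T08:04:37Z event=task_modify user=ops.scheduler task=payroll-export src=10.20.5.14
ts=2026-05-01T21:13:02Z event=login user=svc_report src=203.0.113.77 result=success
ts=2026-05-01T21:13:09Z event=backend_command user=svc_report src=203.0.113.77 iface=service_backend_port
ts=2026-05-01T21:13:40Z event=role_change user=svc_report old_role=standard new_role=admin src=203.0.113.77
ts=2026-05-01T21:14:05Z event=task_create user=svc_report task=hr-sync src=203.0.113.77
ts=2026-05-01T21:14:30Z event=credential_read user=svc_report task=payroll-export src=203.0.113.77
ts=2026-05-01T22:00:00Z event=login user=ops.scheduler src=10.20.5.14 result=failure
"""

# Networks the organisation treats as "known" (constructed for the example).
KNOWN_NETWORKS = [ip_network("10.20.0.0/16")]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Parse one key=value event line into a dict; returns None for malformed lines."""
    fields = dict(KV_RE.findall(line))
    return fields if "event" in fields else None


def is_known_source(addr):
    """True when the source address falls inside an allow-listed internal range."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in KNOWN_NETWORKS)


def hunt(log_text):
    """Return a list of (finding_name, event) pairs for events matching a hunt signal."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        kind, src = ev["event"], ev.get("src", "")
        if kind == "login" and ev.get("result") == "success" and not is_known_source(src):
            findings.append(("login_from_unfamiliar_ip", ev))
        if kind == "role_change" and ev.get("old_role") == "standard" and ev.get("new_role") == "admin":
            findings.append(("privilege_escalation", ev))
        if kind == "backend_command":
            # Any backend-interface activity is surfaced for review, not auto-judged.
            findings.append(("service_backend_activity", ev))
        if kind in ("task_create", "task_modify", "credential_read") and not is_known_source(src):
            findings.append(("task_or_credential_change_from_unfamiliar_ip", ev))
    return findings


def users_by_finding_count(findings):
    """Rank users by how many distinct signals they triggered; one account hitting
    several signals in sequence is the pattern to escalate first."""
    tally = defaultdict(set)
    for name, ev in findings:
        tally[ev.get("user", "?")].add(name)
    return sorted(((u, len(s)) for u, s in tally.items()), key=lambda x: -x[1])


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for name, ev in found:
        print(f"{ev['ts']}  {name:45} user={ev.get('user')} src={ev.get('src')}")
    print("users to escalate:", users_by_finding_count(found))
```

In the constructed sample the same service account logs in from an unfamiliar address, touches the backend interface, gains the admin role, then creates a task and reads stored credentials within two minutes; that sequence across all four signals is what the per-user ranking is meant to pull to the top of a 30-day review.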
The CyberSignal Analysis
Signal 01 — The patch window is the disclosure window
Progress did the responsible thing: accepted a private disclosure from the researchers, coordinated patching, and wrote careful advisory language that avoids technical specifics. That gives defenders a window — typically days to a few weeks — before a public PoC appears or attackers reverse-engineer the patch. The 2023 Cl0p campaign is the precedent that should inform timing. By the time Progress disclosed the original MOVEit Transfer flaw, Cl0p had already been exploiting it for weeks. There is no evidence that pattern is repeating here, but defenders who treat "no exploitation reported" as a reason to wait until next quarter will look like the organizations that learned about Cl0p when their data appeared on a leak site.
Signal 02 — MFT products are now a recurring target class, not an incident class
Progress, Cleo, Fortra GoAnywhere, Accellion, SolarWinds Serv-U — managed file transfer products have produced consistent mass-exploitation events for the last five years. The structural reason is simple: MFT products sit on the network perimeter, hold credentials and tasks for downstream systems, and process exactly the data attackers want (financial, payroll, customer, third-party). Defenders should treat MFT instances as crown-jewel-adjacent infrastructure: dedicated patching SLAs, dedicated monitoring, network segmentation that limits blast radius. If your organization has not done a top-to-bottom MFT inventory in the last 12 months, the MOVEit Automation disclosure is the prompt.
Signal 03 — The 1,400 exposed instances are the practical risk surface
Daniel Card's Shodan data — 1,400 MOVEit Automation instances exposed online, 12-plus tied to U.S. local and state governments — is the concrete risk on which the next 30 days hinge. Not all of those instances are vulnerable; some have already patched, some have configurations that limit exposure. But the population of internet-reachable MOVEit Automation instances is the population from which any mass-exploitation campaign would draw. State and local governments running file-transfer workflows for benefits administration, public records, or vendor integrations are particularly worth flagging — these are precisely the data flows that attract ransomware operators with extortion playbooks tailored to public sector pressure.