
CRITICAL: Progress MOVEit Automation Hit by 9.8 Auth Bypass With No Workaround

Progress Software disclosed CVE-2026-4670, an unauthenticated authentication bypass in MOVEit Automation rated CVSS 9.8, alongside CVE-2026-5174, a CVSS 7.7 privilege escalation. Patch to 2025.1.5, 2025.0.9, or 2024.1.8. No workarounds exist.

By Danny Mercer, CISSP — Lead Security Analyst, May 5, 2026

If you ever wondered whether Progress Software was going to get a quiet 2026, the answer arrived on May 4 in the form of two fresh CVEs in MOVEit Automation, including a 9.8 unauthenticated authentication bypass with no workaround. Anyone who lived through the Cl0p ransomware crew's 2023 demolition of MOVEit Transfer is reading this with a familiar tension headache, and rightly so. The product line is different, the bug is different, and the attackers haven't started swinging yet, but the deployment footprint and the blast radius look uncomfortably similar.

The headline flaw is CVE-2026-4670, a critical authentication bypass tracked at CVSS 9.8 and reported by a team at Airbus SecLab consisting of Anaïs Gantet, Delphine Gourdou, Quentin Liddell, and Matteo Ricordeau. Progress describes it in the blandest possible language as a flaw that may allow authentication bypass and privilege escalation through the service backend command port interfaces, which translates from corporate advisory English into something more direct. An unauthenticated remote attacker can talk to the service backend and gain administrative access without supplying valid credentials. Attack complexity is rated low, no privileges are required, and no user interaction is needed. In CVSS-vector terms it is the worst-case shape of a remote vulnerability, the kind of finding that ends up in CISA's Known Exploited Vulnerabilities catalog within weeks once any half-competent ransomware affiliate writes a stable exploit.

Riding alongside it is CVE-2026-5174, an improper input validation issue rated CVSS 7.7 that enables privilege escalation. On its own a 7.7 doesn't usually drop everything in your week, but chained behind a pre-auth bypass it gives an attacker a clean path from outside the perimeter to owning the orchestration plane that schedules your file transfers. That second part matters more than people realize because MOVEit Automation isn't a passive file mover. It is the workflow engine that sequences transfers, runs scripts on payloads, calls APIs, archives data, and integrates with downstream systems. Compromise it and you don't just get the files in flight, you get the keys to whatever the automation jobs touch.

The vulnerable releases are MOVEit Automation 2025.1.4 and earlier, 2025.0.8 and earlier, and 2024.1.7 and earlier. Progress shipped fixes in 2025.1.5, 2025.0.9, and 2024.1.8, available through the full installer rather than an in-place patch. The advisory is explicit that no workarounds exist, which is unusually candid language for a vendor and should be read as a polite way of saying that network controls in front of the service may help but won't actually close the hole. Upgrade is the only remediation, and given that the bug lives in the backend command port interfaces, simply firewalling off the web admin UI or restricting the management console doesn't address the attack surface that researchers actually walked through.
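An added example, not code from Progress or from this article: a small Python triage of a version inventory against the affected and fixed builds listed above. The sample hostnames and versions are constructed, and the handling of release trains the advisory does not list is an assumption.

```python
# Fixed patch level per release train, from the advisory: 2025.1.5, 2025.0.9, 2024.1.8
FIXED_BY_TRAIN = {(2025, 1): 5, (2025, 0): 9, (2024, 1): 8}

def parse_version(text):
    """Parse 'year.minor.patch' into a tuple of ints; anything else is rejected."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised MOVEit Automation version: {text!r}")
    return tuple(int(p) for p in parts)

def assess(text):
    """Return (vulnerable, action) for one reported version string."""
    year, minor, patch = parse_version(text)
    fixed = FIXED_BY_TRAIN.get((year, minor))
    if fixed is None:
        # Assumption: a train the advisory does not list has no fixed build, so it needs a manual look
        return True, "train not covered by the advisory; verify support status and plan a migration"
    if patch >= fixed:
        return False, "patched"
    return True, f"upgrade to {year}.{minor}.{fixed} with the full installer"

def triage(inventory):
    """Map host -> version string into a sorted list of (host, version, action) still needing work."""
    todo = []
    for host, version in sorted(inventory.items()):
        try:
            vulnerable, action = assess(version)
        except ValueError as exc:
            vulnerable, action = True, f"could not parse version: {exc}"  # unknown build: treat as exposed
        if vulnerable:
            todo.append((host, version, action))
    return todo

# Constructed inventory for demonstration (hostnames and versions are made up)
SAMPLE_INVENTORY = {
    "mft-auto-01": "2025.1.5",
    "mft-auto-02": "2025.0.8",
    "legacy-orch": "2024.1.7",
    "dev-box": "2025.1",
}

if __name__ == "__main__":
    for host, version, action in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {version:10} {action}")
```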

There is no confirmed exploitation in the wild as of publication, and the security community is in that uneasy gap between disclosure and weaponization that defines roughly the first month of any pre-auth RCE-class bug in an enterprise file transfer product. History strongly suggests that gap closes faster every cycle. The 2023 MOVEit Transfer SQL injection, CVE-2023-34362, went from disclosure to mass exploitation by the Cl0p group within days and produced one of the largest data theft campaigns in recent memory, eventually reaching more than 2,700 organizations and tens of millions of individual records. Cl0p hasn't gone anywhere. Neither have the affiliate crews who studied that playbook and have been waiting for the next file transfer product to drop a critical advisory. MOVEit Automation just put up a 9.8 with no workarounds and a researcher writeup that names the affected component class. The window for getting ahead of this is measured in days, not weeks.

The exposure picture is harder to pin down than you might think. Unlike MOVEit Transfer, which is famously deployed as an internet-facing managed file transfer endpoint, MOVEit Automation is more often positioned as an internal orchestrator. Many shops run it on a server that talks outbound to partners and inbound to internal systems but isn't supposed to be reachable from the public internet. In theory that limits exposure. In practice, the phrase "isn't supposed to be" is doing a lot of load-bearing work in that sentence. Internet scans by various researchers since the 2023 Transfer disaster have repeatedly shown MOVEit Automation instances exposed on management ports, on default service ports, and behind reverse proxies that were never meant to publish them. Anyone running the product should not assume their deployment is internal until they have actively verified it from an external vantage point. Run an external scan against your published IP space and look for the service listening anywhere it shouldn't be.

Beyond the patch, defenders should be tightening the assumptions around the host itself. The accounts MOVEit Automation runs as, the credentials it stores for partner endpoints, the API tokens it uses for downstream systems, and the SMB or SFTP credentials it has cached are all in scope if an attacker reaches administrative control. Treat the host as a high-value identity store and not just an integration appliance. Rotate any credential the product holds after the upgrade if you have any reason to suspect the box was reachable from untrusted networks during the exposure window. Pull the service logs for the affected versions and look for unusual administrative session creation, configuration changes outside of normal change windows, and new task definitions you didn't author. There is no published indicator of compromise list yet, but anomalous administrative actions are the obvious place to start, and unusual outbound connections from the automation host to addresses outside your normal partner set are worth flagging.

Network segmentation, while not a substitute for the patch, is worth revisiting at the same time. The MOVEit Automation host should not have unrestricted egress to the internet, should not be authenticating to a tier-zero domain account, and should not be sharing a credential vault with unrelated systems. If your deployment violates any of those, the patch window is also the right window to fix the architectural issues that made the blast radius bigger than it needed to be. Detection content should include alerts on unauthenticated access attempts to the backend command ports, on creation of new administrator accounts in MOVEit, and on unscheduled task executions or configuration exports.
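An added example covering both the log review described above and the detection content listed here; it is not code from the article or from Progress. The event format, field names, sample lines and site policy values are all assumed, because the article does not describe MOVEit Automation's actual log format.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
# Constructed sample events in a hypothetical "timestamp EVENT key=value ..." format (not MOVEit's real logs)
SAMPLE_LOG = """\
2026-05-04T22:13:07Z ADMIN_SESSION user=svc_backup src=203.0.113.45
2026-05-04T22:14:11Z TASK_CREATE name=NightlyArchive author=svc_backup
2026-05-04T22:15:02Z ADMIN_USER_CREATE user=support2 by=svc_backup
2026-05-04T22:16:40Z OUTBOUND dst=198.51.100.77 port=443
2026-05-05T09:01:00Z ADMIN_SESSION user=jdoe src=10.0.5.12
2026-05-05T09:30:15Z OUTBOUND dst=192.0.2.10 port=22
2026-05-05T09:35:00Z CONFIG_EXPORT by=jdoe
"""

# Site policy (assumed values): task authors, admin source networks, partner hosts, change window (UTC, Mon-Fri)
KNOWN_AUTHORS = {"jdoe", "ops-automation"}
ADMIN_NETS = [ip_network("10.0.0.0/8")]
PARTNER_HOSTS = {ip_address("192.0.2.10"), ip_address("192.0.2.11")}
CHANGE_WINDOW = (8, 18)

def parse_line(line):
    ts, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields["event"] = event
    return fields

def in_change_window(ts):
    return ts.weekday() < 5 and CHANGE_WINDOW[0] <= ts.hour < CHANGE_WINDOW[1]

def check(ev):
    """Return an alert string for an event matching one of the hunting rules, else None."""
    e, ts = ev["event"], ev["ts"]
    if e == "ADMIN_SESSION":
        src = ip_address(ev["src"])
        if not any(src in net for net in ADMIN_NETS):
            return f"admin session from non-management address {src} ({ev['user']})"
        if not in_change_window(ts):
            return f"admin session outside change window ({ev['user']})"
    elif e == "TASK_CREATE" and ev["author"] not in KNOWN_AUTHORS:
        return f"task {ev['name']!r} created by unknown author {ev['author']}"
    elif e == "ADMIN_USER_CREATE":  # any new administrator account is worth a ticket
        return f"new administrator account {ev['user']} created by {ev['by']}"
    elif e == "CONFIG_EXPORT" and not in_change_window(ts):
        return f"configuration export outside change window by {ev['by']}"
    elif e == "OUTBOUND" and ip_address(ev["dst"]) not in PARTNER_HOSTS:
        return f"outbound connection to non-partner host {ev['dst']}:{ev['port']}"
    return None

def hunt(log_text):
    return [a for a in (check(parse_line(l)) for l in log_text.splitlines() if l.strip()) if a]
```

Running `hunt(SAMPLE_LOG)` flags the four Monday-night events from the unknown service account and leaves the in-window, in-policy Tuesday activity alone.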

The audit trail conversation is going to come up too, because it always does after a Progress advisory. If your product version is end of support or you can't get to a patched build because of dependency entanglements with custom scripts and connectors, document that in writing today, with the date and the business reason, and route it to whoever owns the risk register. The 2023 Cl0p breach generated a long tail of regulatory inquiries and lawsuits in part because organizations were running unpatched, end of support, or out of policy versions and could not produce a coherent story about why. Don't repeat that.

For MSPs and security service providers, this advisory is a reminder that managed file transfer remains one of the highest-leverage attack surfaces in the average client environment, and most clients still don't treat it that way. The conversation to have this week is straightforward. Every client running MOVEit Automation needs an inventory call, a confirmation of patch level, an external exposure scan against the published IP space, and a credential rotation plan for the service accounts the product holds. Everything else is upsell. Vulnerability management subscriptions justify themselves on weeks like this one, darkweb monitoring is an easy add for organizations whose data is the kind Cl0p historically ransoms, and a tabletop exercise built around what happens if our file transfer product is compromised on a Friday at 4 PM sells itself once you frame it as a rehearsal rather than a sales pitch. The clients who say yes to that work this month will not be the clients calling you in a panic next month.

Patch to 2025.1.5, 2025.0.9, or 2024.1.8 depending on your release train, verify externally that nothing is exposed that shouldn't be, treat any administrative session in the affected window as suspect until proven otherwise, and don't let the phrase "we have it behind a firewall" be the end of the conversation. Progress did the right thing by disclosing clearly and by stating up front that there is no workaround. The hard part now belongs to the rest of us, and the clock has been running since Monday.
