CVE-2026-4670 & CVE-2026-5174: MOVEit Automation Flaws Enable Auth Bypass and Privilege Escalation
Progress Software has disclosed and patched two vulnerabilities in MOVEit Automation, its managed file transfer automation and workflow engine. CVE-2026-4670 is an authentication bypass, and CVE-2026-5174 is a privilege escalation issue tied to improper input validation. The issues relate to MOVEit Automation’s service backend command port interface(s) and can be chained from unauthenticated access to elevated control.
This post breaks down what is confirmed, who is affected, whether exploitation is happening, and what defenders should do next.
What Are CVE-2026-4670 & CVE-2026-5174 in MOVEit Automation?
CVE-2026-4670 is classified as Authentication Bypass by Primary Weakness (CWE-305). NVD scoring references a CVSS v3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which aligns with a 9.8 (Critical) severity.
Details of CVE-2026-4670 (SOCRadar Vulnerability Intelligence)
The second vulnerability, CVE-2026-5174 (CVSS 8.8), is an Improper Input Validation (CWE-20) issue that allows privilege escalation.
Details of CVE-2026-5174 (SOCRadar Vulnerability Intelligence)
In plain terms, the concern is not “a bug exists.” It’s that MOVEit Automation may be reachable through a backend-facing interface, and these two weaknesses can potentially be combined to move from no access to administrative-level impact.
Which MOVEit Automation Versions Are Affected?
The affected version ranges overlap heavily, but CVE-2026-5174 includes an additional affected branch (2025.1.x) that is not listed for CVE-2026-4670.
Affected versions for CVE-2026-4670
- 2025.0.0 before 2025.0.9
- 2024.0.0 before 2024.1.8
- Versions prior to 2024.0.0
Affected versions for CVE-2026-5174
- 2025.1.0 before 2025.1.5
- 2025.0.0 before 2025.0.9
- 2024.0.0 before 2024.1.8
- Versions prior to 2024.0.0
Fixed versions
- 2025.1.5
- 2025.0.9
- 2024.1.8
If you run MOVEit Automation and you are below the fixed version for your branch, treat the system as a high-priority upgrade, especially if the backend interface is reachable from untrusted networks.
How Does the Exploit Chain Work?
Reports consistently point to MOVEit Automation’s service backend command port interface(s) as the main attack surface. While detailed exploit steps have not been published, the chain described across coverage is consistent:
Step 1: Unauthenticated access via CVE-2026-4670
CVE-2026-4670 can allow an attacker to bypass authentication. For defenders, the key point is that the vector implies no prior credentials and no user interaction, so exposure and network reachability heavily influence risk.
Step 2: Escalation via CVE-2026-5174
CVE-2026-5174 can allow privilege escalation through improper input validation. In a chain, it can turn initial access into higher-privilege control.
Likely outcome: Administrative control and data exposure
When chained, reporting suggests an attacker could reach administrative control and expose data. In MOVEit Automation deployments, that can include sensitive files moved by workflows and potentially credentials stored in automation tasks, depending on configuration.
Is There Confirmed In-The-Wild Exploitation Yet?
As of May 5, 2026, there is no confirmed in-the-wild exploitation publicly acknowledged. There is also no threat actor attribution in the available sources.
Even so, “unconfirmed exploitation” should not be read as “low risk.” Auth bypass issues on network-accessible backend interfaces often become attractive targets once enough technical detail is available, including through patch analysis.
Use SOCRadar Vulnerability Intelligence to Track MOVEit Risk
MOVEit has a history of drawing attacker attention after serious flaws become public, so defenders should not rely only on patch notices or CVSS scores. SOCRadar’s Cyber Threat Intelligence module helps your organization follow CVE details, exploit availability, Proof-of-Concept (PoC) activity, and threat actor interest as the situation develops. For CVE-2026-4670 and CVE-2026-5174, this can help teams decide which systems need the fastest action, especially where MOVEit Automation is reachable from broad internal networks or the internet.
SOCRadar Attack Surface Management (ASM) can also help identify exposed MOVEit-related assets and reduce unnecessary access to sensitive backend interfaces.
What Should Defenders Do Now to Reduce Risk?
Prioritize upgrade planning, including downtime
Progress guidance repeated in coverage is operationally important: upgrading with the full installer is the only way to remediate, and organizations should expect a system outage during upgrade. There is no simple mitigation switch to flip.
Action items:
- Identify all MOVEit Automation instances and their versions.
- Schedule upgrades to 2025.1.5, 2025.0.9, or 2024.1.8 as appropriate.
- Prioritize systems where backend interfaces are internet-reachable or broadly reachable internally.
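The version ranges above and the three action items can be turned into a small triage script. The following is an added example, not code from Progress or SOCRadar: it encodes the affected and fixed versions exactly as listed in this post, classifies each inventory entry by exposure, and sorts affected hosts so internet-reachable ones come first. The hostnames, the `exposure` field and its three classes are constructed for illustration, and sending installs older than 2024.0.0 to the newest fixed release (2025.1.5) is an assumption, since the advisory lists no branch-specific fix for them.

```python
"""Triage a MOVEit Automation inventory against the affected/fixed versions above.
Added example, not Progress or SOCRadar code. Hostnames, the exposure classes and
the inventory rows are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as listed in the post: (lower bound inclusive, upper bound exclusive).
# A lower bound of None means "every version before the upper bound".
AFFECTED: Dict[str, List[Tuple[Optional[Version], Version]]] = {
    "CVE-2026-4670": [
        ((2025, 0, 0), (2025, 0, 9)),
        ((2024, 0, 0), (2024, 1, 8)),
        (None, (2024, 0, 0)),
    ],
    "CVE-2026-5174": [
        ((2025, 1, 0), (2025, 1, 5)),  # the extra branch only CVE-2026-5174 lists
        ((2025, 0, 0), (2025, 0, 9)),
        ((2024, 0, 0), (2024, 1, 8)),
        (None, (2024, 0, 0)),
    ],
}

# Fixed release per affected branch (2024.0.x and 2024.1.x both fix in 2024.1.8).
FIXED: Dict[Tuple[int, int], Version] = {
    (2025, 1): (2025, 1, 5),
    (2025, 0): (2025, 0, 9),
    (2024, 1): (2024, 1, 8),
    (2024, 0): (2024, 1, 8),
}
NEWEST_FIXED: Version = (2025, 1, 5)  # assumption: pre-2024 installs go to the newest fix

# Assumed exposure classes; lower rank is patched first.
EXPOSURE_RANK = {"internet": 1, "broad_internal": 2, "restricted": 3}


def parse_version(text: str) -> Version:
    """'2025.1.3' -> (2025, 1, 3); shorter strings are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {text!r}")
    padded = parts + [0] * (3 - len(parts))
    return (padded[0], padded[1], padded[2])


def affected_cves(version: str) -> List[str]:
    """CVEs whose affected ranges contain this version (empty if fixed or unaffected)."""
    v = parse_version(version)
    return [
        cve for cve, ranges in AFFECTED.items()
        if any((lo is None or v >= lo) and v < hi for lo, hi in ranges)
    ]


def target_version(version: str) -> Optional[str]:
    """Fixed release to upgrade to, or None when the version is not affected."""
    if not affected_cves(version):
        return None
    v = parse_version(version)
    fixed = FIXED.get((v[0], v[1]), NEWEST_FIXED)
    return ".".join(str(n) for n in fixed)


@dataclass
class Host:
    name: str
    version: str
    exposure: str  # one of the EXPOSURE_RANK keys


def triage(hosts: List[Host]) -> List[dict]:
    """Affected hosts only, most exposed first, with the CVEs and the fix to apply."""
    rows = []
    for h in hosts:
        cves = affected_cves(h.version)
        if not cves:
            continue
        rows.append({
            "host": h.name,
            "version": h.version,
            "priority": f"P{EXPOSURE_RANK[h.exposure]}",
            "cves": cves,
            "upgrade_to": target_version(h.version),
        })
    rows.sort(key=lambda r: (r["priority"], r["host"]))
    return rows


# Constructed inventory for illustration.
INVENTORY = [
    Host("mft-edge-01", "2025.0.3", "internet"),
    Host("mft-core-02", "2025.1.2", "broad_internal"),
    Host("mft-lab-03", "2025.1.5", "restricted"),
    Host("mft-old-04", "2023.0.1", "restricted"),
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(row)
```

Feed it your real inventory (name, reported version, exposure class) and the output is the patch order: anything tagged P1 is both vulnerable and internet-reachable, which is exactly the combination the CVSS vector for CVE-2026-4670 (network, no privileges, no interaction) makes most urgent. Note that 2025.1.2 comes back affected by CVE-2026-5174 only, matching the additional branch in the advisory.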
Reduce exposure if you cannot patch immediately
Compensating controls do not fix the vulnerabilities, but they can reduce the attack surface:
- Restrict network access to MOVEit Automation, with special focus on preventing internet exposure of the relevant interfaces.
- Limit access to required management networks and approved jump hosts.
- Recheck firewall rules and segmentation around the Automation server.
Increase monitoring for suspicious patterns
Because there are no strong public IoCs, focus on behavior:
- Review MOVEit Automation audit logs for unusual access patterns.
- Watch for unexpected privilege changes or administrative actions that don’t match normal workflows.
- Investigate anomalous activity tied to the backend service interfaces, especially if the system is externally reachable or was recently exposed.
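With no public IoCs, the practical approach to the three bullets above is a baseline-and-deviation review: learn which accounts normally perform which actions from which addresses, then flag administrative actions that fall outside that baseline or arrive from outside the management networks. The script below is an added example, not SOCRadar or Progress code. Its key=value line layout, the action names in `ADMIN_ACTIONS` and the sample events are all constructed for illustration; they are not MOVEit Automation's real audit log schema, so map the field names to whatever your export actually contains.

```python
"""Baseline-and-deviation review of administrative activity around a MOVEit
Automation server. Added example; the line format, the action names and the
sample events are constructed, not MOVEit Automation's real audit log schema."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Assumed names for actions that change privileges, users or workflows.
ADMIN_ACTIONS = {"user_create", "role_change", "task_modify", "config_change"}

Baseline = Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]


def parse_line(line: str) -> Dict[str, str]:
    """'<timestamp> key=value key=value ...' -> dict with 'ts' plus the fields."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = ts
    return event


def build_baseline(lines: List[str]) -> Baseline:
    """Per account: the actions it normally performs and the sources it comes from."""
    actions: Dict[str, Set[str]] = defaultdict(set)
    sources: Dict[str, Set[str]] = defaultdict(set)
    for e in map(parse_line, lines):
        actions[e["account"]].add(e["action"])
        sources[e["account"]].add(e["src"])
    return actions, sources


def find_anomalies(baseline: Baseline, lines: List[str], mgmt_nets: List[str]) -> List[dict]:
    """Flag admin actions new to an account, first-seen source addresses, and admin
    actions from outside the management networks; each finding lists every reason hit."""
    actions, sources = baseline
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    findings = []
    for e in map(parse_line, lines):
        acct, action, src = e["account"], e["action"], e["src"]
        is_admin = action in ADMIN_ACTIONS
        reasons = []
        if is_admin and action not in actions.get(acct, set()):
            reasons.append("admin action not in this account's baseline")
        if src not in sources.get(acct, set()):
            reasons.append("first-seen source address for this account")
        if is_admin and not any(ipaddress.ip_address(src) in n for n in nets):
            reasons.append("admin action from outside management networks")
        if reasons:
            findings.append({"ts": e["ts"], "account": acct, "action": action,
                             "src": src, "reasons": reasons})
    return findings


# Constructed sample events: a known-good period, then the window under review.
BASELINE_LINES = [
    "2026-04-28T08:00:00Z account=svc_mft action=task_run src=10.0.5.20 result=ok",
    "2026-04-28T09:30:00Z account=admin.jane action=task_modify src=10.0.9.5 result=ok",
    "2026-04-29T08:00:00Z account=svc_mft action=task_run src=10.0.5.20 result=ok",
    "2026-04-30T11:00:00Z account=admin.jane action=config_change src=10.0.9.5 result=ok",
]
REVIEW_LINES = [
    "2026-05-04T08:00:00Z account=svc_mft action=task_run src=10.0.5.20 result=ok",
    "2026-05-04T02:13:00Z account=svc_mft action=role_change src=203.0.113.44 result=ok",
    "2026-05-04T09:00:00Z account=admin.jane action=task_modify src=10.0.9.5 result=ok",
    "2026-05-04T09:05:00Z account=admin.jane action=user_create src=10.0.9.5 result=ok",
]
MGMT_NETS = ["10.0.9.0/24"]  # assumed management network for the example

if __name__ == "__main__":
    for finding in find_anomalies(build_baseline(BASELINE_LINES), REVIEW_LINES, MGMT_NETS):
        print(finding)
```

On the constructed data, the service account performing a role change from an address it has never used, outside the management network, trips all three checks at once; the administrator creating a user is flagged on a single check, which is the kind of low-severity, review-it-anyway signal that should be reconciled against change tickets rather than ignored. The baseline period must itself predate any suspected exposure, otherwise an attacker's activity becomes "normal".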
