Progress warns of a critical MOVEit Automation authentication bypass and urges upgrades to patched releases.
A critical authentication bypass flaw in MOVEit Automation is the kind of bug enterprise teams cannot afford to treat as “sometime later” work.
In an advisory. Misryoum reports that Progress Software is warning customers to patch a vulnerability that could let remote attackers bypass authentication on its enterprise-grade managed file transfer (MFT) platform.. MOVEit Automation is designed to automate data workflows and orchestrate file transfers across systems such as internal servers. cloud storage. and external partners. making it a central piece in many organizations’ operational pipelines.
Misryoum notes that the issue, tracked as CVE-2026-4670, impacts MOVEit Automation versions prior to 2025.1.5, 2025.0.9, and 2024.1.8.. Progress says the flaw can be exploited remotely without privileges on the target system. and that attacks can be carried out with low complexity and without requiring user interaction.
The immediate takeaway is straightforward: when an MFT platform is involved, “authentication bypass” is more than a technical detail. It can turn access controls meant to protect sensitive data into a doorway for unauthorized activity.
Progress also emphasizes that remediation requires upgrading to the latest patched release, using the full installer. The vendor warns customers to expect an outage while the upgrade is running, which means scheduling matters for teams that rely on ongoing transfer workflows.
In parallel. Misryoum reports that Progress released additional security updates the same day to address a separate high-severity privilege escalation issue in MOVEit Automation. identified as CVE-2026-5174.. This stems from an improper input validation weakness. underscoring that multiple classes of risk are being addressed at once rather than as isolated problems.
For security teams. this serves as a reminder that MFT deployments can be exposed to the internet and are often attractive targets for broader campaigns.. Misryoum points out that previous MOVEit MFT vulnerabilities have been used in real-world attacks. including ransomware-led data theft incidents targeting other MFT products.
The bigger risk is operational: even if exploitation is not confirmed. delaying patches for an authentication bypass leaves systems vulnerable during business-critical windows.. Misryoum recommends prioritizing MOVEit Automation upgrades in the same way teams handle urgent vulnerabilities in core identity and access layers.