A critical authentication bypass vulnerability (CVE-2026-4670, CVSS 9.8) in Progress MOVEit Automation allows remote attackers to gain unauthorized system access without privileges or user interaction. Affected versions are Progress MOVEit Automation before version 2024.1.8 and versions 2025.0.0 through 2025.1.4. Progress Software has remediated this flaw, along with a high-severity privilege escalation vulnerability (CVE-2026-5174), in the patched versions 2024.1.8 and 2025.1.5.
Vulnerability Management , Patch/Configuration Management Progress Software warns of critical MOVEit Automation vulnerability May 5, 2026 Share By SC Staff (Stock Photo, Getty Images) As reported by Bleeping Computer, Progress Software has issued a critical security alert regarding an authentication bypass vulnerability in its MOVEit Automation software. This flaw allows remote attackers to gain unauthorized access to systems without requiring any privileges or user interaction. The vulnerability, tracked as CVE-2026-4670, affects multiple versions of MOVEit Automation. Progress Software strongly recommends upgrading to the latest patched version to remediate the issue, noting that an outage will occur during the upgrade process. Additionally, a separate high-severity privilege escalation vulnerability (CVE-2026-5174) was addressed in the same advisory. Cybersecurity consultant Daniel Card identified over 1,400 MOVEit Automation instances exposed online, with more than a dozen linked to U.S. local and state government agencies. While there is no current information on exploitation, past MOVEit vulnerabilities have been heavily exploited, notably by the Clop ransomware gang in 2023, impacting thousands of organizations. Managed file transfer (MFT) software remains a prime target for threat actors due to the sensitive data it handles. Source: Bleeping Computer SC Staff Related AI/ML NCSC warns AI accelerates vulnerability discovery, prompting urgent patch wave SC Staff May 5, 2026 The NCSC highlights that skilled attackers leveraging AI can identify software weaknesses at an unprecedented pace. Vulnerability Management CISA reportedly considers 3-day patch deadline for KEV flaws Laura French May 5, 2026 Officials are considering how AI tools like Claude Mythos could shorten exploit timelines, Reuters reports. Vulnerability Management Copy Fail bug added to CISA’s list of known exploited vulnerabilities Steve Zurier May 4, 2026 CISA flags “Copy Fail” Linux bug as exploited, urging immediate patching across systems. Get daily email updates SC Media's daily must-read of the most current and pressing daily news Business Email By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy . Subscribe Related Terms Bug Buffer Overflow Disassembly You can skip this ad in 5 seconds