Critical Security Alert: Security Flaws Discovered in Progress MOVEit Automation
Progress Software has issued a critical security alert regarding its MOVEit Automation software. Two severe vulnerabilities have been discovered that could allow attackers to bypass authentication and escalate their privileges. Because of the critical nature of these flaws, administrators are urged to apply the latest security patches immediately to prevent unauthorized access and sensitive data exposure.
The Vulnerabilities Explained
The security bulletin released on April 30, 2026, highlights two distinct vulnerabilities discovered by researchers at Airbus SecLab. The technical breakdown of these flaws is as follows:
- Authentication Bypass (CVE-2026-4670): The first vulnerability allows adversaries to circumvent standard login protocols.
- Privilege Escalation (CVE-2026-5174): The second vulnerability stems from improper input validation, allowing users to elevate their rights beyond standard permissions.
Both of these security gaps exist within the service backend command port interfaces of the software. If a cybercriminal successfully exploits these weaknesses, they can gain administrative control over the system. This level of unauthorized access poses a massive risk, as it can lead directly to sensitive data exposure and full network compromise. Administrators should monitor their system audit logs for signs of unexpected privilege changes or unusual activity.
Assessment and Mitigation
These vulnerabilities impact multiple versions of MOVEit Automation. Progress Software has released patched versions to address both the authentication bypass and the privilege escalation flaws. Organizations must review their current installations and update to the corresponding secure release.
Verifying Your Version
To verify which version is currently running, administrators can open the MOVEit Automation Web Admin portal, navigate to the Help menu, and check the About section.
Applying the Fix
The only way to completely fix these issues is by upgrading to a patched release using the full installer provided by Progress Software. The development team strongly recommends that all customers under active maintenance access the Progress Community portal to download the necessary updates.
Operational Considerations
Administrators must prepare for a temporary system outage. The upgrade process requires taking the system offline while the full installer runs. Customers who do not have a current maintenance agreement should contact a Progress sales representative or their partner immediately to resolve their licensing and secure their systems.
Staying Ahead of Threats
Finally, organizations can sign up for the Progress Alert and Notification Service to receive future security updates directly via email. Proactive monitoring is the best defense against evolving cyber threats.