
Software developer Progress has issued a warning about a critical security vulnerability in MOVEit Automation that allows an attacker to bypass authentication and gain access to corporate systems.
- Critical bug in MOVEit Automation lets hackers bypass login and access corporate systems.
- Second flaw allows privilege escalation once inside.
- Same software hit by Cl0p ransomware in 2023, affecting 2,700+ organizations and 96 million people.
MOVEit Automation is a software solution used by organizations and businesses for exchanging files between internal systems, external partners, and cloud platforms.
According to Progress’s Security Bulletin, the security vulnerability, CVE-2026-4670, allows an unauthorized party to bypass authentication and gain access to an organization’s system without entering login credentials.
The security flaw affects MOVEit Automation versions before 2025.1.5, 2025.0.9, and 2024.1.8.
The software developer also points to a second vulnerability, tracked as CVE-2026-5174. This is a privilege escalation vulnerability: a security flaw that lets a user or attacker who already has access to a system gain higher access rights than they are supposed to have.
Companies and organizations are urged to install the updates that have been made available.
“We have addressed the vulnerability, and the Progress MOVEit Automation team strongly recommends performing an upgrade to the latest version. Upgrading to a patched release, using the full installer, is the only way to remediate this issue. There will be an outage to the system while the upgrade is running,” Progress says.
This isn’t the first time Progress has had to deal with a critical vulnerability in its software.
In May 2023, the software developer disclosed that MOVEit Transfer contained a zero-day vulnerability that enabled unauthorized users to manipulate the MOVEit Transfer database via SQL injection, allowing them to steal confidential data.
According to security firm Emsisoft, the ransomware extortion group Cl0p managed to hack the MOVEit servers of over 2,700 organizations, affecting approximately 96 million people. The zero-day bug affected high-profile customers, such as CCleaner, ING Bank, Shell, Siemens Energy, Sony, and TomTom.