Progress MOVEit Automation, unauthenticated authentication bypass (MOVEit Automation Auth Bypass)

Overview

Progress MOVEit Automation is the scheduling and workflow engine that drives MOVEit Transfer file-movement tasks across enterprise environments. CVE-2026-4670 is a critical authentication bypass (CWE-305, Authentication Bypass by Primary Weakness) that allows a remote, unauthenticated attacker to reach privileged functionality on the MOVEit Automation service backend command port without supplying valid credentials. Progress disclosed the flaw in its April 2026 critical security alert bulletin (alongside the related privilege-escalation issue CVE-2026-5174) and rates it CVSS 3.1 9.8. Given the file-transfer ecosystem's history as a high-value target for data-theft and extortion campaigns, the vulnerability warrants immediate remediation even though it was not under active exploitation at disclosure.

Technical Details

The weakness resides in the authentication handling of the MOVEit Automation service backend command port. The primary authentication control can be bypassed, so an attacker who can reach the listening service over the network is able to invoke privileged operations as if already authenticated. Because the flaw is a "primary weakness" bypass, no secondary credential, token, or session is required; the attacker simply sidesteps the gate entirely. The NVD primary metrics describe an attack that is network-accessible (AV:N), low-complexity (AC:L), requires no privileges (PR:N) and no user interaction (UI:N), with high impact to confidentiality, integrity, and availability (C:H/I:H/A:H). The maximum CVSS 3.1 base score is therefore 9.8. Exploitation grants administrative control of the automation engine, which orchestrates credentialed connections to downstream file stores and partners.

Impact

• Complete bypass of authentication on the MOVEit Automation backend command port by an unauthenticated, remote attacker.
• Administrative control over the file-transfer automation engine and its scheduled tasks.
• Access to, modification of, and redirection of sensitive automated file transfers, enabling data theft or tampering.
• Potential pivot into connected systems and partner endpoints whose credentials are managed by MOVEit Automation.
• High impact to confidentiality, integrity, and availability of transferred data and the automation service.

Mitigation

1. Upgrade MOVEit Automation 2025.1.x deployments to 2025.1.5 (17.1.5) or later.
2. Upgrade MOVEit Automation 2025.0.x deployments to 2025.0.9 (17.0.9) or later.
3. Upgrade MOVEit Automation 2024.1.x and earlier deployments to 2024.1.8 (16.1.8) or later.
4. Restrict network exposure of the MOVEit Automation service and its backend command port to trusted management networks only; never expose it directly to the internet.
5. After patching, rotate any credentials, API keys, and tokens stored by or accessible to the automation engine, and review scheduled task definitions for unauthorized changes.

Detection

Because this is a pre-authentication bypass, the most reliable signal is exposure assessment combined with version verification. First, inventory every MOVEit Automation host and confirm the installed build against the fixed releases (2025.1.5, 2025.0.9, 2024.1.8); any host below those builds is vulnerable. Determine which of those hosts have their service or backend command port reachable from untrusted networks, since internet-exposed instances are the highest priority.

For network-level detection, monitor connections to the MOVEit Automation backend command port from unexpected source addresses, particularly external or non-management ranges. Sudden administrative-style operations (new or modified tasks, host definitions, or credential entries) that are not tied to an authenticated, logged operator session are a strong indicator of abuse. Correlate task-configuration changes in the MOVEit Automation audit log with the corresponding application authentication events; a privileged change with no preceding successful interactive login suggests the authentication gate was bypassed.

Review MOVEit Automation and underlying web/service logs for requests that invoke privileged endpoints but lack an associated authenticated session identifier. Watch for anomalous outbound transfers, newly created destinations, or redirected file flows that move data to attacker-controlled hosts. On the host itself, alert on the MOVEit service spawning unexpected child processes or writing files outside its normal working directories.

Because MOVEit products have repeatedly been targeted for mass data exfiltration, treat any confirmed unauthenticated access as a potential breach: capture volatile artifacts, preserve logs before rotation, and hunt for staged archives or unusual compression activity. After upgrading, validate the fix by confirming that requests to the backend command port without valid authentication are rejected, and continue to monitor for scanning activity probing the affected port, which often follows public disclosure of file-transfer vulnerabilities. Subscribe to the Progress security alert bulletin so future MOVEit advisories are caught and remediated promptly.