Why We Can't Keep Patching MOVEit and Calling it a Day
Here's the thing about critical vulnerabilities: they're not all created equal. Some are one-offs, a specific bug in a specific feature. Others, like the latest authentication bypass in Progress's MOVEit Automation, feel like a recurring pattern that demands a deeper look. We're seeing a critical flaw (CVE-2026-4670) with a CVSS score of 9.8, alongside a high-severity privilege escalation (CVE-2026-5174) at 7.7. These were found by the Airbus SecLab team – Anaïs Gantet, Delphine Gourdou, Quentin Liddell, and Matteo Ricordeau – and Progress has released patches.
But honestly, I'm tired. And I know a lot of you are too. There's a palpable sense of "MOVEit fatigue" out there. I see it in the forums, the private chats. People are asking: again? Why are we still here, dealing with critical flaws in a product that's supposed to be a secure conduit for sensitive data?
The Latest Incident: MOVEit Automation Auth Bypass and Unauthenticated Admin Access
Here's what matters about what happened. The core issue here is CVE-2026-4670, an authentication bypass in MOVEit Automation. This isn't some obscure edge case. This flaw lets an unauthenticated remote attacker gain administrative control. Think about that for a second: no credentials needed, just direct access to the service backend command port interfaces.
The attack chain is straightforward, and that's what makes it so dangerous:
- An attacker identifies an exposed MOVEit Automation instance. (And yes, there are reportedly over 1,400 of them online, some linked to U.S. government agencies.)
- They exploit the authentication bypass vulnerability (CVE-2026-4670) to gain unauthorized access to the backend command port.
- Once in, they can achieve administrative control. This isn't just viewing data; it's full control over the system.
- From there, they can exfiltrate data, modify configurations, or even use the system as a pivot point for further network compromise.
On top of that, CVE-2026-5174, an improper input validation bug, allows for privilege escalation. While not as immediately critical as the bypass, it means an attacker who might have limited access could then elevate their privileges, potentially to full administrative control. It's a secondary path to the same bad outcome.
The Real Impact: Beyond the Immediate Patch
The immediate impact is clear: if you're running MOVEit Automation versions older than 2025.1.5, 2025.0.9, or 2024.1.8, you need to patch. Progress says there are no workarounds, and the fix requires a full installer, which means a system outage. That's a disruption, but it's a non-negotiable one.
The broader impact, though, is what keeps me up. MOVEit products are designed for Managed File Transfer (MFT), meaning they handle the secure movement of sensitive data for thousands of organizations. When these systems have critical authentication bypasses, like the latest MOVEit Automation auth bypass, it's not just a software bug; it's a direct threat to data confidentiality and integrity across entire supply chains.
We've seen this movie before. The 2023 Cl0p attacks on MOVEit Transfer, which exploited similar types of flaws, led to widespread data theft affecting millions of individuals and thousands of organizations. While Progress states there's no evidence of active exploitation for these specific vulnerabilities yet, the history here makes that a cold comfort. Attackers know MOVEit is a target-rich environment.
The Perpetual Patch Cycle and Eroding Trust
This isn't an isolated incident. It's a pattern. Progress has been issuing critical patches for MOVEit products repeatedly, and this continuous stream of high-severity vulnerabilities, especially authentication bypasses and privilege escalations, points to something deeper than individual bugs. Securing Managed File Transfer (MFT) solutions is inherently complex, given their role as critical data conduits. But a consistent pattern of authentication bypasses and privilege escalations, like the recurring MOVEit Automation auth bypasses, suggests fundamental weaknesses in the security development lifecycle (SDL) or architectural design choices that prioritize functionality over robust security at every layer. This isn't just about finding a bug; it's about the environment in which these bugs are allowed to thrive.
For organizations, this creates a significant operational burden. Each critical patch means emergency change management, testing, and system outages. It's not just the cost of the software; it's the cumulative cost of constantly reacting to these incidents. It makes maintaining business continuity a constant challenge.
And then there's the trust factor. When a critical enterprise solution like MOVEit consistently has these kinds of flaws, it erodes confidence. Organizations rely on these tools to be secure by design, not just secure after the tenth emergency patch. The lack of detailed public technical specifics for the current flaw, compared to how quickly PoCs for past ones emerged, also raises questions about transparency. We need to understand the root cause, not just apply a bandage.
What We Need to Change
Patching is the immediate answer, yes. If you're running MOVEit Automation, you need to upgrade to the latest fixed versions: 2025.1.5, 2025.0.9, or 2024.1.8. Do it now; Progress's official advisory on the MOVEit Automation auth bypass has the details.
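As an added example (not from this post and not Progress's code), here is a small triage helper that classifies installed MOVEit Automation builds against the fixed versions named here and in the impact section above. The branch-to-fix mapping, hostnames and inventory are constructed assumptions for the demonstration.

```python
# Triage helper for the advisory above: constructed example, not Progress's code.

# Fixed build per release branch (major.minor), as the advisory lists them.
FIXED_BY_BRANCH: dict[tuple[int, int], tuple[int, ...]] = {
    (2025, 1): (2025, 1, 5),
    (2025, 0): (2025, 0, 9),
    (2024, 1): (2024, 1, 8),
}
OLDEST_FIXED_BRANCH = min(FIXED_BY_BRANCH)

def parse_version(text: str) -> tuple[int, ...]:
    """'2025.1.3' -> (2025, 1, 3); rejects anything that is not dotted integers."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"unrecognised version string: {text!r}")
    return parts

def assess(version_text: str) -> str:
    """Classify one build as 'patched', 'vulnerable' or 'not-covered'.
    Branches older than 2024.1 have no in-branch fix listed, so they are vulnerable
    and need an upgrade to a fixed branch; branches the advisory does not name are
    reported as not-covered rather than guessed at."""
    v = parse_version(version_text)
    branch = (v[0], v[1])
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return "vulnerable" if branch < OLDEST_FIXED_BRANCH else "not-covered"
    # Pad '2025.1' to (2025, 1, 0); tuple comparison is lexicographic.
    padded = v + (0,) * (len(fixed) - len(v))
    return "patched" if padded >= fixed else "vulnerable"

def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by assessment so the ones needing an outage window stand out."""
    groups: dict[str, list[str]] = {}
    for host, ver in inventory.items():
        groups.setdefault(assess(ver), []).append(host)
    return groups

# Constructed inventory; hostnames and versions are made up for the demonstration.
SAMPLE_INVENTORY = {
    "mft-prod-01": "2025.1.4",
    "mft-dr-01": "2025.0.9",
    "mft-legacy-01": "2024.1.7",
    "mft-lab-01": "2023.1.2",
}

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:>12}: {', '.join(hosts)}")
```

Feed it whatever your CMDB or agent reports as the installed build; anything that comes back "not-covered" should be checked against the advisory by hand rather than assumed safe.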
But beyond that, we need a deeper conversation about MFT security. Organizations need to evaluate their reliance on single-vendor solutions, especially those with a history of recurring critical flaws. This means:
- Architectural Review: Look at your MFT deployment. Is it segmented? Are the backend interfaces exposed unnecessarily, making it easier for an attacker to exploit a MOVEit Automation auth bypass?
- Defense in Depth: Assume compromise. What controls do you have around your MFT solution? Think about network segmentation, strong access controls, and continuous monitoring for anomalous activity.
- Vendor Accountability: We need vendors to move beyond just patching and address the underlying systemic issues that lead to these recurring vulnerabilities. This means more rigorous security development lifecycles, more thorough internal audits, and perhaps more transparency about root causes. True accountability would involve a commitment to a 'secure by design' philosophy, where security is not an afterthought but an integral part of every development phase, from conception to deployment. This includes proactive threat modeling, extensive penetration testing by independent third parties, and a willingness to share more technical details about vulnerabilities to help customers better understand and mitigate risks.
The current cycle of critical MOVEit patches isn't sustainable. We can't keep playing whack-a-mole with authentication bypasses in systems that handle our most sensitive data. It's time to demand more from our MFT solutions and to build more resilient strategies that don't rely solely on a vendor's ability to fix the next critical flaw.