MOVEit users urged to patch

- Progress Software warned customers to upgrade MOVEit after disclosure of serious flaws including an authentication bypass and privilege‑escalation issue.
- The vulnerabilities affect MOVEit file‑transfer and integration platforms that commonly broker partner data flows, increasing risk of sensitive data exposure.
- Progress and industry writers recommend urgent upgrades and treating managed file transfer systems as high‑consequence trust brokers in architecture. (cybersecuritydive.com)

MOVEit is the kind of software companies forget about until it breaks. It sits in the middle of payroll files, healthcare records, supplier data, and all the other sensitive stuff businesses shuttle between partners. That is why Progress Software’s new warning matters. On April 30, the company told customers to patch MOVEit Automation for two newly disclosed flaws that could let attackers bypass authentication and then escalate privileges to administrative control.

### What exactly got disclosed?

The two bugs are CVE-2026-4670 and CVE-2026-5174. Progress describes the first as an authentication-bypass issue and the second as a privilege-escalation issue, both tied to backend command port interfaces in MOVEit Automation. The ugly part is the combo — if an attacker can get through the front door without proper auth and then raise privileges, the path to unauthorized access gets much shorter.

### Which MOVEit product is it this time?

This alert is about MOVEit Automation, not the older MOVEit Transfer bugs that got most of the headlines in 2023 and 2024. MOVEit Automation is the workflow engine piece — the part that schedules, routes, and processes file transfers between systems. So the risk is not just “someone can grab a file.” It is also “someone can interfere with the machinery that moves a lot of files around automatically.”

### Why is that worse than it sounds?

Managed file transfer tools are trust brokers. They often have broad access by design — shared folders, partner connections, service accounts, automation rules. That makes them a little like a mailroom with master keys. If somebody compromises the mailroom, they do not need to break into every office one by one. They can reroute, copy, or expose data from the middle. That is why Progress says the flaws could lead to unauthorized access, administrative control, and data exposure.

### Is there evidence of active exploitation?

The public advisories visible so far focus on patching urgency and symptoms to watch for, like unexpected privilege escalation, unauthorized access, or odd audit-log activity. I did not find a primary-source statement from Progress or CISA saying these April 2026 MOVEit Automation flaws are being actively exploited right now. That matters because “patch now” does not always mean “already burning,” but it absolutely means defenders should treat the window as dangerous.

### What are customers supposed to do?

Progress says to upgrade immediately to a fixed version. The release notes show CVE-2026-5174 fixed in MOVEit Automation 2025.0.9, and the security bulletin ties remediation to updated builds for supported versions. If you run this product, the practical move is simple — patch, review audit logs, limit exposure of backend interfaces, and check whether service accounts or automation rules show anything unusual.

### Why does MOVEit keep drawing so much attention?

Because the brand is still carrying the scar tissue from the 2023 mass exploitation campaign against MOVEit Transfer, which turned a file-transfer product into a supply-chain-style breach amplifier across governments, insurers, and large enterprises. More MOVEit flaws surfaced in 2024 too, including critical and high-severity authentication issues in Transfer and Gateway. So every fresh advisory lands in an environment where defenders already know these systems are high-consequence targets.

### What is the real lesson here?

The lesson is not just “install the patch.” It is “stop treating managed file transfer as boring plumbing.” These products often hold privileged positions in the architecture, touch sensitive data, and connect outside parties to internal systems. When one of them has an auth bug, the blast radius can be much bigger than the product name suggests.

### Bottom line?

If your organization uses MOVEit Automation, this is patch-now territory. Not because every alert becomes a catastrophe, but because software that brokers trusted data flows is exactly where small authentication mistakes turn into big security incidents.
