Overview
- Progress released patches Monday that fix CVE-2026-4670 and CVE-2026-5174 in MOVEit Automation versions 2025.1.5, 2025.0.9, and 2024.1.8.
- The flaws allow an unauthenticated login bypass and a privilege escalation that together can hand attackers administrative control.
- Progress says only a full installer upgrade remediates the issue, which stops the service during the update and offers no workaround.
- No exploitation has been confirmed, yet public scans show over 1,400 internet-facing instances, including more than a dozen tied to U.S. local and state agencies.
- Compromising the Automation scheduler can expose stored credentials and business files and can open a path into corporate networks, a risk underscored by Cl0p’s 2023 attacks on MOVEit Transfer.