Critical MOVEit Automation flaw lets attackers take over file-transfer servers without logging in - Cl0p hit MOVEit's sister product in 2023 and stole data from 62 million people (CVE-2026-4670)
Progress Software released emergency patches Sunday for two MOVEit Automation flaws. The worst, CVE-2026-4670 (CVSS 9.8), lets remote attackers reach the management interface without logging in - and from there take administrative control. Airbus researchers disclosed both flaws privately and Progress hasn't seen exploitation in the wild, but the comparison with MOVEit's history is uncomfortable: the Cl0p ransomware gang exploited MOVEit Transfer in 2023 to steal data from 2,100 organizations and 62 million individuals. Shodan shows 1,400+ MOVEit Automation instances exposed online, including a dozen linked to US local and state government agencies.
- Check: Inventory MOVEit Automation instances and check the version under Web Admin > Help > About. Search firewall logs for inbound traffic to the service backend command port.
- Affected: MOVEit Automation versions before 2025.1.5, 2025.0.9, and 2024.1.8. CVE-2026-4670 (CVSS 9.8, auth bypass) and CVE-2026-5174 (CVSS 7.7, privilege escalation). 1,400+ internet-exposed instances per Shodan, including state and local government agencies. Internet-reachable management interfaces face acute risk.
- Fix: Upgrade to MOVEit Automation 2025.1.5, 2025.0.9, or 2024.1.8 using the full installer (the standard service installer does not patch the flaw). Restrict the management interface to internal networks only. Rotate every credential MOVEit holds for downstream destinations - cloud storage, SFTP servers, partner systems. Block external traffic to the service backend command port at the firewall.
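To turn the Check and Affected items into a patch queue, the following added example (not from Progress or from this article) compares an inventory of reported versions against the three fixed releases listed above and sorts internet-exposed, unpatched hosts first. The CSV column names, hostnames and sample versions are constructed, and it assumes versions are recorded in the `YYYY.minor.patch` form the advisory uses.

```python
import csv
import io

# Fixed release per branch, as listed in the advisory above.
FIXED = {(2025, 1): (2025, 1, 5), (2025, 0): (2025, 0, 9), (2024, 1): (2024, 1, 8)}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = """host,version,internet_exposed
mft-auto-01,2025.1.5,no
mft-auto-02,2025.0.8,yes
mft-auto-03,2024.1.8,no
mft-auto-04,2023.1.2,no
mft-auto-05,2025.2.0,no
mft-auto-06,unknown,yes
"""

def classify(version_text):
    """Return PATCHED, VULNERABLE or VERIFY for one reported version string."""
    parts = version_text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]) or len(parts[0]) != 4:
        return "VERIFY"  # not in the YYYY.minor.patch form the advisory uses
    v = tuple(int(p) for p in parts[:3])  # numeric compare, so 0.10 > 0.9
    fixed = FIXED.get(v[:2])
    if fixed is not None:
        return "PATCHED" if v >= fixed else "VULNERABLE"
    if v < min(FIXED.values()):
        return "VULNERABLE"  # older than every fixed release: upgrade
    return "VERIFY"  # branch the advisory does not list; confirm with the vendor

def triage(inventory_csv):
    """Return (host, version, status, exposed) rows, most urgent first."""
    rows = []
    for rec in csv.DictReader(io.StringIO(inventory_csv)):
        exposed = rec["internet_exposed"].strip().lower() == "yes"
        rows.append((rec["host"], rec["version"], classify(rec["version"]), exposed))
    rank = {"VULNERABLE": 0, "VERIFY": 1, "PATCHED": 2}
    # Exposed hosts sort ahead of internal ones within the same status.
    return sorted(rows, key=lambda r: (rank[r[2]], not r[3], r[0]))

if __name__ == "__main__":
    for host, version, status, exposed in triage(SAMPLE_INVENTORY):
        print(f"{status:<10} {host:<12} {version:<10} {'EXPOSED' if exposed else 'internal'}")
```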