
MOVEit Is Back: CVSS 9.8 Pre-Auth Bypass + Privilege Escalation, Patched May 4, 2026

2026.05.05

Two Years After cl0p, Airbus SecLab Hands Progress Two New Bugs — and the Lessons for Your Auth Layer Are Identical

If your security calendar still has "MOVEit" highlighted in red from 2023, get the highlighter back out. On May 4, 2026, Progress Software shipped emergency patches for two MOVEit Automation flaws disclosed by Airbus SecLab researchers. The lead bug, CVE-2026-4670, is a CVSS 9.8 pre-authentication bypass through the service backend command port; the companion bug, CVE-2026-5174, is a CVSS 7.7 input-validation flaw enabling privilege escalation once authenticated. Together they hand a remote, unauthenticated attacker administrative control of MOVEit Automation 2024.x and 2025.x.


There is no in-the-wild exploitation reported yet. There was none at the comparable point in May 2023, either. The cl0p ransomware crew industrialized MOVEit Transfer four weeks after disclosure, and within months had hit hundreds of organizations including U.S. federal agencies. Customers who waited "until the next maintenance window" learned a very expensive lesson. The same calculus applies this week.


Why CVE-2026-4670 Is a Textbook Case


It touches every one of the four core defensive pillars at the same time.


Input validation. The bypass works because a single argument on the backend command port is trusted instead of validated. The classical OWASP rule — "validate every input, every time, on the server side, against an allow-list" — was violated at exactly one place, and that one place owned the front door.


Authentication & authorization. The bug doesn't just break a check. It removes the check. Pre-auth means the attacker doesn't have to forge a session, leak a token, or phish a credential — they walk in. The companion CVE-2026-5174 then flips a low-privileged identity into an administrator. Defense-in-depth in name only: when both walls fall, you don't have layered defense, you have layered theatre.


Open-source / third-party package security. MOVEit Automation isn't open source, but it sits in your stack like one — a vendored binary that interacts with your AD, your file shares, your SMTP, your S3. Treat every closed-source enterprise component as a third-party package: pin versions, subscribe to its CVE feed, and have a rehearsed patch-or-isolate decision tree.


CIA (Confidentiality, Integrity, Availability). A pre-auth admin takeover scores 1-1-1: the attacker reads your data, alters your data, and can deny service. There is no scenario in which CVE-2026-4670 only "kind of" pops your environment.


Concrete Actions for the Next 24 Hours


Patch. Move every MOVEit Automation host to 2025.1.5, 2025.0.9, or 2024.1.8 — the fixed versions. The full installer is the only supported path; do not attempt manual hot-fixes.


Block the backend command port at the network edge. It should never have been internet-reachable. If it is, restrict it to a management VLAN before you patch.


Hunt for pre-disclosure activity. Pull MOVEit Automation logs back to mid-April. Look for unauthenticated requests to the backend command port, anomalous task creations, and new admin accounts.


Review every "trust the request" call site in your own PHP / Laravel backends this week. Anywhere you accept an argument and use it to look up a session, a tenant, or a permission, you have a CVE-2026-4670-shaped bug waiting to be discovered. Validate, allow-list, and assume your perimeter is hostile.
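The "trust the request" call site the post warns about, beside its hardened form, as an added example that is not code from the post, from Progress or from MOVeit. It is in Python rather than PHP so that it runs stand-alone; a Laravel controller has the same three steps (allow-list the argument, bind identity to a server-issued session, decide authorization from server-side state). The `Request` shape and the `SESSIONS`, `ROLES` and `ALLOWED_ACTIONS` tables are constructed fixtures, not real values.

```python
"""Added example: a caller-trusting handler next to a validating one.
All fixtures below are constructed for illustration."""
import hmac
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an inbound request: a flat dict of arguments."""
    args: dict = field(default_factory=dict)


# Constructed fixtures. In a real service these come from the session store
# and the user directory, never from the request itself.
SESSIONS = {"sess-7f3a": "alice", "sess-91c0": "bob"}
ROLES = {"alice": "admin", "bob": "operator"}
ALLOWED_ACTIONS = {"list_tasks": "operator", "run_task": "operator", "create_admin": "admin"}
ACTION_RE = re.compile(r"[a-z_]{1,32}")


def handle_vulnerable(req: Request) -> str:
    """Anti-pattern: the caller asserts its own role and nothing verifies it.
    No session is required, so the path is reachable pre-auth, and a caller
    that simply passes role=admin is treated as an administrator."""
    role = req.args.get("role", "operator")
    action = req.args.get("action", "")
    if ALLOWED_ACTIONS.get(action) == "admin" and role != "admin":
        return "denied"
    return f"ok:{action}"


def handle_hardened(req: Request) -> str:
    """Validate the argument against an allow-list, bind identity to a
    server-issued session, and decide authorization from server-side state."""
    action = req.args.get("action")
    # 1. Input validation: type, then shape, then allow-list membership, before any use.
    if not isinstance(action, str) or not ACTION_RE.fullmatch(action):
        return "denied"
    if action not in ALLOWED_ACTIONS:
        return "denied"
    # 2. Authentication: the only identity accepted is one this server issued.
    presented = str(req.args.get("session", "")).encode()
    user = None
    for sid, name in SESSIONS.items():
        if hmac.compare_digest(sid.encode(), presented):  # constant-time compare
            user = name
    if user is None:
        return "denied"  # unauthenticated: the front door stays shut
    # 3. Authorization: the role comes from ROLES, never from req.args["role"].
    if ALLOWED_ACTIONS[action] == "admin" and ROLES.get(user) != "admin":
        return "denied"
    return f"ok:{action}"


if __name__ == "__main__":
    forged = Request({"action": "create_admin", "role": "admin"})
    print(handle_vulnerable(forged), handle_hardened(forged))  # ok:create_admin denied
```

The ordering matters: the allow-list check runs before the session lookup so that an unauthenticated caller cannot use the argument to drive any lookup at all, which is the property the post says the backend command port lacked.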


My Take


The interesting story isn't that MOVEit broke again — software with a 20-year codebase will always have one more pre-auth bug. The story is the contrast with last week's LiteLLM incident, where a 36-hour exploitation window followed disclosure. Airbus SecLab privately disclosed; Progress patched before public release; defenders have a head start. Use it. The teams that get hit in June will be the ones who treated this week's advisory as a Tuesday email instead of a Tuesday incident response.

