Severity: CRITICAL
Priority: 0.474
Executive Summary
Progress Software has disclosed and patched CVE-2026-4670, a critical authentication bypass (CVSS 9.8) in MOVEit Automation, the managed file transfer platform widely used across enterprise and regulated-sector environments. An unauthenticated attacker with network access can bypass authentication entirely; a companion privilege escalation flaw (CVE-2026-5174) compounds the risk by enabling deeper system access post-exploitation. Given MOVEit's history as a high-value ransomware and data theft target, organizations running this product should treat patching as an immediate operational priority.
Impact Assessment
CISA KEV Status: Not listed
Attack Vector: HIGH. Exploitable remotely over the internet.
Complexity: HIGH. No special conditions required to exploit.
Authentication: HIGH. No credentials needed — anyone can attempt.
User Interaction: HIGH. Fully automated — no user action needed.
Active Exploitation: LOW. No confirmed active exploitation.
Affected Product: INFO. Progress MOVEit Automation (versions unspecified in available data; refer to the Progress Software April 2026 Security Alert Bulletin for affected version ranges).
Are You Exposed?
⚠ You use Progress MOVEit Automation (versions unspecified in available data; refer to the Progress Software April 2026 Security Alert Bulletin for affected version ranges) → Investigate immediately
⚠ Affected systems are internet-facing → Increased attack surface
✓ You have patched to the latest version → Reduced risk
✓ Systems are behind network segmentation / WAF → Mitigated exposure
Assessment estimated from CVSS base score (no vector available).
Business Context
MOVEit Automation manages automated file transfers across enterprise workflows — often carrying regulated data including financial records, healthcare files, and personally identifiable information. An attacker who exploits this vulnerability gains unauthenticated access to that transfer infrastructure, enabling data theft, workflow manipulation, or ransomware deployment with no credentials required. Prior MOVEit vulnerabilities (notably CVE-2023-34362) resulted in mass data extortion campaigns affecting hundreds of organizations; regulated-sector customers should assess breach notification obligations immediately upon confirmed compromise.
You Are Affected If
You run Progress MOVEit Automation in production (any version — confirm affected ranges against the Progress April 2026 Security Alert Bulletin)
Your MOVEit Automation instance is accessible from the internet or untrusted network segments without network-layer access controls
You have not applied the patch referenced in the Progress Software April 2026 Security Alert Bulletin for CVE-2026-4670 and CVE-2026-5174
MOVEit Automation service accounts have not had credentials rotated recently and may be reused across systems
Your MFT workflows carry regulated data (PII, PHI, financial records) that would trigger breach notification obligations if exfiltrated
Board Talking Points
A critical flaw in our managed file transfer software allows attackers to access the system without any password, putting automated data transfers at direct risk.
The security team should apply the vendor-released patch within 24 hours and restrict access to this system until patching is confirmed complete.
If this vulnerability is exploited before patching, attackers could steal files in transit and trigger regulatory breach notification requirements.
HIPAA Security Rule (45 CFR § 164.312(d)) — Covered entities using MOVEit Automation to transmit ePHI must assess whether CVE-2026-4670 constitutes a breach of unsecured PHI under the Breach Notification Rule. Authentication bypass on an MFT platform carrying ePHI triggers a risk assessment obligation. Verify with your privacy officer before concluding no notification is required.
PCI DSS v4.0 (Requirement 6.3.3 / 12.3.2) — Entities using MOVEit Automation within cardholder data environment (CDE) scope must apply security patches within defined timelines. A CVSS 9.8 vulnerability on a CDE-adjacent MFT platform requires priority patching and documented risk acceptance if patching is delayed. Confirm scope with your QSA.
Technical Analysis
CVE-2026-4670 is an authentication bypass in Progress MOVEit Automation, classified under CWE-287 (Improper Authentication).
CVSS base score: 9.8 (Critical).
The attack vector is network-exploitable; the flaw requires no authentication and no user interaction and is assessed as low complexity, meaning automated exploitation is realistic.
A companion vulnerability, CVE-2026-5174, introduces a privilege escalation path that an attacker could chain after bypassing authentication. MITRE ATT&CK techniques mapped: T1078 (Valid Accounts; the authentication bypass yields account-equivalent access) and T1190 (Exploit Public-Facing Application). The EPSS score at time of data capture was 0.074% (22nd percentile), indicating a lower automated exploitation probability at that snapshot; given MOVEit's history of attacker attention, treat this metric as a lagging indicator, not a risk ceiling. Affected version ranges should be confirmed directly from the Progress Software Security Alert Bulletin (April 2026). The NVD entry for CVE-2026-4670 is the canonical technical reference. Important: specific version ranges and patch versions must be confirmed against the Progress Security Alert Bulletin and NVD before operational patching decisions are made.
Action Checklist (IR enriched)
Triage Priority: IMMEDIATE
Escalate to CISO, legal counsel, and data protection officer immediately if forensic review of MOVEit Automation transfer logs reveals any file exfiltration, unauthorized access to transfers containing PII, PHI, or payment data, or if CVE-2026-5174 privilege escalation artifacts are present — all three conditions trigger mandatory breach notification assessment under HIPAA, PCI DSS, and/or SEC cyber incident disclosure rules depending on data classification.
Step 1: Containment — Immediately restrict network access to MOVEit Automation management interfaces. Block untrusted source IPs via firewall ACL or place the service behind a reverse proxy. Confirm CVE-2026-5174 (privilege escalation) is addressed by the same patch before treating containment as complete. (Cite: NIST AC-4 — Information Flow Enforcement / NIST AC-17 — Remote Access / CIS 4.4 — Implement and Manage a Firewall on Servers / D3-PBWSAM — Proxy-based Web Server Access Mediation)
IR Detail
Containment
NIST 800-61r3 §3.3 — Containment Strategy (CSF RS.MA: Execute IR plan, contain, mitigate)
NIST IR-4 (Incident Handling)
NIST SC-7 (Boundary Protection)
NIST AC-17 (Remote Access)
CIS 4.4 (Implement and Manage a Firewall on Servers)
CIS 4.5 (Implement and Manage a Firewall on End-User Devices)
Compensating Control
On the MOVEit Automation host (Windows), run: `netsh advfirewall firewall add rule name="Block MOVEit Mgmt" dir=in action=block protocol=tcp localport=<MOVEit_management_port> remoteip=<any_untrusted_range>` (cmd.exe does not treat single quotes as quoting, so the rule name needs double quotes). For Linux-based deployments: `iptables -I INPUT -p tcp --dport <port> ! -s <trusted_mgmt_CIDR> -j DROP`. Verify the rule is active with `netsh advfirewall firewall show rule name="Block MOVEit Mgmt"` (Windows) or `iptables -L INPUT -n --line-numbers` (Linux); `netstat -an | findstr <port>` only confirms the service is still listening, not that the filter applies. A 2-person team can implement this in under 10 minutes without SIEM or EDR. Confirm MOVEit Automation's management interface port from Progress Software documentation for your deployed version — do not assume default ports.
Preserve Evidence
Before restricting access, capture a full netstat snapshot of active connections to MOVEit Automation management and transfer ports (`netstat -anob > moveit_connections_<timestamp>.txt` on Windows) to preserve any active attacker session state. Collect the MOVEit Automation IIS access logs (default path: `C:\MOVEitTransfer\Logs\` or IIS log directory) and Windows Security Event Log (Event ID 4624 — Logon Success, Event ID 4625 — Logon Failure) to establish a pre-containment authentication baseline. Export firewall connection state tables from the perimeter device before applying ACLs, as active sessions from exploit attempts may be present.
Step 2: Detection — Review MOVEit Automation authentication logs for successful sessions with no corresponding credential validation event, access from unexpected source IPs to administrative or API endpoints, and service account activity outside expected hours. Check for unauthorized file transfers, new scheduled jobs, or modified automation workflows as post-exploitation indicators (T1078, T1190). Confirm specific log paths and event IDs against Progress Software documentation for your deployed version. (Cite: NIST AU-2 — Event Logging / NIST AU-3 — Content Of Audit Records / NIST AU-6 — Audit Record Review, Analysis, And Reporting / CIS 8.2 — Collect Audit Logs / D3-LAM — Local Account Monitoring)
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis (CSF DE.AE-02: Analyze potentially adverse events; DE.AE-03: Correlate information from multiple sources)
NIST IR-5 (Incident Monitoring)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST AU-12 (Audit Record Generation)
NIST SI-4 (System Monitoring)
CIS 8.2 (Collect Audit Logs)
Compensating Control
Without a SIEM, use PowerShell on the MOVEit Automation host to parse IIS logs for authentication bypass indicators: `Select-String -Path 'C:\inetpub\logs\LogFiles\W3SVC*\*.log' -Pattern '(login|auth|session).*\s(200|302)\s' | Where-Object { $_.Line -notmatch '\sPOST\s' }` to surface GET-based session establishment anomalies (in the default W3C layout the URI stem precedes the status code, so the pattern must match them in that order). For T1190 (Exploit Public-Facing Application) and T1078 (Valid Accounts) detection, apply the public Sigma rule `sigma/rules/web/web_moveit_transfer_exploitation.yml` (community-maintained; verify the current rule against your log format), converted to a grep or PowerShell expression with `sigmac` or its successor `sigma-cli`. Cross-reference MOVEit Automation's `AuditLog` database table (Microsoft SQL Server or MySQL backend — query: `SELECT * FROM AuditLog WHERE EventTime > DATEADD(day,-7,GETDATE()) AND EventType IN ('Login','FileUpload','JobCreate','WorkflowModify') ORDER BY EventTime DESC`; on MySQL replace `DATEADD(day,-7,GETDATE())` with `DATE_SUB(NOW(), INTERVAL 7 DAY)`) for orphaned session events with no preceding credential validation entry.
Preserve Evidence
Collect MOVEit Automation's application audit log (database table `AuditLog` or equivalent in the deployed backend) — authentication bypass exploitation of CVE-2026-4670 would produce session creation records with no associated username/password validation event, which is structurally anomalous and distinguishable from normal login flows. Capture IIS access logs showing HTTP requests to MOVEit Automation authentication endpoints (e.g., `/human.aspx`, `/api/v1/auth/token` — confirm exact paths against Progress Software documentation) with 200-OK responses from IP addresses with no prior authenticated history. For post-exploitation activity associated with CVE-2026-5174 privilege escalation, collect Windows Security Event Log Event ID 4672 (Special Privileges Assigned to New Logon) and Event ID 4688 (Process Creation) filtered on processes spawned under the MOVEit service account context.
Step 3: Eradication — Apply the patch specified in the Progress Software April 2026 Security Alert Bulletin. Confirm the patch addresses both CVE-2026-4670 and CVE-2026-5174 before closing the remediation ticket. If the vendor provides a temporary workaround, treat it as a bridge measure only — not a permanent control. Validate the patched version against your software inventory. (Cite: NIST AC-14 — Permitted Actions Without Identification Or Authentication / CIS 7.3 — Perform Automated Operating System Patch Management / CIS 7.4 — Perform Automated Application Patch Management / CIS 2.2 — Ensure Authorized Software is Currently Supported)
IR Detail
Eradication
NIST 800-61r3 §3.4 — Eradication (CSF RS: Remove threat from environment, verify eradication)
NIST SI-2 (Flaw Remediation)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST CM-6 (Configuration Settings)
CIS 7.3 (Perform Automated Operating System Patch Management)
CIS 7.4 (Perform Automated Application Patch Management)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
Compensating Control
Before patching, create a file system hash baseline of the MOVEit Automation installation directory using: `Get-ChildItem -Path 'C:\MOVEitTransfer' -Recurse -File | Get-FileHash -Algorithm SHA256 | Export-Csv pre_patch_hashes.csv -NoTypeInformation` (`Get-FileHash` has no `-Recurse` parameter, so enumerate the files with `Get-ChildItem` first). After applying the Progress Software patch, re-run the same scan to `post_patch_hashes.csv` and diff it against the pre-patch baseline to confirm only expected files changed: `Compare-Object (Import-Csv pre_patch_hashes.csv) (Import-Csv post_patch_hashes.csv) -Property Hash,Path`. This detects any attacker-placed webshells or modified binaries that persist post-patch. Verify the installed version matches the patched build number from the Progress Software April 2026 Security Alert Bulletin by checking `Add/Remove Programs` or the MOVEit application version endpoint before bringing the service back online. Note: the NVD entry for CVE-2026-4670 referenced in the Technical Analysis should be validated at access time — NVD entries for newly disclosed CVEs may not be fully populated immediately after disclosure.
Preserve Evidence
Before applying the patch, collect a memory dump of the MOVEit Automation worker process (`procdump -ma <moveit_worker_pid> moveit_predump.dmp` using Sysinternals ProcDump) to preserve evidence of any in-memory exploitation artifacts from CVE-2026-4670 or CVE-2026-5174. Capture a directory listing with timestamps of `C:\MOVEitTransfer\wwwroot\` and `C:\MOVEitTransfer\Automation\` to detect webshells or unauthorized script files that attackers commonly deploy following MOVEit-class exploitation — consistent with the CL0P ransomware group's 2023 MOVEit Transfer campaign TTPs (T1505.003 — Server Software Component: Web Shell). Document the pre-patch version number from the application.
Step 4: Recovery — After patching, rotate all MOVEit Automation service account credentials and API tokens. Audit automation workflows and file transfer configurations for unauthorized changes. Test that authentication controls are functioning correctly by attempting access with invalid credentials and confirming rejection. Monitor transfer logs for 30 days post-remediation. (Cite: NIST AC-2 — Account Management / NIST AC-3 — Access Enforcement / CIS 5.1 — Establish and Maintain an Inventory of Accounts / D3-CRO — Credential Rotation / D3-CH — Credential Hardening)
IR Detail
Recovery
NIST 800-61r3 §3.5 — Recovery (CSF RC: Restore systems, verify integrity, communicate)
NIST IR-4 (Incident Handling)
NIST AC-2 (Account Management)
NIST IA-5 (Authenticator Management)
NIST AU-11 (Audit Record Retention)
CIS 5.1 (Establish and Maintain an Inventory of Accounts)
CIS 5.2 (Use Unique Passwords)
CIS 6.2 (Establish an Access Revoking Process)
Compensating Control
Enumerate all MOVEit Automation service accounts and API tokens by querying the application database: `SELECT Username, APIKey, LastLogin, CreatedBy FROM Users WHERE IsServiceAccount = 1` (adjust table/column names per Progress Software schema documentation for your version). For each token found, revoke and reissue via the MOVEit Automation admin interface before bringing transfer workflows back online. To validate authentication enforcement post-patch, use curl to confirm unauthenticated requests to the MOVEit Automation API are rejected: `curl -v https://<moveit_host>/api/v1/folders -H 'Accept: application/json'` — a properly patched instance must return HTTP 401, not 200. Set a 30-day cron job or Windows Scheduled Task to export MOVEit transfer logs daily: `schtasks /create /tn "MOVEit Log Export" /tr "xcopy C:\MOVEitTransfer\Logs\* D:\LogArchive\ /Y /D" /sc daily /st 02:00` (schtasks is invoked from cmd.exe, which requires double quotes around the task name and command).
Preserve Evidence
Before rotating credentials, export the full MOVEit Automation user and API token table with last-login timestamps to establish which accounts were active during the exploitation window — accounts with session activity during the CVE-2026-4670 bypass window that cannot be correlated to legitimate business transfers must be treated as potentially compromised. Audit the MOVEit Automation scheduled job and workflow configuration files (location per Progress Software documentation) for any entries created or modified during or after the exploitation window, as post-exploitation persistence via scheduled transfer jobs is a documented tactic (T1053 — Scheduled Task/Job) in prior MOVEit-targeting campaigns.
Step 5: Post-Incident — Assess whether MOVEit Automation management interfaces are unnecessarily internet-exposed and remediate. Verify MFA is enforced on all externally-exposed and administrative MOVEit access paths. Review least-privilege assignments for all service accounts with access to the platform. Document control gaps and remediation actions. (Cite: NIST AC-6 — Least Privilege / CIS 6.3 — Require MFA for Externally-Exposed Applications / CIS 6.5 — Require MFA for Administrative Access / CIS 5.4 — Restrict Administrator Privileges to Dedicated Administrator Accounts / D3-MFA — Multi-factor Authentication / D3-UAP — User Account Permissions)
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity (CSF GV, ID: Lessons learned, update policies, improve detection, share intelligence)
NIST IR-4 (Incident Handling)
NIST IR-8 (Incident Response Plan)
NIST RA-3 (Risk Assessment)
NIST SC-7 (Boundary Protection)
NIST SI-5 (Security Alerts, Advisories, and Directives)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
CIS 7.2 (Establish and Maintain a Remediation Process)
CIS 4.2 (Establish and Maintain a Secure Configuration Process for Network Infrastructure)
Compensating Control
Conduct an internet exposure audit of all MFT platforms (MOVEit Automation, MOVEit Transfer, and any third-party equivalents) using the Shodan CLI (`shodan search "MOVEit asn:<your_org_ASN>"`; the `asn:` filter takes your AS number, whereas `org:` matches the registered organization name) or Censys to identify management interfaces reachable from the public internet — this mirrors the reconnaissance methodology used by threat actors targeting MOVEit infrastructure. Document all findings in a gap register tied to NIST CSF PR.AC-5 (Network integrity is protected) and PR.PT-3 (Principle of least functionality), and schedule a formal risk acceptance or remediation decision within 30 days per NIST 800-61r3 §4 lessons-learned guidance. For PAM compensating controls without budget: implement Windows LAPS for MOVEit service account password rotation and restrict MOVEit admin console access to a dedicated jump host via Windows Firewall rules.
Preserve Evidence
Compile the full incident timeline from IIS access logs, MOVEit AuditLog database records, Windows Security Event Log, and firewall flow data for the period spanning first possible exploitation through containment — this timeline is required for regulatory breach notification decisions under HIPAA (if PHI transited MOVEit), PCI DSS (if payment data was in scope), or SEC incident disclosure rules if the organization is a public company. Retain all collected forensic artifacts per NIST AU-11 (Audit Record Retention) for a minimum period consistent with applicable regulatory requirements before any log rotation or evidence disposal.
Recovery Guidance
After patching both CVE-2026-4670 and CVE-2026-5174 and rotating all service account credentials and API tokens, validate authentication enforcement with unauthenticated API probe tests before restoring production transfer workflows. Given MOVEit's history as a primary target for CL0P and affiliated ransomware-as-a-service operators, maintain elevated monitoring of MOVEit Automation transfer logs, scheduled job configurations, and web-accessible directories for webshell artifacts for a minimum of 30 days post-remediation. Any anomalous outbound transfer volume, new scheduled jobs, or workflow modifications observed in the 30-day window should be treated as a potential persistent compromise and trigger re-imaging of the MOVEit Automation host.
Key Forensic Artifacts
MOVEit Automation application AuditLog database table (MSSQL or MySQL backend): query for session creation events with no associated credential validation record during the exploitation window — this is the primary forensic indicator of CVE-2026-4670 authentication bypass exploitation.
IIS access logs for the MOVEit Automation web application (default: C:\inetpub\logs\LogFiles\W3SVC*\): HTTP 200-OK responses to authentication or session endpoints from external IP addresses not present in the pre-incident baseline, particularly GET requests where POST (credential submission) would be expected.
Windows Security Event Log on the MOVEit Automation host: Event ID 4624 (Logon Success) with Logon Type 3 (Network) under the MOVEit service account context correlated with Event ID 4672 (Special Privileges Assigned) — the combination indicates potential CVE-2026-5174 privilege escalation post-bypass.
MOVEit Automation wwwroot and Automation script directories (paths per Progress Software documentation for deployed version): file system timestamps and hashes for any .aspx, .php, .jsp, or script files created or modified during or after the exploitation window, consistent with webshell deployment observed in prior MOVEit Transfer campaigns (T1505.003).
Network flow or firewall logs for the MOVEit Automation host: unusual outbound connection volume or connections to external IPs from the MOVEit service account process context, which would indicate data staging or exfiltration activity (T1048 — Exfiltration Over Alternative Protocol) consistent with ransomware operator pre-encryption data theft TTPs targeting MFT platforms.
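As an added example (not part of this advisory or of Progress Software's tooling), the following Python implements the IIS-log check from Step 2 and the IIS artifact above over a constructed W3C log sample: it reads the `#Fields:` header instead of relying on column positions, then flags successful hits on authentication endpoints that arrived as GET where a credential POST is expected, or that came from a client IP with no prior authenticated history. The endpoint paths, baseline IP set and log lines are constructed assumptions; confirm real paths against Progress Software documentation.

```python
"""Added example: flag anomalous successful authentication hits in IIS W3C logs.

Endpoint paths, the baseline IP set and the sample log lines are constructed
placeholders, not real MOVEit Automation values.
"""

# Constructed: endpoints that establish a session (prefix match) and the
# subset that should only ever receive credentials via POST.
AUTH_ENDPOINT_PREFIXES = ("/api/v1/auth/", "/human.aspx")
CREDENTIAL_POST_ENDPOINTS = {"/api/v1/auth/token"}
SUCCESS_STATUSES = {"200", "302"}

# Constructed pre-incident baseline of IPs with legitimate authenticated history.
BASELINE_AUTHENTICATED_IPS = {"10.0.5.20"}

# Constructed W3C sample in the default IIS field order. 198.51.100.77 obtains a
# token with a bare GET and has never authenticated before; 203.0.113.9 fails.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2026-04-10 02:00:01 10.0.5.10 POST /api/v1/auth/token - 443 - 10.0.5.20 curl/8.0 - 200 0 0 15
2026-04-10 02:05:30 10.0.5.10 GET /human.aspx - 443 - 10.0.5.20 Mozilla/5.0 - 200 0 0 9
2026-04-10 02:13:44 10.0.5.10 GET /api/v1/auth/token - 443 - 198.51.100.77 python-requests/2.31 - 200 0 0 4
2026-04-10 02:14:02 10.0.5.10 GET /api/v1/folders - 443 - 198.51.100.77 python-requests/2.31 - 200 0 0 7
2026-04-10 02:15:00 10.0.5.10 POST /api/v1/auth/token - 443 - 203.0.113.9 curl/8.0 - 401 1 0 3
"""


def parse_w3c(text):
    """Return one dict per request line, keyed by the names in the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]           # field order can differ per site
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is not None:
            parts = line.split()
            if len(parts) == len(fields):       # skip malformed or truncated lines
                rows.append(dict(zip(fields, parts)))
    return rows


def is_auth_endpoint(uri):
    return uri.lower().startswith(AUTH_ENDPOINT_PREFIXES)


def flag_auth_anomalies(rows, baseline_ips):
    """Walk the log in order; an IP joins the 'known' set only after a successful
    credential POST, so an earlier GET-based success from it is still flagged."""
    known = set(baseline_ips)
    findings = []
    for r in rows:
        uri, method, ip = r["cs-uri-stem"], r["cs-method"].upper(), r["c-ip"]
        if r["sc-status"] not in SUCCESS_STATUSES or not is_auth_endpoint(uri):
            continue
        reasons = []
        if method == "GET" and uri.lower() in CREDENTIAL_POST_ENDPOINTS:
            reasons.append("GET where credential POST expected")
        if ip not in known:
            reasons.append("no prior authenticated history")
        if reasons:
            findings.append({"time": f"{r['date']} {r['time']}", "c-ip": ip,
                             "method": method, "uri": uri, "reasons": reasons})
        if method == "POST" and uri.lower() in CREDENTIAL_POST_ENDPOINTS:
            known.add(ip)                       # a legitimate login establishes history
    return findings


if __name__ == "__main__":
    for f in flag_auth_anomalies(parse_w3c(SAMPLE_IIS_LOG), BASELINE_AUTHENTICATED_IPS):
        print(f)
```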
Detection Guidance
Detection for CVE-2026-4670 must focus on authentication anomalies consistent with CWE-287 (Improper Authentication) and post-exploitation behavior mapped to T1078 (Valid Accounts) and T1190 (Exploit Public-Facing Application).
Per NIST AU-2 (Event Logging), ensure MOVEit Automation authentication events — successful logins, session initiations, and API access — are captured and forwarded to your SIEM.
Per NIST AU-3 (Content Of Audit Records), confirm each log entry records event type, timestamp, source IP, user identity, and outcome.
The primary detection signal is a successful authentication event not preceded by a valid credential submission event within the same session context; build a SIEM correlation rule to flag this pattern specifically. Per NIST AU-6 (Audit Record Review, Analysis, And Reporting), review these logs at increased frequency while the threat is active.
Behavioral indicators include: authenticated sessions from external or unexpected IP ranges targeting administrative or API endpoints; service account activity during off-hours with no corresponding business process trigger; unexpected file transfers initiated post-authentication; new or modified scheduled jobs and automation workflows following a session event. At the network layer, watch for unexpected outbound connections from MOVEit Automation hosts — data exfiltration is the primary attacker objective given the platform's MFT role.
Apply D3-LAM (Local Account Monitoring) to flag anomalous local account activity on the MOVEit host. Apply D3-SFA (System File Analysis) to detect modification of authentication configuration files or system executables. Per NIST AU-9 (Protection Of Audit Information), ensure audit logs are protected from modification and stored with capacity per NIST AU-4 (Audit Storage Capacity) to support at minimum 30-day post-incident review, consistent with NIST AU-11 (Audit Record Retention). Per CIS 8.2 (Collect Audit Logs), confirm logging is enabled across the MOVEit Automation deployment before assuming log completeness.
No public IOCs (IPs, file hashes, domains) are confirmed in available data for active exploitation of CVE-2026-4670 at time of content generation. CISA KEV status: not listed as of data capture — monitor the CISA KEV catalog directly for status changes.
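The primary signal above (a session created with no preceding credential validation in the same session context), as an added correlation example in Python that is not code from the advisory or from Progress Software; the event names, the `|`-delimited layout, the 60-second validation window and the sample events are constructed assumptions to be mapped onto your deployment's AuditLog schema. For each flagged session it also lists the follow-on job and workflow events named as post-exploitation indicators in Step 2.

```python
"""Added example: correlate session-creation events with credential validation.

Event names, the '|'-delimited layout, the validation window and the sample
events are constructed assumptions; map them onto your AuditLog schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

CREDENTIAL_EVENTS = {"CredentialValidated"}
SESSION_EVENT = "SessionCreated"
# Post-login actions worth listing for a suspicious session (Step 2 indicators).
POST_LOGIN_EVENTS = {"JobCreate", "WorkflowModify", "FileUpload", "FileDownload"}
MAX_VALIDATION_GAP = timedelta(seconds=60)   # assumed tolerance between the two events

# Constructed sample: S1 is a normal login, S2 has no validation at all,
# S3 was validated ten minutes before its session appeared.
SAMPLE_AUDIT = """\
2026-04-10T02:00:01|CredentialValidated|S1|svc_transfer|10.0.5.20
2026-04-10T02:00:01|SessionCreated|S1|svc_transfer|10.0.5.20
2026-04-10T02:13:44|SessionCreated|S2|admin|198.51.100.77
2026-04-10T02:14:02|JobCreate|S2|admin|198.51.100.77
2026-04-10T02:14:30|WorkflowModify|S2|admin|198.51.100.77
2026-04-10T02:20:00|CredentialValidated|S3|svc_transfer|10.0.5.20
2026-04-10T02:30:00|SessionCreated|S3|svc_transfer|10.0.5.20
"""


@dataclass(frozen=True)
class AuditEvent:
    time: datetime
    event: str
    session: str
    user: str
    src_ip: str


def parse_audit(text):
    """Parse 'timestamp|event|session|user|src_ip' lines into time-ordered events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event, session, user, ip = line.split("|")
        events.append(AuditEvent(datetime.fromisoformat(ts), event, session, user, ip))
    return sorted(events, key=lambda e: e.time)


def find_unvalidated_sessions(events, max_gap=MAX_VALIDATION_GAP):
    """One finding per SessionCreated with no CredentialValidated for the same
    session inside the max_gap window before it, plus its follow-on actions."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e.session].append(e)
    findings = []
    for session, evs in by_session.items():
        validations = [v for v in evs if v.event in CREDENTIAL_EVENTS]
        for created in (e for e in evs if e.event == SESSION_EVENT):
            in_window = [v for v in validations
                         if timedelta(0) <= created.time - v.time <= max_gap]
            if in_window:
                continue                        # normal login flow
            findings.append({
                "session": session, "user": created.user, "src_ip": created.src_ip,
                "created": created.time.isoformat(),
                "reason": ("validation outside window" if validations
                           else "no credential validation"),
                "post_login_events": sorted(e.event for e in evs
                                            if e.time >= created.time
                                            and e.event in POST_LOGIN_EVENTS),
            })
    return sorted(findings, key=lambda f: f["created"])


if __name__ == "__main__":
    for finding in find_unvalidated_sessions(parse_audit(SAMPLE_AUDIT)):
        print(finding)
```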
Platform Playbooks
MITRE ATT&CK Hunting Queries (2)
Sentinel rule: Sign-ins from unusual locations
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| summarize Locations = make_set(Location), LoginCount = count(), DistinctIPs = dcount(IPAddress) by UserPrincipalName
| where array_length(Locations) > 3 or DistinctIPs > 5
| sort by DistinctIPs desc
Sentinel rule: Web application exploit patterns
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceVendor has_any ("PaloAlto", "Fortinet", "F5", "Citrix")
| where Activity has_any ("attack", "exploit", "injection", "traversal", "overflow")
    or RequestURL has_any ("../", "..\\", "<script", "UNION SELECT", "${jndi:")
| project TimeGenerated, DeviceVendor, SourceIP, DestinationIP, RequestURL, Activity, LogSeverity
| sort by TimeGenerated desc
No actionable IOCs for CrowdStrike import (benign/contextual indicators excluded).
No hard IOCs available for AWS detection queries (contextual/benign indicators excluded).
Compliance Framework Mappings
NIST SP 800-53: AC-2, AC-6, IA-2, IA-5, CA-8, RA-5 (+5 more, not listed)
CIS Controls v8: 6.3, 6.4, 6.5, 7.3, 7.4, 8.2 (+1 more, not listed)
MITRE ATT&CK Mapping
T1078 Valid Accounts (defense-evasion)
T1190 Exploit Public-Facing Application (initial-access)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence
item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53,
CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided
as supplemental intelligence guidance only and does not constitute professional incident response
services. Organizations should adapt all recommendations to their specific environment, risk
tolerance, and regulatory requirements. This material is not a substitute for your organization's
official incident response plan, legal counsel, or qualified security practitioners.