Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Authentication bypass by primary weakness vulnerability in Progress Software MOVEit Automation allows Authentication Bypass.
This issue affects MOVEit Automation: from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, versions prior to 2024.0.0.
AnalysisAI
Authentication bypass in Progress MOVEit Automation allows remote unauthenticated attackers to completely circumvent authentication controls and gain unauthorized access with high impact to confidentiality, integrity, and availability. Affects all versions before 2025.0.9, all 2024.x versions before 2024.1.8, and all versions prior to 2024.0.0. Progress Software has released patches for all supported versions. CVSS 9.8 critical severity with network-accessible, low-complexity exploitation requiring no privileges or user interaction. No public exploit or active exploitation confirmed at time of analysis, though the authentication bypass nature and MOVEit's history as a high-value target make this a priority remediation candidate.
Technical ContextAI
This vulnerability stems from CWE-305 (Authentication Bypass by Primary Weakness), indicating a fundamental flaw in the authentication mechanism itself rather than a secondary bypass technique. MOVEit Automation is an enterprise managed file transfer (MFT) solution that handles sensitive data transfers and workflow automation across organizations. Authentication bypass vulnerabilities in MFT platforms are particularly severe because these systems typically store and process confidential business documents, personally identifiable information, and regulated data. The affected CPE (cpe:2.3:a:progress_software:moveit_automation) indicates this is a product-level vulnerability affecting the core MOVEit Automation application across multiple version branches. The CWE-305 classification suggests the authentication system's primary validation logic can be circumvented, potentially through credential handling flaws, session management issues, or logic errors in the authentication workflow that allow attackers to gain authenticated access without valid credentials.
RemediationAI
Immediately upgrade to patched versions: MOVEit Automation 2025.0.9 for the 2025.x branch, or MOVEit Automation 2024.1.8 for the 2024.x branch. Organizations running versions prior to 2024.0.0 should consult the Progress Software advisory at https://community.progress.com/s/article/MOVEit-Automation-Critical-Security-Alert-Bulletin-April-2026-CVE-2026-4670-CVE-2026-5174 for specific upgrade paths, as these legacy versions may require multi-step upgrades or extended support contracts. If immediate patching is not feasible, implement network-level compensating controls by restricting MOVEit Automation access to trusted IP ranges through firewall rules or VPN requirements, though this significantly reduces the platform's usability for external file transfer workflows and does not protect against internal threats. Disable any unused authentication methods or API endpoints if supported by the platform configuration. Monitor authentication logs for anomalous successful logins, failed authentication attempts followed by immediate success, or access from unexpected geographic locations or IP addresses, though sophisticated exploitation may not generate obvious log signatures. These compensating controls are temporary measures only-the authentication bypass nature means determined attackers can achieve full access, making patching the only reliable mitigation.
More in Moveit Automation
View allImproper input validation in Progress MOVEit Automation enables authenticated low-privilege attackers to escalate privil
The Progress MOVEit Automation configuration export function prior to 2024.0.0 uses a cryptographic method with insuffic
Incorrect default permissions in Progress Software MOVEit Automation expose embedded sensitive data to authenticated low
An issue was discovered in Progress MOVEit Automation Web Admin. Rated medium severity (CVSS 6.1), this vulnerability is
Uncontrolled memory allocation in Progress Software MOVEit Automation exposes the application to remote denial-of-servic
Unauthenticated remote flooding of Progress Software MOVEit Automation exploits a missing resource throttling control (C
Unauthenticated resource exhaustion in Progress Software MOVEit Automation enables a low-privileged remote attacker to d
Same weakness CWE-305 – Authentication Bypass by Primary Weakness
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26389