Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Lifecycle Timeline
6DescriptionCVE.org
Improper input validation vulnerability in Progress Software MOVEit Automation allows Privilege Escalation.
This issue affects MOVEit Automation: from 2025.1.0 before 2025.1.5, from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, versions prior to 2024.0.0.
AnalysisAI
Improper input validation in Progress MOVEit Automation enables authenticated low-privilege attackers to escalate privileges and cause high-impact denial of service across container boundaries. Affecting all versions prior to 2025.1.5, 2025.0.9, and 2024.1.8, this network-accessible vulnerability with low attack complexity allows attackers to disrupt availability system-wide. Progress issued a Critical Security Alert Bulletin addressing this issue alongside CVE-2026-4670 in their April 2026 advisory. No public exploit identified at time of analysis, but the straightforward attack path (AV:N/AC:L/PR:L) and Changed scope indicate significant real-world risk for organizations running unpatched instances.
Technical ContextAI
MOVEit Automation is Progress Software's managed file transfer (MFT) automation platform used for orchestrating secure file workflows across enterprise environments. This vulnerability stems from CWE-20 (Improper Input Validation), where the application fails to properly sanitize or validate user-supplied input data. The CVSS vector indicates scope change (S:C), meaning the vulnerable component affects resources beyond its security scope - suggesting the input validation flaw allows attackers to impact the underlying system or other tenants beyond their authorized access boundaries. The privilege escalation tag combined with the availability impact suggests attackers with low-level authenticated access can inject malicious input that triggers resource exhaustion, crashes, or service disruption affecting the broader MOVEit Automation environment. The affected CPE (cpe:2.3:a:progress_software:moveit_automation) covers all deployment architectures of the automation platform.
RemediationAI
Upgrade immediately to MOVEit Automation version 2025.1.5 (for 2025.1.x branch), version 2025.0.9 (for 2025.0.x branch), or version 2024.1.8 (for 2024.x branch) as specified in Progress's April 2026 Critical Security Alert Bulletin (https://community.progress.com/s/article/MOVEit-Automation-Critical-Security-Alert-Bulletin-April-2026-CVE-2026-4670-CVE-2026-5174). Organizations running versions prior to 2024.0.0 should prioritize upgrading to a supported patched release given the extended vulnerability exposure. If immediate patching is not feasible, implement compensating controls: restrict network access to MOVEit Automation interfaces using firewall rules or VPN requirements to limit exposure to trusted networks only (trade-off: may disrupt legitimate remote workflows), enforce strict user access reviews to minimize low-privilege account population (reduces potential attacker pool but requires administrative overhead), and enable comprehensive logging with monitoring for unusual authentication patterns or privilege escalation attempts (provides detection but not prevention). Review and reduce privileges for service accounts and user roles to minimum necessary permissions, as the vulnerability requires authenticated access (PR:L).
More in Moveit Automation
View allAuthentication bypass in Progress MOVEit Automation allows remote unauthenticated attackers to completely circumvent aut
The Progress MOVEit Automation configuration export function prior to 2024.0.0 uses a cryptographic method with insuffic
Incorrect default permissions in Progress Software MOVEit Automation expose embedded sensitive data to authenticated low
An issue was discovered in Progress MOVEit Automation Web Admin. Rated medium severity (CVSS 6.1), this vulnerability is
Uncontrolled memory allocation in Progress Software MOVEit Automation exposes the application to remote denial-of-servic
Unauthenticated remote flooding of Progress Software MOVEit Automation exploits a missing resource throttling control (C
Unauthenticated resource exhaustion in Progress Software MOVEit Automation enables a low-privileged remote attacker to d
Same weakness CWE-20 – Improper Input Validation
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26390