Skip to main content

MOVEit Automation CVE-2026-5174

| EUVDEUVD-2026-26390 HIGH
Improper Input Validation (CWE-20)
2026-04-30 ProgressSoftware
7.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
ENISA EUVD
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Patch released
May 04, 2026 - 16:47 nvd
Patch available
Patch available
Apr 30, 2026 - 17:02 EUVD
Analysis Generated
Apr 30, 2026 - 16:15 vuln.today
EUVD ID Assigned
Apr 30, 2026 - 15:45 euvd
EUVD-2026-26390
Analysis Generated
Apr 30, 2026 - 15:45 vuln.today
CVE Published
Apr 30, 2026 - 15:07 nvd
HIGH 7.7

DescriptionCVE.org

Improper input validation vulnerability in Progress Software MOVEit Automation allows Privilege Escalation.

This issue affects MOVEit Automation: from 2025.1.0 before 2025.1.5, from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, versions prior to 2024.0.0.

AnalysisAI

Improper input validation in Progress MOVEit Automation enables authenticated low-privilege attackers to escalate privileges and cause high-impact denial of service across container boundaries. Affecting all versions prior to 2025.1.5, 2025.0.9, and 2024.1.8, this network-accessible vulnerability with low attack complexity allows attackers to disrupt availability system-wide. Progress issued a Critical Security Alert Bulletin addressing this issue alongside CVE-2026-4670 in their April 2026 advisory. No public exploit identified at time of analysis, but the straightforward attack path (AV:N/AC:L/PR:L) and Changed scope indicate significant real-world risk for organizations running unpatched instances.

Technical ContextAI

MOVEit Automation is Progress Software's managed file transfer (MFT) automation platform used for orchestrating secure file workflows across enterprise environments. This vulnerability stems from CWE-20 (Improper Input Validation), where the application fails to properly sanitize or validate user-supplied input data. The CVSS vector indicates scope change (S:C), meaning the vulnerable component affects resources beyond its security scope - suggesting the input validation flaw allows attackers to impact the underlying system or other tenants beyond their authorized access boundaries. The privilege escalation tag combined with the availability impact suggests attackers with low-level authenticated access can inject malicious input that triggers resource exhaustion, crashes, or service disruption affecting the broader MOVEit Automation environment. The affected CPE (cpe:2.3:a:progress_software:moveit_automation) covers all deployment architectures of the automation platform.

RemediationAI

Upgrade immediately to MOVEit Automation version 2025.1.5 (for 2025.1.x branch), version 2025.0.9 (for 2025.0.x branch), or version 2024.1.8 (for 2024.x branch) as specified in Progress's April 2026 Critical Security Alert Bulletin (https://community.progress.com/s/article/MOVEit-Automation-Critical-Security-Alert-Bulletin-April-2026-CVE-2026-4670-CVE-2026-5174). Organizations running versions prior to 2024.0.0 should prioritize upgrading to a supported patched release given the extended vulnerability exposure. If immediate patching is not feasible, implement compensating controls: restrict network access to MOVEit Automation interfaces using firewall rules or VPN requirements to limit exposure to trusted networks only (trade-off: may disrupt legitimate remote workflows), enforce strict user access reviews to minimize low-privilege account population (reduces potential attacker pool but requires administrative overhead), and enable comprehensive logging with monitoring for unusual authentication patterns or privilege escalation attempts (provides detection but not prevention). Review and reduce privileges for service accounts and user roles to minimum necessary permissions, as the vulnerability requires authenticated access (PR:L).

Share

CVE-2026-5174 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy