Critical Authentication Bypass Flaws Disclosed in Progress MOVEit Automation
Progress Software disclosed two critical vulnerabilities in MOVEit Automation, including CVE-2026-4670, an improper authentication flaw that can allow authentication bypass over the network without user interaction. The issue is rated critical with CVSS AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating potential for high-impact compromise of confidentiality, integrity, and availability. Progress linked the flaw to CWE-305 and included it in a security bulletin covering both CVE-2026-4670 and CVE-2026-5174.
The advisories affect multiple MOVEit Automation release branches, including versions prior to 2025.0.9, 2024.1.8, and releases before 2024.0.0, with broader vendor and government guidance also referencing affected builds such as 2025.1.4 and earlier, 2025.0.8 and earlier, 2024.1.7 and earlier, and 2024.0.0 and earlier. The Canadian Centre for Cyber Security urged organizations to review the Progress bulletin and apply the required updates to mitigate exposure in internet-reachable file transfer automation environments.
Timeline
Apr 30, 2026
Canadian Centre for Cyber Security urges users to apply Progress updates
The Canadian Centre for Cyber Security issued alert AV26-410 referencing Progress's advisories and urged users and administrators to review the vendor bulletin and apply the necessary updates for MOVEit Automation.
Apr 30, 2026
Progress publishes advisories and patches for MOVEit Automation flaws
Progress published security advisories for critical MOVEit Automation vulnerabilities including CVE-2026-4670 and CVE-2026-5174, identifying affected version branches and fixed releases. The advisories covered versions such as 2025.0.0 before 2025.0.9, 2024.0.0 before 2024.1.8, and prior branches, and directed customers to update.
Apr 30, 2026
Progress receives report of MOVEit Automation auth bypass flaw
Progress Software received a report at security@progress.com about CVE-2026-4670, an improper authentication vulnerability in MOVEit Automation described as an authentication bypass issue.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Organizations
Affected Products
Sources
Related Stories
Progress MOVEit Transfer AS2 Module Vulnerability (CVE-2025-10932) Disclosure and Patching
Progress Software has disclosed and patched a high-severity vulnerability, tracked as CVE-2025-10932, affecting the AS2 module of MOVEit Transfer. The flaw impacts multiple versions, including MOVEit Transfer 2025.0.2 (17.0.2) and prior, 2024.1.6 (16.1.6) and prior, 2023.1.15 (15.1.15) and prior, as well as 2023.0 and 2024.0 and earlier releases. Security advisories urge users and administrators to review the official updates and apply necessary patches to mitigate the risk associated with this vulnerability. The Canadian Centre for Cyber Security has also issued an alert referencing the same vulnerability, emphasizing the importance of prompt remediation. No evidence of exploitation in the wild has been reported at this time, but the critical nature of the flaw and the widespread use of MOVEit Transfer in enterprise environments make timely patching essential to prevent potential compromise.
1 months ago
Progress LoadMaster API Flaws Enable Authenticated OS Command Injection
Progress disclosed two high-severity OS command injection vulnerabilities in its ADC product line, including **LoadMaster**, **ECS Connection Manager**, **Object Scale Connection Manager**, and **MOVEit WAF**. The issues, tracked as `CVE-2026-3517` and `CVE-2026-3519`, affect the API and can lead to remote code execution when authenticated administrators submit unsanitized input to specific commands. Both flaws are classified as `CWE-77` and carry a `CVSS v3.1` vector of `AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H`, indicating high impact across confidentiality, integrity, and availability. `CVE-2026-3517` allows an attacker with **Geo Administration** permissions to exploit the `addcountry` command, while `CVE-2026-3519` requires **VS Administration** permissions to abuse the `aclcontrol` command. In both cases, Progress said arbitrary commands could be executed through the vulnerable API, and the vendor published an advisory covering these and related CVEs. Organizations using affected appliances should prioritize reviewing administrative access and applying vendor guidance to reduce exposure to authenticated abuse paths.
1 weeks ago
January 2026 Patch Cycle Highlights Multiple High-Severity Vulnerabilities Across OpenStack, Microsoft Windows, and Progress Appliances
Multiple vendors issued fixes for **high-impact vulnerabilities** that could enable privilege escalation, tenant-wide compromise, security feature bypass, or remote code execution. OpenStack patched **CVE-2026-22797** in *keystonemiddleware* affecting deployments using `external_oauth2_token`, where failure to sanitize incoming identity headers allows authenticated users to forge headers (e.g., `X-Is-Admin-Project`, `X-Roles`, `X-User-Id`) to **escalate privileges or impersonate other users**; fixes were released across supported branches and the issue was reported by a Red Hat researcher. Microsoft patched **CVE-2026-20965** in *Windows Admin Center*’s Azure SSO (fixed in Azure Extension **v0.70.00**), where improper token validation could let an attacker with local admin on a WAC-enabled Azure VM/Arc machine combine a stolen `WAC.CheckAccess` token with a forged PoP token to enable **lateral movement and tenant-wide access** under certain conditions. Separately, Microsoft addressed **CVE-2026-20824** in *Windows Remote Assistance*, an **Important** security feature bypass that can allow attackers to evade **Mark of the Web (MOTW)** protections via social engineering. Progress Software also released patches for **CVE-2025-13444** and **CVE-2025-13447** (CVSS 8.4) affecting *LoadMaster* and *MOVEit WAF*, where crafted UI/API requests can trigger **command injection leading to remote code execution**; the vendor stated it had no evidence of in-the-wild exploitation at the time of release.
1 months ago