**Progress Software** has addressed two security flaws in **MOVEit Automation**, a managed file transfer (MFT) solution commonly used in enterprise environments. ### Vulnerability Details The vulnerabilities are: * **CVE-2026-4670** (CVSS score: 9.8): An authentication bypass vulnerability. * **CVE-2026-5174** (CVSS score: 7.7): An improper input validation vulnerability that could allow privilege escalation. According to **Progress Software**'s advisory, these flaws "may allow authentication bypass and privilege escalation through the service backend command port interfaces," potentially leading to "unauthorized access, administrative control, and data exposure." ### Affected Versions The following versions are affected and should be upgraded: * MOVEit Automation <= 2025.1.4 (Fixed in MOVEit Automation 2025.1.5) * MOVEit Automation <= 2025.0.8 (Fixed in MOVEit Automation 2025.0.9) * MOVEit Automation <= 2024.1.7 (Fixed in MOVEit Automation 2024.1.8) ### Discovery and Mitigation Researchers Anaïs Gantet, Delphine Gourdou, Quentin Liddell, and Matteo Ricordeau from **Airbus SecLab** are credited with discovering and reporting the vulnerabilities. There are no known workarounds besides applying the provided patches. Given the history of **MOVEit Transfer** vulnerabilities being exploited by ransomware groups like Cl0p, immediate patching is strongly recommended.