CVE-2026-4670 · CWE-305 · Disclosed 2026-04-30

Authentication bypass by primary weakness vulnerability in Progress Software MOVEit Automation

ASSESSED — NOISGATE V0.5
01 · The Real Story

This is a master key left near the loading dock, not a skeleton key to every building

CVE-2026-4670 is an unauthenticated authentication bypass in Progress MOVEit Automation, specifically tied to the product's *service backend command port interfaces*. Per the CNA/NVD record, it affects 2025.0.0 through 2025.0.8, 2024.0.0 through 2024.1.7, and versions prior to 2024.0.0; fixed builds are 2025.0.9 and 2024.1.8, while older unsupported branches must be upgraded onto a supported line.

The vendor's 9.8/CRITICAL score is technically fair for a reachable target: no auth, no user interaction, full impact. But for enterprise patch triage, reality bites harder than CVSS: MOVEit Automation is a niche MFT orchestrator, commonly placed on restricted admin networks, and Censys observed fewer than 100 exposed web admin interfaces globally as of May 5, 2026. That exposure friction, plus no KEV listing, no confirmed in-the-wild exploitation, and no public PoC at disclosure, pushes this down one bucket to HIGH for most fleets.

"Technically a 9.8, operationally a high-priority edge case unless your MOVEit Automation is internet-reachable."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a reachable MOVEit Automation instance

An attacker starts with exposure discovery using internet telemetry or internal recon. Practical tooling here is Censys, Shodan, nmap, or masscan to locate the admin surface or backend-reachable service and identify MOVEit Automation fingerprints. This is the biggest real-world gate: the bug is nasty only if the attacker can talk to the vulnerable interface.
Conditions required:
  • The target runs vulnerable MOVEit Automation
  • The relevant admin/backend interface is reachable from the attacker's network position
  • Fingerprinting is possible via web/admin responses or internal service discovery
Where this breaks in practice:
  • MOVEit Automation is not deployed nearly as broadly as general web middleware
  • Many enterprises keep it on internal server segments or behind VPN/jump-host access
  • Censys reported fewer than 100 exposed admin interfaces globally, suggesting reachable population is limited
Detection/coverage: External ASM and exposure-management tools can usually find the web admin surface. runZero published a service-inventory query for locating MOVEit Automation by HTML title, but version-level certainty still needs host-side validation.
STEP 02

Bypass authentication over the network

With reachability established, the attacker uses a custom HTTP client or bespoke exploit traffic against the vulnerable backend command port interface. The flaw is classified as CWE-305 and requires no credentials or user interaction, so exploitation should be scriptable once protocol details are understood. CISA Vulnrichment-style triage cited by downstream advisories marks it as *automatable*, which matters because MFT products attract rapid offensive tooling once details leak.
Conditions required:
  • Unauthenticated network access to the vulnerable interface
  • A request path or protocol flow that reaches the vulnerable auth logic
  • Sufficient product fingerprinting to tailor exploit traffic
Where this breaks in practice:
  • No public PoC was known as of May 5, 2026
  • The vulnerable surface is described as backend command-port related, not a mass-market commodity endpoint
  • WAFs or reverse proxies may not sit in front of the exact interface attackers need
Detection/coverage: Signature coverage is immature early in the disclosure cycle. Expect best-effort detection from HTTP telemetry, anomalous admin-session creation, and auth-path requests that do not map to normal operator behavior.
STEP 03

Take over automation workflows and secrets

Successful bypass yields unauthorized access to the orchestration plane that manages file-transfer jobs, schedules, partner endpoints, and embedded credentials. On a product like MOVEit Automation, the operational blast radius is often larger than the host itself because the server commonly stores SFTP, FTPS, cloud, SMB, and partner-integration secrets. Even without OS-level code execution, control of workflows can expose sensitive files and downstream trust paths.
Conditions required:
  • The compromised account context can administer or inspect workflows
  • The instance stores reusable credentials, keys, or partner connection details
  • Business data or integration endpoints are attached to the platform
Where this breaks in practice:
  • Impact is concentrated around the MOVEit Automation trust zone, not every host in the enterprise
  • Some shops separate secrets, limit task permissions, or segment partner endpoints
  • If the node is purely internal and tightly monitored, follow-on action may be noisy
Detection/coverage: Look for unexpected task edits, new schedules, changed destinations, credential exports, or unusual use of service accounts managed by MOVEit Automation. EDR helps more on follow-on abuse than on the bypass itself.
STEP 04

Pivot through trusted integrations

The final step is operational abuse: exfiltrate scheduled data, harvest partner credentials, or use trusted file-transfer channels to move laterally into connected environments. Attackers may also chain the companion CVE-2026-5174 if they start with limited in-product access and want stronger control. This is why the product class matters: MFT tooling often sits in the middle of sensitive business flows.
Conditions required:
  • The instance has access to partner systems, shares, cloud storage, or internal data repositories
  • Stored secrets are reusable beyond the local application
  • Outbound connectivity from the server is allowed
Where this breaks in practice:
  • Lateral movement still depends on what that specific automation node is trusted to reach
  • Well-scoped service accounts and segmented egress materially limit blast radius
  • This is not automatic domain compromise; the attacker must work with whatever the appliance actually touches
Detection/coverage: Monitor for abnormal outbound transfers, first-time destinations, anomalous use of MOVEit-managed credentials, and changes in scheduled-job behavior. Network egress controls and service-account analytics are the best choke points here.
03 · Intelligence Metadata

The supporting signals.

In-the-wild status: No confirmed exploitation was reported by Progress-adjacent reporting as of May 4-5, 2026; Censys explicitly said it had not seen active exploitation at disclosure.
KEV status: Not KEV-listed in disclosure-week reporting. This matches the absence of any public CISA exploitation callout in the sources reviewed.
PoC availability: No public PoC known as of May 5, 2026, per Censys. That lowers immediate mass-exploitation pressure, though auth bypasses in MFT products tend to attract fast reverse engineering.
EPSS: 0.00209 probability (0.209%, about 40.3rd percentile in Feedly/FIRST-linked reporting). Translation: lower short-term exploit-likelihood than the CVSS headline suggests.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — worst-case pre-auth network shape, but CVSS assumes reachability and says nothing about how many enterprises actually expose the product.
Affected versions: CNA/NVD says 2025.0.0-2025.0.8, 2024.0.0-2024.1.7, and all versions prior to 2024.0.0 are affected by CVE-2026-4670.
Fixed versions: Move to 2025.0.9 or 2024.1.8 for this CVE; older unsupported releases must upgrade to a supported branch. 2025.1.5 appears in the same bulletin because it fixes the companion CVE-2026-5174.
Exposure data: There is a major sizing dispute: Censys observed <100 exposed web admin interfaces globally, while BleepingComputer cited a Shodan search claiming >1,400 exposed instances based on shared-favicon hunting. I trust the lower figure more because Censys explains the favicon collision problem.
Disclosure timeline: Publicly disclosed 2026-04-30 by Progress; secondary reporting and government notices followed on 2026-05-04 and 2026-05-05.
Reporter / discoverer: Secondary reporting credits Airbus SecLab researchers for the disclosure. Treat that as well-sourced but indirect until the vendor advisory itself exposes formal credits.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to HIGH (8.2/10)

The decisive factor is reachable population: this is a brutal bug on a reachable MOVEit Automation node, but most enterprises do not expose that product the way CVSS assumes. Pre-auth network exploitation keeps it urgent, yet the combination of niche deployment, likely restricted placement, and no active-exploitation signal makes HIGH the right fleet-scale bucket rather than CRITICAL.

  • HIGH: Version ranges and vendor/CNA severity metadata
  • MEDIUM: Exposure sizing and internet-reachability assumptions across enterprise deployments
  • MEDIUM: Absence of public PoC or active exploitation as of disclosure-week reporting

Why this verdict

  • Pre-auth remote is real: vendor CVSS 9.8 is not inflated from a pure exploitability standpoint; no auth and no user interaction always deserve attention.
  • Attacker position usually collapses from internet to internal/VPN: the flaw needs network access to a MOVEit Automation interface, and many real deployments keep that surface off the public internet. That is a concrete downward adjustment from the baseline.
  • Exposure population looks narrow: Censys saw <100 exposed admin interfaces globally on May 5, 2026 and specifically warned that higher counts from favicon-only searches were inflated. Narrow population means narrower operational risk than a commodity edge service.
  • No field exploitation signal yet: not KEV-listed, no confirmed active exploitation in the reviewed sources, and no public PoC at disclosure. That removes the biggest amplifier that would otherwise keep this in CRITICAL.
  • Blast radius is integration-heavy, not universal: compromise can be serious because MFT orchestration stores secrets and partner trust, but the damage is bounded by what that specific MOVEit Automation node can reach.

Why not higher?

I am not keeping this at CRITICAL because the attack chain has one giant real-world choke point: reachability. A pre-auth auth bypass on a product that is commonly internal, operationally niche, and observed with a relatively small exposed population is not the same enterprise-wide emergency as a mass-exposed VPN, firewall, or email gateway zero-day. The lack of KEV status, public exploit code, or confirmed campaigns further argues against the top bucket.

Why not lower?

I am not pushing this to MEDIUM because once the interface is reachable, the bug is ugly: unauthenticated, low-complexity, high-impact compromise of a system that often holds sensitive automation credentials. Even a limited exposed population is enough to make this a serious priority for any organization running the product, especially if partner-facing or externally reachable.

05 · Compensating Control

What to do — in priority order.

  1. Restrict exposure now — Put the MOVEit Automation admin/backend interfaces behind VPN, jump-host, or source-IP allowlisting and remove direct internet reachability. For a HIGH verdict, deploy this within 30 days; if the instance is already internet-facing, do it on an emergency basis because this is the main friction point holding the score down.
  2. Tighten east-west access — Limit which internal subnets can reach the server and especially any backend command or admin ports. This cuts off post-initial-access abuse from a compromised workstation or VPN account; deploy within 30 days.
  3. Hunt for workflow abuse — Review recent task edits, new schedules, changed destinations, and unusual use of service accounts or stored transfer credentials. This does not prevent exploitation, but it is your fastest way to catch abuse of the orchestration plane; stand this up within 30 days.
  4. Constrain service account blast radius — Reduce permissions on accounts and secrets used by MOVEit Automation jobs, and validate outbound destinations. If the product is compromised, least privilege is what stops the incident from becoming partner-wide data loss; complete within 30 days.
  5. Inventory every instance — Use CMDB, software inventory, and network discovery to identify all MOVEit Automation nodes and whether they are on vulnerable branches. You cannot prioritize exposure reduction if you still do not know where the schedulers live; finish the inventory within 30 days.
What doesn't work
  • MFA on the web admin alone does not fix a pre-authentication bypass in the backend auth path; the flaw is about getting around the front door.
  • EDR by itself is not a compensating control for the initial exploit. It may catch follow-on tooling, but it does not remove the vulnerable network surface.
  • Favicon-only internet searches are not reliable exposure measurement here; Censys notes the shared favicon inflates counts by more than an order of magnitude.
06 · Verification

Crowdsourced verification payload.

Run this on the target Windows host that has MOVEit Automation installed, from an elevated PowerShell session. Example: powershell -ExecutionPolicy Bypass -File .\check-moveit-automation-cve-2026-4670.ps1; it needs local admin only to ensure registry access across standard uninstall paths.

# check-moveit-automation-cve-2026-4670.ps1
# Purpose: Determine whether a Windows host appears vulnerable to CVE-2026-4670 in Progress MOVEit Automation.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

[CmdletBinding()]
param()

$ErrorActionPreference = 'Stop'

function Get-MoveItAutomationInstall {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    $hits = foreach ($p in $paths) {
        Get-ItemProperty -Path $p -ErrorAction SilentlyContinue | Where-Object {
            $_.DisplayName -match 'MOVEit Automation'
        } | Select-Object DisplayName, DisplayVersion, InstallLocation, Publisher
    }

    return $hits | Select-Object -First 1
}

function Parse-Version {
    param([string]$VersionString)

    if ([string]::IsNullOrWhiteSpace($VersionString)) {
        return $null
    }

    # Keep only numeric dot-separated prefix, e.g. 17.0.8 from "17.0.8" or "17.0.8 build xyz"

    if ($VersionString -match '([0-9]+(?:\.[0-9]+){1,3})') {
        try {
            return [version]$matches[1]
        } catch {
            return $null
        }
    }

    return $null
}

function Test-CVE20264670 {
    param([version]$v)

    if (-not $v) {
        return @{ State = 'UNKNOWN'; Reason = 'Unable to parse installed version.' }
    }

    # Version mapping from vendor/CNA and runZero reporting:
    #   2024.1.7 == 16.1.7 (fixed in 16.1.8 / 2024.1.8)
    #   2025.0.8 == 17.0.8 (fixed in 17.0.9 / 2025.0.9)
    #   2025.1.x corresponds to 17.1.x and is not listed as affected for CVE-2026-4670 by the CNA record.
    #
    # If the registry reports the year-style (marketing) version rather than the internal one,
    # a string such as "2025.0.8" would compare above 17.1.0 and be misreported as PATCHED.
    # Normalize it first. Assumption: the year-style scheme maps major = year - 2008
    # (2024 -> 16, 2025 -> 17), which agrees with every data point listed above.
    if ($v.Major -ge 2024) {
        $build = if ($v.Build -ge 0) { $v.Build } else { 0 }
        $v = [version]('{0}.{1}.{2}' -f ($v.Major - 2008), $v.Minor, $build)
    }

    $fixed2024 = [version]'16.1.8'
    $fixed2025 = [version]'17.0.9'
    $branch171 = [version]'17.1.0'

    if ($v -lt [version]'16.0.0') {
        return @{ State = 'VULNERABLE'; Reason = 'Unsupported pre-2024 branch is considered affected; upgrade to a supported fixed branch.' }
    }

    if ($v -ge [version]'16.0.0' -and $v -lt $fixed2024) {
        return @{ State = 'VULNERABLE'; Reason = '2024.x branch before 2024.1.8 / 16.1.8.' }
    }

    if ($v -ge [version]'17.0.0' -and $v -lt $fixed2025) {
        return @{ State = 'VULNERABLE'; Reason = '2025.0.x branch before 2025.0.9 / 17.0.9.' }
    }

    if ($v -ge $branch171) {
        return @{ State = 'PATCHED'; Reason = '17.1.x is not listed as affected for CVE-2026-4670 in the CNA/NVD record.' }
    }

    if ($v -ge $fixed2024 -and $v -lt [version]'17.0.0') {
        return @{ State = 'PATCHED'; Reason = '2024.x branch at or above 2024.1.8 / 16.1.8.' }
    }

    if ($v -ge $fixed2025 -and $v -lt $branch171) {
        return @{ State = 'PATCHED'; Reason = '2025.0.x branch at or above 2025.0.9 / 17.0.9.' }
    }

    return @{ State = 'UNKNOWN'; Reason = 'Version fell outside expected mapping; verify against vendor release notes.' }
}

try {
    $app = Get-MoveItAutomationInstall

    if (-not $app) {
        Write-Output 'UNKNOWN - MOVEit Automation not found in standard uninstall registry locations.'
        exit 2
    }

    $parsed = Parse-Version -VersionString $app.DisplayVersion
    $result = Test-CVE20264670 -v $parsed

    $msg = '{0} - {1}; Product="{2}" Version="{3}" InstallLocation="{4}"' -f $result.State, $result.Reason, $app.DisplayName, $app.DisplayVersion, $app.InstallLocation
    Write-Output $msg

    switch ($result.State) {
        'PATCHED'    { exit 0 }
        'VULNERABLE' { exit 1 }
        default      { exit 2 }
    }
}
catch {
    Write-Output ('UNKNOWN - Error during verification: ' + $_.Exception.Message)
    exit 2
}
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: first, identify every MOVEit Automation node and separate internet-reachable / partner-reachable instances from internal-only ones. For this HIGH verdict, the noisgate mitigation SLA is within 30 days: remove direct exposure, restrict source networks, and tighten service-account blast radius; there is no evidence-based reason to leave reachable instances hanging out on the edge. The noisgate remediation SLA is within 180 days for the actual upgrade to 2025.0.9 or 2024.1.8 (or a supported newer branch), but any internet-facing instance should be treated as an exception and patched on the front half of that window, not the back.

Sources

  1. NVD CVE-2026-4670
  2. Progress MOVEit Automation Critical Security Alert Bulletin – April 2026
  3. Censys advisory on CVE-2026-4670
  4. runZero: Find impacted MOVEit Automation assets
  5. BleepingComputer coverage of Progress warning
  6. Canadian Centre for Cyber Security AV26-410
  7. CCB Belgium advisory on CVE-2026-4670
  8. PwnDefend note on exposure and exploitability