CVE-2026-5174 · Improper input validation vulnerability in Progress Software MOVEit Automation

01 · The Real Story

This is a master-key flaw that still requires you to already be inside the utility closet

CVE-2026-5174 is an improper input validation flaw in Progress MOVEit Automation that lets a remote attacker with low privileges elevate privileges through the product's service backend command port interfaces. Affected ranges are 2025.1.0 to before 2025.1.5, 2025.0.0 to before 2025.0.9, 2024.0.0 to before 2024.1.8, and all versions prior to 2024.0.0. In plain English: if someone can already authenticate to MOVEit Automation at a low level and talk to the vulnerable interface, they may be able to jump to much stronger control over the automation server and the credentials it brokers.

The vendor's HIGH 7.7 rating is technically defensible, but it overstates enterprise urgency when taken alone. The decisive friction is the same one the CVSS vector admits: PR:L. This is not a clean unauthenticated internet-to-admin break; it is a post-auth privilege escalation in a product with a relatively small exposed population, no known exploitation, no KEV listing, and no public exploit chain proving reliable weaponization with the companion auth bypass.

"Serious on a compromised MOVEit Automation box, but not a top-of-queue enterprise patch by itself."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Get a foothold in MOVEit Automation

The attacker first needs a valid low-privilege position in MOVEit Automation or a way to impersonate one. In practice that means stolen operator credentials, an insider account, or a separate bug such as the companion auth bypass CVE-2026-4670 used as the front door. Typical tooling would be a browser session, curl, or a custom HTTPS client against the admin/service interfaces.

Conditions required:

Attacker can reach the MOVEit Automation web or backend service interfaces over the network
Attacker has valid low-privilege credentials or a separate path to bypass authentication
Target is running a vulnerable MOVEit Automation build

Where this breaks in practice:

This step already assumes either credential theft or another vulnerability
MOVEit Automation is not deployed nearly as broadly as mainstream edge software
Many enterprises keep these systems internal or tightly allowlisted

Detection/coverage: Version-based asset inventory is more reliable than exploit-signature detection here. runZero published identification guidance; Tenable had a generic MOVEit issue entry rather than a mature exploit-specific plugin at disclosure.

STEP 02

Send crafted input to the backend command port interface

Once authenticated, the attacker targets the vulnerable backend command port path with malformed or unexpected input intended to bypass intended privilege boundaries. The public record does not expose exploit details, so weaponization likely requires reverse engineering the patched binaries or protocol behavior. Expected tooling is a custom script or protocol-aware client, not an off-the-shelf public exploit.

Conditions required:

Authenticated access reaches the affected backend command port interface
Interface is not blocked by host firewall or segmentation
Attacker understands enough of the protocol or request format to trigger the bug

Where this breaks in practice:

No public PoC was available at disclosure
Backend command interfaces are often less exposed than the main UI
Reverse engineering effort is non-trivial without vendor details

Detection/coverage: Network IDS coverage is likely weak unless a vendor or community signature emerges. Host logs around unexpected admin actions or service errors are the better hunting source.

STEP 03

Escalate to stronger privileges on the automation server

Successful exploitation appears to let the attacker break out of their low-privilege role and gain elevated control within MOVEit Automation. That can expose higher-value workflow configuration, connector secrets, and the ability to change or stop scheduled jobs. The likely effect in real environments is administrative control of the MFT automation plane rather than instant domain-wide compromise.

Conditions required:

The malformed input reaches vulnerable code paths
Target version is unpatched
The attack reliably maps to an authorization boundary the product enforces

Where this breaks in practice:

Impact is concentrated on the MOVEit Automation application tier
Administrative control over one MFT server is bad, but not automatically enterprise-wide
Some environments segregate service accounts and downstream connectors

Detection/coverage: Look for anomalous privilege changes, creation of new automation admins, modified tasks, changed connectors, and service restarts. EDR can catch follow-on abuse better than the exploit itself.

STEP 04

Abuse admin control for disruption or data access

With elevated control, the attacker can tamper with workflows, stop transfers, harvest stored credentials, or redirect file movement for data theft. The blast radius depends on what MOVEit Automation is connected to: SMB shares, SFTP endpoints, cloud storage, and line-of-business systems. This is where a seemingly local app flaw becomes a business-process incident.

Conditions required:

Elevated control within MOVEit Automation is achieved
High-value connectors, schedules, or secrets are present
Monitoring does not rapidly flag suspicious workflow changes

Where this breaks in practice:

Credential scope may be limited to specific transfer jobs rather than broad enterprise admin
Downstream systems may still require separate MFA, IP controls, or key material
Operational changes to automation jobs can be noisy and noticed quickly

Detection/coverage: Best detection is change monitoring on tasks/connectors plus secret-use anomalies on downstream systems. Existing file-transfer auditing often shows the follow-on misuse even if it misses the initial exploit.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No public exploitation reported at disclosure; CISA ADP/Vulnrichment reflects `Exploitation: none`.
KEV status	Not in CISA KEV as of this assessment; there is no KEV due date attached.
PoC availability	No public PoC located. Censys explicitly said it had not seen a public proof of concept demonstrating chaining with the companion auth-bypass flaw.
EPSS	0.00117 from your intel, which is extremely low in practical prioritization terms; third-party mirrors also place it in a low percentile band.
CVSS vector	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H` — the key real-world word here is `PR:L`. This is a network-reachable bug, but not an unauthenticated edge smash.
Affected versions	2025.1.0 < 2025.1.5, 2025.0.0 < 2025.0.9, 2024.0.0 < 2024.1.8, and all versions before 2024.0.0.
Fixed versions	Upgrade to 2025.1.5, 2025.0.9, or 2024.1.8. Older unsupported branches need a supported-branch upgrade rather than a micro-fix.
Exposure data	External exposure looks limited but disputed: Censys observed fewer than 100 exposed MOVEit Automation web admin interfaces globally and argued some larger counts were inflated by non-unique fingerprints, while BleepingComputer cited a Shodan search claiming ~1,400 internet-exposed instances.
Disclosure date	2026-04-30.
Reporting researchers	The CNA record credits Airbus SecLab, Anaïs Gantet, Delphine Gourdou, Quentin Liddell, and Matteo Ricordeau.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (5.9/10)

The biggest downward pressure is simple: this requires authenticated low-privilege access or a separate front-door bug first. That makes CVE-2026-5174 a meaningful post-auth amplifier inside MOVEit Automation, not a standalone internet-scale emergency.

HIGH Affected version ranges and fixed versions

MEDIUM Exploitability assumptions without public technical write-up

MEDIUM External exposure sizing because Censys and Shodan-derived estimates diverge

Why this verdict

Start at vendor 7.7 HIGH because successful exploitation can hand over the MFT automation control plane and disrupt or expose sensitive file workflows
First downgrade: PR:L means post-auth. The attacker must already have a low-privileged MOVEit Automation foothold or chain another bug such as CVE-2026-4670, which narrows the reachable population sharply
Second downgrade: exposure is limited. Censys saw fewer than 100 exposed admin interfaces and explicitly warned that larger favicon-based counts overstate real internet reach
Third downgrade: no exploitation evidence. No KEV entry, no public PoC, and no reliable public exploit chain mean this is not behaving like an internet fire right now
Floor stays at MEDIUM because blast radius is still real. On a box that automates sensitive transfers, admin-level control can expose connector secrets, alter jobs, and interrupt business-critical data movement

Why not higher?

If this were unauthenticated remote, or if there were confirmed chaining with CVE-2026-4670 and active exploitation, this would jump fast. But today the attack path still depends on prior access and a product with a comparatively small exposed footprint.

Why not lower?

This is still a privilege-escalation flaw in a high-trust MFT orchestration product, not a cosmetic bug. A compromised MOVEit Automation server can become a springboard into file-transfer credentials, partner connections, and operational disruption, so dismissing it as LOW would understate the business impact.

05 · Compensating Control

What to do — in priority order.

Restrict interface reachability — Limit MOVEit Automation web and backend service access to admin jump hosts and approved management networks only. For a MEDIUM verdict there is no mitigation SLA; do this as normal hardening, then use the patch as the primary fix inside the 365-day remediation window.
Tighten low-privileged accounts — Audit all non-admin MOVEit Automation users, service operators, and stale access paths; remove unused accounts and force strong auth for the rest. This matters because the main exploit prerequisite is already having low privileges; with no mitigation SLA for MEDIUM, fold this into your next identity hygiene cycle while planning remediation.
Monitor workflow and connector changes — Alert on new admins, modified tasks, changed connectors, credential-store access, and unexpected job failures or pauses. That will not stop exploitation, but it shrinks dwell time if someone uses the bug after gaining access; again, no mitigation SLA for MEDIUM, so deploy as practical risk reduction.
Segment downstream transfer targets — Ensure the accounts and keys used by MOVEit Automation have only the minimum rights needed on SMB shares, SFTP destinations, cloud buckets, and partner endpoints. This limits follow-on blast radius if the product is taken over, and it can be implemented on normal change cadence because MEDIUM has no mitigation SLA.

What doesn't work

A WAF alone is not a dependable answer, because the flaw is described in backend command port interfaces, not just a simple web parameter you can reliably filter.
Perimeter scanning alone misses the core risk if the product is only reachable internally; this bug often matters after an attacker already has internal or authenticated access.
Generic CVSS prioritization overcalls urgency here; the decisive risk question is whether an attacker can realistically satisfy the PR:L prerequisite in your environment.

06 · Verification

Crowdsourced verification payload.

Run this on the target Windows host that has MOVEit Automation installed, from an elevated PowerShell prompt if possible so registry and program paths are fully readable. Example: powershell -ExecutionPolicy Bypass -File .\check-moveit-automation-cve-2026-5174.ps1; it needs local read access only and prints VULNERABLE, PATCHED, or UNKNOWN.

noisgate-verify.ps1

POWERSHELLREAD-ONLYSAFE

# check-moveit-automation-cve-2026-5174.ps1

# Detect likely vulnerability status for Progress MOVEit Automation on Windows.

# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN


$ErrorActionPreference = 'SilentlyContinue'

function Get-UninstallEntries {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    foreach ($p in $paths) {
        Get-ItemProperty $p | Where-Object { $_.DisplayName -match 'MOVEit Automation' }
    }
}

function To-Version($s) {
    if ([string]::IsNullOrWhiteSpace($s)) { return $null }
    $clean = ($s -replace '[^0-9\.]','').Trim('.')
    try { return [version]$clean } catch { return $null }
}

function Test-VulnerableVersion($v) {
    if ($null -eq $v) { return $null }

    $v2024_0_0 = [version]'2024.0.0'
    $v2024_1_8 = [version]'2024.1.8'
    $v2025_0_0 = [version]'2025.0.0'
    $v2025_0_9 = [version]'2025.0.9'
    $v2025_1_0 = [version]'2025.1.0'
    $v2025_1_5 = [version]'2025.1.5'

    if ($v -lt $v2024_0_0) { return $true }
    if ($v -ge $v2024_0_0 -and $v -lt $v2024_1_8) { return $true }
    if ($v -ge $v2025_0_0 -and $v -lt $v2025_0_9) { return $true }
    if ($v -ge $v2025_1_0 -and $v -lt $v2025_1_5) { return $true }

    return $false
}

$entries = @(Get-UninstallEntries)
if (-not $entries -or $entries.Count -eq 0) {
    Write-Output 'UNKNOWN - MOVEit Automation uninstall entry not found'
    exit 2
}

$found = $false
foreach ($entry in $entries) {
    $displayName = $entry.DisplayName
    $displayVersion = $entry.DisplayVersion
    $version = To-Version $displayVersion

    if ($null -eq $version) {
        Write-Output ("UNKNOWN - Found '{0}' but could not parse version '{1}'" -f $displayName, $displayVersion)
        continue
    }

    $found = $true
    $isVuln = Test-VulnerableVersion $version

    if ($isVuln -eq $true) {
        Write-Output ("VULNERABLE - {0} version {1} matches CVE-2026-5174 affected ranges" -f $displayName, $version)
        exit 1
    }
    elseif ($isVuln -eq $false) {
        Write-Output ("PATCHED - {0} version {1} is outside known CVE-2026-5174 affected ranges" -f $displayName, $version)
        exit 0
    }
}

if (-not $found) {
    Write-Output 'UNKNOWN - MOVEit Automation found, but no parseable version detected'
    exit 2
}

Write-Output 'UNKNOWN - Detection completed without a definitive result'
exit 2

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: treat CVE-2026-5174 as a post-auth MOVEit Automation hardening-and-patching item, not a full fleet fire drill unless you also expose the product broadly or believe low-priv credentials are already at risk. Because this verdict is MEDIUM, there is no noisgate mitigation SLA — go straight to the 365-day remediation window; use normal change control to reduce exposure and account sprawl, and complete the actual vendor upgrade within the noisgate remediation SLA of 365 days. If a given instance is internet-facing, houses high-value transfer credentials, or sits near third-party partner data flows, move that one forward in your queue even though the global enterprise verdict stays MEDIUM.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.