Canadian Cyber Security Journal

MOVEit Automation CVE-2026-4670: Critical CVSS 9.8 Authentication Bypass — What Canadian Organizations Must Do Now

What Happened

Progress Software disclosed two vulnerabilities in MOVEit Automation on May 4, 2026. The first, CVE-2026-4670, is a CVSS 9.8 authentication bypass in the product’s service backend command port interface. The second, CVE-2026-5174, is a privilege escalation flaw with a CVSS score of 7.7. Used together, the two bugs allow an unauthenticated remote attacker to gain full administrative control of a MOVEit Automation instance.

Affected versions span three release branches: 2025.1.4 and earlier, 2025.0.8 and earlier, and 2024.1.7 and earlier. Fixes are available in versions 2025.1.5, 2025.0.9, and 2024.1.8. The vulnerabilities were reported privately by researchers at Airbus, and Progress has stated no active exploitation has been detected. However, MOVEit Automation’s role in enterprise file transfer workflows makes it a high-priority patching target regardless.

The backend command port interface affected by CVE-2026-4670 is not designed to be exposed to the internet, but network misconfigurations frequently leave it accessible. Attackers with network access to the port can bypass authentication entirely and gain administrative privileges.

Why This Matters for Canadian Organizations

MOVEit has a specific and well-documented history in Canada. In 2023, the Clop ransomware group’s mass exploitation of MOVEit Transfer CVE-2023-34362 hit the Government of Nova Scotia directly, exposing data on approximately 100,000 current and former provincial employees. The same campaign struck the University of Calgary, Toronto Metropolitan University, and multiple Canadian financial institutions. MOVEit Transfer and MOVEit Automation are widely deployed in Canadian healthcare, government, finance, and managed services environments precisely because they are designed to meet regulated data transfer requirements under PIPEDA and provincial privacy legislation.

An unauthenticated attacker with administrative control of MOVEit Automation can read, modify, and exfiltrate every file transfer workflow configured in the product — including scheduled transfers of sensitive data between internal systems and external partners. In regulated sectors, this represents a potential PIPEDA breach notification obligation and, for federal government contractors, an obligation under Treasury Board security policies.

Canadian organizations using MOVEit Automation in supply chain file transfer workflows face additional exposure: a compromised MOVEit Automation instance gives attackers visibility into the file transfer relationships and credentials of every trading partner connected to it.

What to Do

Upgrade MOVEit Automation to the patched version for your release branch: 2025.1.5, 2025.0.9, or 2024.1.8. Patching requires running the full installer and involves a brief service outage. Review network access controls on the MOVEit Automation backend command port and confirm it is not publicly accessible. Audit automation job logs for any anomalous administrative activity, particularly from unexpected source addresses.
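The two checks above that can be scripted, the version comparison and the log review, are shown below as an added example. This is not Progress Software's code or tooling: the fixed versions are the ones the advisory lists, but the job-log line format, the set of "administrative" action names, and the function names are constructed stand-ins for whatever your MOVEit Automation deployment actually emits, and the allow-list of source networks is something you would replace with your own management subnets.

```python
"""Triage helper for the MOVEit Automation advisory (added example, not
Progress Software's code).

Part 1: decide whether an installed version is at or above the fixed
release for its branch (2025.1.5, 2025.0.9, 2024.1.8 per the advisory).
Part 2: scan job-log lines for administrative actions coming from source
addresses outside an allow-list of expected management networks.

The log line format, action names and sample lines are constructed for
this example; adapt the regex and ADMIN_ACTIONS to your real logs.
"""
import ipaddress
import re

# Fixed releases per branch, keyed by (major, minor), from the advisory.
FIXED_BY_BRANCH = {
    (2025, 1): (2025, 1, 5),
    (2025, 0): (2025, 0, 9),
    (2024, 1): (2024, 1, 8),
}


def parse_version(text):
    """'2025.1.4' -> (2025, 1, 4). Raises ValueError on malformed input."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess_version(text):
    """Return (status, fixed_version_string).

    status is 'patched', 'vulnerable', or 'unknown-branch' for a branch the
    advisory does not list (do not assume such a branch is safe; check the
    vendor bulletin)."""
    v = parse_version(text)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return "unknown-branch", None
    status = "patched" if v >= fixed else "vulnerable"
    return status, ".".join(str(n) for n in fixed)


# Constructed log format (hypothetical, not MOVEit's real format):
#   <timestamp> <level> src=<ip> user=<name> action=<verb> <key=value ...>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+src=(?P<src>\S+)\s+"
    r"user=(?P<user>\S+)\s+action=(?P<action>\S+)"
)

# Actions treated as administrative for this example (constructed names).
ADMIN_ACTIONS = {"create_task", "modify_task", "create_host",
                 "add_user", "change_settings"}


def audit_admin_activity(lines, allowed_cidrs):
    """Return a list of (timestamp, src, user, action, reason) tuples for
    administrative actions whose source is outside allowed_cidrs or cannot
    be parsed as an IP address. Lines that do not match LOG_RE are skipped."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["action"] not in ADMIN_ACTIONS:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            findings.append((m["ts"], m["src"], m["user"], m["action"],
                             "unparseable source address"))
            continue
        if not any(src in net for net in nets):
            findings.append((m["ts"], m["src"], m["user"], m["action"],
                             "source outside allow-list"))
    return findings


# Constructed sample log lines; 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    "2026-05-05T09:12:01Z INFO src=10.20.30.5 user=svc_admin action=modify_task task=NightlyPayroll",
    "2026-05-05T09:15:44Z INFO src=10.20.30.5 user=svc_admin action=run_task task=NightlyPayroll",
    "2026-05-05T11:02:13Z INFO src=203.0.113.77 user=admin action=add_user new_user=backup_ops",
    "2026-05-05T11:02:40Z INFO src=203.0.113.77 user=backup_ops action=create_host host=ext-sftp",
    "garbage line that does not match the expected format",
]

if __name__ == "__main__":
    for ver in ("2025.1.4", "2025.0.9", "2024.1.8"):
        print(ver, "->", assess_version(ver))
    # Assumed management network for the sample: 10.20.0.0/16.
    for f in audit_admin_activity(SAMPLE_LOG, ["10.20.0.0/16"]):
        print("FINDING:", f)
```

Running the script flags the two administrative actions from 203.0.113.77 (the user creation and the new host definition) and ignores the routine task run from the management network, which is the shape of result the log audit step is looking for: administrative changes from addresses that have no business reaching the instance.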

If you are a Canadian organization using a third-party managed file transfer service built on MOVEit Automation, contact your provider to confirm patch status and request written confirmation. Document that confirmation for PIPEDA accountability purposes.

For full vulnerability details, see The Hacker News and Help Net Security.
