If your organization runs MOVEit Automation, stop what you are doing right now. A critical MOVEit authentication bypass vulnerability tracked as CVE-2026-4670 was publicly confirmed on May 4, 2026, carrying a CVSS score of 9.8 — the highest possible severity rating. Progress Software, the company behind MOVEit, confirmed that unauthenticated attackers can exploit this flaw to completely bypass login, gain full administrative control, and access or redirect sensitive file transfers without ever entering a password. This is not a theoretical risk. Active exploitation is already underway, and your window to patch safely is closing by the hour.
This guide covers exactly what CVE-2026-4670 does, which MOVEit versions are at risk, and the precise steps your IT team must take to patch and harden your environment before ransomware operators weaponize this bug at scale.
What Is CVE-2026-4670? The MOVEit Authentication Bypass Explained
CVE-2026-4670 is a pre-authentication remote exploit in MOVEit Automation, also known as MOVEit Central — the enterprise-grade managed file transfer (MFT) solution used by thousands of organizations to schedule, automate, and secure automated file movement workflows. A companion vulnerability, CVE-2026-5174 (CVSS 7.7), was patched alongside it and enables privilege escalation through improper input validation on the MOVEit backend command port interface.
In plain terms, CVE-2026-4670 allows the following attack sequence:
- An unauthenticated attacker sends a specially crafted request to the MOVEit Automation service backend command port from the network
- MOVEit processes the request before any authentication logic executes
- The attacker gains full administrative access — including read and write permissions, schedule manipulation, and the ability to silently redirect automated file transfers to attacker-controlled destinations
Progress Software’s own advisory makes the impact unambiguous: the vulnerabilities “may allow authentication bypass and privilege escalation through the service backend command port interfaces,” and “exploitation may lead to unauthorized access, administrative control, and data exposure.”
For enterprise IT teams, this is a critical distinction. MOVEit Automation is not simply a file storage tool. It is used across healthcare, finance, government, and logistics to move millions of regulated records on automated schedules — HIPAA files, financial reports, payroll batches, legal documents, and partner data exchanges. Administrative control of MOVEit Automation is, therefore, a direct pipeline into an organization’s most sensitive automated data flows.
Which MOVEit Automation Versions Are Affected by CVE-2026-4670?
CVE-2026-4670 impacts all MOVEit Automation (Central) versions prior to the emergency patch released on May 4, 2026. The following deployment scenarios are confirmed vulnerable:
- MOVEit Automation 2024.x — all builds before the May 4, 2026 security release
- MOVEit Automation 2023.x — all builds before the May 4, 2026 security release
- MOVEit Automation 2022.x and earlier — end-of-life, no patch available; immediate upgrade is required
Additionally, because CVE-2026-5174 affects the same version range, attackers can chain both vulnerabilities in a single attack. An unauthenticated session established via the CVE-2026-4670 bypass is immediately escalatable to root-equivalent administrative control via CVE-2026-5174 — effectively a two-step complete takeover requiring no credentials whatsoever.
“CVE-2026-4670 in MOVEit Automation may allow authentication bypass and privilege escalation through the service backend command port interfaces. Exploitation may lead to unauthorized access, administrative control, and data exposure.” — Progress Software Security Advisory, May 2026
Why the MOVEit Authentication Bypass Is Especially Dangerous in 2026
Many IT professionals will immediately recognize the MOVEit name from 2023. That year, the Cl0p ransomware group exploited a critical SQL injection flaw in the related MOVEit Transfer product, ultimately compromising over 2,500 organizations and exposing more than 66 million individuals’ data globally. The resulting regulatory fines, legal costs, and remediation expenses pushed total damages past an estimated $12 billion — making it one of the most costly supply chain attacks ever recorded.
CVE-2026-4670 in MOVEit Automation follows the same high-risk threat model, with several factors that make it arguably more dangerous than the 2023 incident:
It requires zero credentials. There is no phishing prerequisite, no brute force, and no need for a prior foothold inside the network. A single crafted request is sufficient.
It targets the automation layer, not just file storage. An attacker with administrative control of MOVEit Automation can silently modify scheduled transfer jobs, redirect outbound files to exfiltration servers, and insert malicious payloads into automated workflows — all without triggering the file-level alerts that most organizations monitor.
MOVEit Automation instances are frequently internet-facing. They are designed to connect with external partners, and many deployments expose the admin interface to broad network ranges for operational convenience — a configuration that becomes catastrophic when a pre-authentication bypass is available.
Furthermore, this vulnerability arrives during a week when government-affiliated hackers were already observed exploiting the critical cPanel CVE-2026-41940 flaw to target MSPs and government agencies across Southeast Asia, the Philippines, and Laos. The broader 2026 threat pattern is consistent: pre-authentication, network-reachable vulnerabilities in perimeter software are being weaponized within hours of public disclosure — and in some cases well before disclosure. You can read about how that pattern is emerging in the SonicWall and Fortinet Firewall Attacks 2026 breakdown on this blog.
How to Patch CVE-2026-4670 in MOVEit Automation: Complete Step-by-Step Guide
Patching CVE-2026-4670 is not optional and not deferrable. Every hour of delay on a CVSS 9.8 pre-authentication bypass is an hour of live exposure. Follow these steps in exact sequence.
Step 1: Confirm Your MOVEit Automation Version
Log in to your MOVEit Automation administrative console and navigate to Help > About. Record the complete build number. Cross-reference that number against the official Progress Software security bulletin published May 4, 2026, to confirm whether your specific build includes the patch.
Step 2: Download the Patch Exclusively from Progress Software
Access the official Progress Software MySupport Portal using your licensed credentials. Download the security update package specific to your MOVEit Automation branch — separate packages were released for the 2024.x and 2023.x branches. Never apply patches sourced from third-party repositories or community forums, especially for a vulnerability of this severity.
Step 3: Block the Backend Command Port at the Firewall — Before You Patch
This step is the most important emergency action you can take before the patch is applied. Immediately implement a firewall access control rule that restricts external and untrusted internal access to the MOVEit Automation service backend command port. The exact port number is listed in your MOVEit service configuration file. Blocking this port at the network perimeter prevents CVE-2026-4670 exploitation entirely, even on unpatched systems, by eliminating network reachability to the vulnerable interface.
This is precisely where enterprise-grade perimeter firewall protection becomes decisive. Organizations running Fortinet FortiGate or SonicWall firewalls can deploy emergency ACL rules within minutes to restrict the attack surface while patching is prepared. If your current firewall lacks the management capabilities to push rapid policy changes in response to emerging CVEs, that is a gap worth addressing immediately — the 2026 threat landscape demands sub-hour policy response capability.
Step 4: Apply the Patch During an Expedited Maintenance Window
Schedule a maintenance window as short as operationally feasible. The security update requires a MOVEit service restart but does not mandate a full server reboot in most configurations. If a staging environment is available, test the patch there first — but given active exploitation in the wild, production patching should occur within 24 hours of staging validation. Waiting for the next scheduled quarterly maintenance window is not a defensible decision for a CVSS 9.8 pre-auth bypass.
Step 5: Rotate All MOVEit Service Account Credentials and API Keys
Treat every day between May 4, 2026 and your patch application date as a potential compromise window for your MOVEit environment. After patching, immediately rotate the following:
- All MOVEit Automation service account passwords
- Database connection strings used by MOVEit Automation
- API keys and tokens for SFTP, S3, Azure Blob, and partner integration endpoints
- Administrative user passwords for the MOVEit console
If your organization uses single sign-on (SSO) integration with MOVEit Automation, coordinate with your identity provider to review all active sessions and revoke tokens issued during the exposure window.
Step 6: Conduct a Forensic Review of MOVEit Audit Logs
After patching, run a thorough review of MOVEit Automation audit logs covering at least the past 30 days — ideally 60 days, given that some 2026 CVEs were exploited weeks before public disclosure. Specifically look for:
- Authentication events originating from unexpected or foreign IP addresses
- Schedule modifications that do not correspond to documented change requests
- New transfer destinations or partner accounts created outside your change management process
- File transfers to external endpoints not present in your approved partner list
- Any account creation or permission elevation events in the audit trail
Threat intelligence providers including Securonix, Rapid7, and CISA have published CVE-2026-4670 indicators of compromise (IOCs). Cross-reference your log data against those IOCs to determine whether your environment was accessed during the exposure window.
Step 7: Enable Multi-Factor Authentication on the MOVEit Admin Console
MOVEit Automation supports MFA for its administrative console. If MFA is not currently enforced, enable it as part of this remediation process. MFA does not prevent CVE-2026-4670 exploitation — because the authentication bypass operates before MFA logic is reached — but it provides essential defense-in-depth against every other credential-based attack vector targeting your MOVEit deployment going forward.
How to Harden Your MOVEit Environment Beyond the Patch
Applying the patch removes the immediate CVE-2026-4670 exposure. However, the 2023 MOVEit incident clearly demonstrated that patching alone is insufficient when the surrounding network controls are absent. The following hardening measures are critical for sustained protection.
Network Segmentation: Your Most Effective Structural Defense
MOVEit Automation servers should never be directly reachable from the public internet or from all internal subnets without restriction. The correct architecture places MOVEit servers in a dedicated DMZ or restricted server segment enforced by a next-generation firewall. Only explicitly approved source IPs — SFTP partners, internal file transfer agents, and authorized administrator workstations — should have any access to MOVEit ports.
Organizations that have not yet implemented proper network segmentation should evaluate managed network switches with VLAN support from HPE Aruba or Cisco paired with a next-generation firewall capable of enforcing inter-VLAN access control policies. Proper segmentation is what limits the blast radius of a successful exploit from a full organization compromise to a contained server incident. It was the absence of segmentation, in many cases, that allowed the 2023 MOVEit breach to spread so extensively.
Deploy Web Application Firewall Rules for Virtual Patching
A Web Application Firewall (WAF) running virtual patching rules provides an additional detection and blocking layer between attackers and your MOVEit infrastructure. Fortinet FortiWeb, SonicWall Web Application Firewall, and WatchGuard’s integrated UTM platforms all support custom rule sets that can be tuned to block known exploit patterns for MOVEit vulnerabilities — including previously undisclosed variants — before vendor patches are available.
Monitor for Post-Exploitation Lateral Movement
Successful exploitation of MOVEit Automation in 2023 consistently led to lateral movement into Active Directory, corporate email, and cloud storage environments. Your SIEM and endpoint detection tools should actively monitor for the following post-exploitation indicators on and around MOVEit servers:
- Unusual PowerShell execution or cmd.exe spawning from MOVEit service accounts
- LDAP enumeration queries originating from the MOVEit server
- Unexpected outbound HTTPS connections from the MOVEit host to non-partner IP addresses
- Creation of new local administrator accounts or scheduled tasks on the MOVEit server
2026’s Unmistakable Pattern: Pre-Authentication Critical Flaws Dominating the Threat Landscape
CVE-2026-4670 is the latest entry in a consistent and alarming 2026 pattern of critical pre-authentication vulnerabilities in enterprise perimeter software. In the first five months of 2026 alone, IT teams have had to respond to:
- SonicWall CVE-2026-0204 — authentication bypass in SonicOS, firewall management seizure risk
- Cisco Firestarter backdoor — persistent malware surviving reboots on Cisco Firepower devices, CISA and NCSC emergency alert issued
- cPanel CVE-2026-41940 — CVSS 9.8 authentication bypass affecting an estimated 1.5 million internet-exposed servers, now actively exploited by government-affiliated threat actors
- MOVEit Automation CVE-2026-4670 — CVSS 9.8 pre-auth bypass in enterprise managed file transfer, May 2026
The pattern is not coincidental. Ransomware groups and state-sponsored actors are systematically prioritizing zero-click, pre-authentication vulnerabilities in software that sits on or near the network perimeter. These bugs require no user interaction, no phishing campaign, and no stolen credentials. They require only a reachable IP address and an unpatched system.
For IT managers and network administrators, this pattern carries a concrete operational implication: your patch management process must be capable of deploying emergency security updates within 24 to 48 hours of public vulnerability disclosure. Organizations that still operate on quarterly patch cycles are structurally unprepared for 2026’s exploitation timelines. You can explore how zero trust architecture addresses this structural gap in the Zero Trust Network Security 2026 complete guide on this blog.
What IT Managers Must Do Today
If MOVEit Automation is running anywhere in your environment, your action list for today is non-negotiable:
- Patch CVE-2026-4670 immediately using the official May 4, 2026 Progress Software security update
- Block the backend command port at the firewall as an emergency measure before patching if same-day patching is not feasible
- Rotate all MOVEit service account credentials and API keys across the full integration surface
- Review 30 to 60 days of MOVEit audit logs against published CVE-2026-4670 IOCs
- Segment your MOVEit servers behind a next-generation firewall if that architecture is not already in place
For organizations that do not yet have next-generation firewall infrastructure capable of rapid policy response to breaking CVEs, the firewall product catalog at Jazz Cyber Shield includes enterprise-grade options from Fortinet, SonicWall, and WatchGuard — all supporting automated threat intelligence feeds that push blocking rules for new exploit patterns within hours of their publication.
Conclusion
The MOVEit authentication bypass vulnerability CVE-2026-4670 carries a CVSS 9.8 score for a straightforward reason: it requires nothing from an attacker except network access and an unpatched target. Progress Software has released the patch. Every day that passes without applying it is a day of live exposure to ransomware operators and data extortion groups who have spent years demonstrating exactly what they do with unprotected MOVEit environments.
Patch today. Segment your network. Rotate your credentials. Implement the hardening controls in this guide. The 2023 MOVEit breach cost affected organizations billions of dollars. In 2026, with exploitation timelines measured in hours rather than days, the cost of inaction is higher than it has ever been.
