CVE-2026-4670 -- CVSS 9.8 Vulnerability Briefing
CVE-2026-4670 | CVSS 9.8 (Critical) | Exploit: No known exploit
What Is It
CVE-2026-4670 is a critical authentication bypass vulnerability in Progress Software MOVEit Automation, affecting versions from 2025.0.0 before 2025.0.9, that allows unauthenticated attackers to bypass primary authentication controls.
Technical Detail
The flaw is classified as an authentication bypass by primary weakness, meaning the authentication mechanism itself contains a fundamental design or implementation error that can be circumvented without valid credentials. An attacker can exploit this remotely by sending crafted requests that satisfy the flawed authentication logic, effectively gaining unauthorized access to the MOVEit Automation interface and its managed file transfer workflows. Successful exploitation could allow an attacker to access sensitive data, manipulate automated file transfer tasks, or pivot further into connected systems depending on the integration scope of the deployment.
Exploitation Status
No known exploit code has been publicly observed or confirmed as of May 7, 2026. This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. The exploit maturity is assessed as no known exploit at this time, though the critical CVSS score of 9.8 and the nature of the flaw make it a high-priority target for future exploitation development.
Who Is Targeting This
No specific threat actor attribution at this time. However, MOVEit products have historically been targeted by financially motivated and espionage-oriented threat actors due to their role in enterprise file transfer operations. Organizations should treat this vulnerability as high-interest to adversaries regardless of current attribution gaps.
What To Do
Organizations running MOVEit Automation versions 2025.0.0 through 2025.0.8 should prioritize patching to version 2025.0.9 or later immediately given the critical severity and the authentication bypass nature of the flaw. Until patching is complete, restrict network access to the MOVEit Automation management interface to trusted IP ranges only and review authentication logs for anomalous access patterns or unexpected session creation. Verify that no unauthorized accounts or scheduled tasks have been introduced into the automation environment. Progress Software's advisory should be consulted for any additional vendor-recommended mitigations or indicators of compromise.
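Two of the interim steps above (confirming which hosts sit in the affected 2025.0.0 through 2025.0.8 range, and reviewing session creation against the trusted IP ranges the management interface should be restricted to) are easy to get subtly wrong by hand, so the script below works them through. It is an added example for this briefing, not code from Progress Software or from any MOVEit product; the version parser, the inventory list, the `login_success`/`session_created` log line format and the trusted ranges are all constructed assumptions, since the briefing does not describe MOVEit Automation's actual log format.

```python
"""Defender checks for the CVE-2026-4670 briefing (added example, not vendor code).

All host names, version strings, log lines and trusted ranges below are
constructed sample data; the log line format is an assumption, not the
real MOVEit Automation format.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

# Affected range stated in the briefing: 2025.0.0 up to but not including 2025.0.9.
AFFECTED_MIN = (2025, 0, 0)
FIXED_VERSION = (2025, 0, 9)


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse a dotted numeric version into a tuple of ints, padded to 3 parts.

    Tuples compare component by component, so (2025, 0, 10) > (2025, 0, 9),
    which a plain string comparison ("2025.0.10" < "2025.0.9") gets wrong.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version: str) -> bool:
    """True when the version lies in [2025.0.0, 2025.0.9)."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_VERSION


def hosts_needing_patch(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """From (host, version) pairs, return hosts still on an affected build."""
    return [host for host, version in inventory if is_affected(version)]


# Constructed log line shape (assumption): "<timestamp> <event> user=<u> src=<ip>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)")


def review_sessions(log_lines: Iterable[str], trusted_ranges: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Flag session creations that are anomalous under the briefing's guidance.

    Two checks: the session's source must fall inside a trusted range, and a
    session_created event must be preceded by a login_success for the same
    user and source. Each finding is (timestamp, user, src, reason).
    """
    nets = [ipaddress.ip_network(r) for r in trusted_ranges]
    logged_in = set()  # (user, src) pairs that completed a normal login
    findings = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unrelated or unparseable line
        ts, event, user, src = m["ts"], m["event"], m["user"], m["src"]
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            findings.append((ts, user, src, "unparseable source address"))
            continue
        if event == "login_success":
            logged_in.add((user, src))
        elif event == "session_created":
            if not any(addr in net for net in nets):
                findings.append((ts, user, src, "session from outside trusted ranges"))
            if (user, src) not in logged_in:
                findings.append((ts, user, src, "session without preceding login"))
    return findings


# Constructed sample data for a stand-alone run.
SAMPLE_INVENTORY = [
    ("mft-auto-01", "2025.0.3"),   # affected
    ("mft-auto-02", "2025.0.9"),   # fixed build
    ("mft-auto-03", "2025.0.10"),  # later than the fix
    ("mft-auto-04", "2024.1.5"),   # outside the affected branch
]
SAMPLE_LOG = [
    "2026-05-07T09:58:10Z login_success user=admin src=10.20.30.40",
    "2026-05-07T09:58:11Z session_created user=admin src=10.20.30.40",
    "2026-05-07T10:03:42Z session_created user=admin src=203.0.113.77",
    "2026-05-07T10:05:00Z login_failure user=svc_transfer src=10.20.30.41",
    "2026-05-07T10:05:01Z session_created user=svc_transfer src=10.20.30.41",
]
TRUSTED_RANGES = ["10.20.30.0/24"]

if __name__ == "__main__":
    print("Hosts needing 2025.0.9:", hosts_needing_patch(SAMPLE_INVENTORY))
    for finding in review_sessions(SAMPLE_LOG, TRUSTED_RANGES):
        print("FINDING:", *finding)
```

The version check pads short strings so that "2025.0" is treated as 2025.0.0, and compares numerically rather than lexically. The session review deliberately reports both reasons for the same event when both apply, since a session from an untrusted address that was never preceded by a login is exactly the pattern an authentication bypass would produce and deserves to stand out in the output.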