Hackers could exploit vulnerabilities in Progress Software’s MOVEit Automation tool to improperly access businesses’ data, the software maker said in a recent advisory.
Exploitation of the two flaws — an authentication-bypass vulnerability tracked as CVE-2026-4670 and a privilege-escalation vulnerability tracked as CVE-2026-5174 — could “lead to unauthorized access, administrative control, and data exposure,” according to Progress Software’s advisory.
The newly patched flaws represent serious security weaknesses in a widely used managed-file-transfer program that helps organizations transfer data between self-hosted servers, cloud platforms and third-party vendors.
Progress Software urged customers to upgrade to the latest version of the software, which fixes both vulnerabilities.
CVE-2026-4670 is considered a critical vulnerability, while CVE-2026-5174 carries a high severity score.
“Upgrading to a patched release, using the full installer, is the only way to remediate this issue,” Progress Software said, warning that the file-transfer software will need to shut down for the upgrade.
More than 1,440 internet-connected devices are running vulnerable versions of MOVEit Automation, including 16 associated with state and local government agencies, according to the Shodan internet-scanning tool.
MOVEit has been the source of major anxiety for cybersecurity experts and business leaders in the past. In 2023, a zero-day vulnerability in the software fueled a massive hacking spree that included serious ransomware attacks by the Cl0p cybercrime gang.
