Cyber Resilience

CVE-2026-4670

Severity: Critical
Published: 30 April 2026
Modified: 04 May 2026
KEV Added: not listed
Patch: available (vendor bulletin below)
CVSS v3.1 base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0563 (92.0th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-4670 is a critical-severity Authentication Bypass by Primary Weakness (CWE-305) vulnerability in Progress MOVEit Automation. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique T1190 (Exploit Public-Facing Application). Its EPSS score of 0.0563 places it in the top 8.0% of CVEs by exploit likelihood (92.0th percentile). It is not currently listed in the CISA KEV catalog; absence from KEV means no confirmed in-the-wild exploitation has been recorded there, not that exploitation is unlikely.

The strongest compensating controls our analysis identified are NIST 800-53 AC-3, Access Enforcement, and IA-2, Identification and Authentication (Organizational Users). These limit what a successful bypass can reach; only the vendor patch removes the flaw itself.

Deeper analysis

CVE-2026-4670 is an authentication bypass in Progress Software's MOVEit Automation classified under CWE-305 (Authentication Bypass by Primary Weakness): the authentication design is sound, but a separate implementation flaw lets the mechanism be bypassed. It affects MOVEit Automation 2025.0.0 up to but not including 2025.0.9, 2024.0.0 up to but not including 2024.1.8, and every release before 2024.0.0. Published on 30 April 2026, the vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), which rates as Critical.

A remote attacker who can reach the application over the network can exploit the flaw with low attack complexity, no privileges and no user interaction. Because the bypass yields high impact on confidentiality, integrity and availability, realistic outcomes include unauthorized access to data handled by the automation server, modification of its configuration, or disruption of scheduled automation tasks.

Progress Software has issued a Critical Security Alert Bulletin addressing CVE-2026-4670 (along with CVE-2026-5174), available at https://community.progress.com/s/article/MOVEit-Automation-Critical-Security-Alert-Bulletin-April-2026-CVE-2026-4670-CVE-2026-5174. Remediation is the vendor patch: upgrade to 2025.0.9 or later on the 2025 branch, or 2024.1.8 or later on the 2024 branch. Installations older than 2024.0.0 are also affected and have no fixed release in their own branch, so they need to move to one of the patched branches. Since the bulletin covers CVE-2026-5174 as well, confirm that the build you move to addresses both issues.
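The affected ranges above are the kind of thing that gets mis-read during a patch sprint (2024.1.8 is fixed, 2024.1.7 is not). As an added example, not code from the page or from Progress, here is a small Python triage helper that encodes those ranges as half-open intervals, maps an installed version to affected/not affected and the release to move to, and runs over a constructed inventory. The hostnames and versions in the inventory are made up, and the choice of 2024.1.8 as the target for pre-2024.0.0 builds is an assumption: the page names only 2024.1.8 and 2025.0.9 as patched releases.

```python
"""Triage helper for CVE-2026-4670 affected-version ranges.

Added example. Ranges are taken from the advisory text on this page; the sample
inventory is constructed; the upgrade target for pre-2024.0.0 builds is an assumption.
"""

# (inclusive lower bound, exclusive upper bound, release to move to) per affected range.
AFFECTED_RANGES = [
    ((2025, 0, 0), (2025, 0, 9), "2025.0.9"),
    ((2024, 0, 0), (2024, 1, 8), "2024.1.8"),
    ((0, 0, 0), (2024, 0, 0), "2024.1.8"),  # ASSUMPTION: nearest patched branch for old builds
]


def parse_version(text: str) -> tuple:
    """'2024.1.8' -> (2024, 1, 8); pads to three components; rejects non-numeric input."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * max(0, 3 - len(nums))


def assess(version: str) -> dict:
    """Return whether a single version is affected and, if so, the release to upgrade to."""
    v = parse_version(version)
    for low, high, fix in AFFECTED_RANGES:
        if low <= v < high:  # half-open: the fixed release itself is not affected
            return {"version": version, "affected": True, "upgrade_to": fix}
    return {"version": version, "affected": False, "upgrade_to": None}


def triage(inventory: dict) -> list:
    """[(host, action), ...] for every affected or unparseable host, sorted by host."""
    hits = []
    for host, version in sorted(inventory.items()):
        try:
            result = assess(version)
        except ValueError:
            hits.append((host, "UNKNOWN VERSION - verify manually"))
            continue
        if result["affected"]:
            hits.append((host, result["upgrade_to"]))
    return hits


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = {
    "mft-auto-01": "2025.0.8",  # affected, 2025 branch
    "mft-auto-02": "2025.0.9",  # first fixed 2025 release
    "mft-auto-03": "2024.1.7",  # affected, 2024 branch
    "mft-auto-04": "2024.1.8",  # first fixed 2024 release
    "mft-auto-05": "2023.0.2",  # pre-2024.0.0, affected
    "mft-auto-06": "unknown",   # inventory gap, must be checked by hand
}

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY):
        print(f"{host}: {action}")
```

Unparseable versions are reported rather than silently skipped, because an asset whose version the inventory cannot state is exactly the one most likely to be unpatched.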

Vulnerability details

Authentication bypass by primary weakness vulnerability in Progress Software MOVEit Automation allows Authentication Bypass. This issue affects MOVEit Automation: from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, versions prior to 2024.0.0.

CWE(s)

CWE-305 Authentication Bypass by Primary Weakness

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The authentication bypass in the network-accessible MOVEit Automation application directly enables remote exploitation of a public-facing application without credentials or user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-8487 · same product: Progress MOVEit Automation
CVE-2026-8486 · same product: Progress MOVEit Automation
CVE-2026-5174 · same product: Progress MOVEit Automation
CVE-2026-8485 · same product: Progress MOVEit Automation
CVE-2026-8488 · same product: Progress MOVEit Automation
CVE-2025-13447 · same product class: managed file transfer
CVE-2025-11235 · same product class: managed file transfer
CVE-2025-13444 · same product class: managed file transfer
CVE-2023-34362 · same product class: managed file transfer
CVE-2025-2324 · same product class: managed file transfer

Affected Assets

Progress MOVEit Automation
all releases before 2024.0.0 · 2024.0.0 to before 2024.1.8 · 2025.0.0 to before 2025.0.9

Mitigating Controls (NIST 800-53 r5)

prevent · Flaw remediation: directly mitigates the authentication bypass by requiring timely identification, reporting, and correction of software flaws through vendor patches.

prevent · AC-3 (Access Enforcement): enforces approved authorizations for logical access to system resources, limiting what an attacker can do after bypassing authentication.

prevent · IA-2 (Identification and Authentication (Organizational Users)): requires unique identification and authentication for organizational users, directly countering the authentication bypass in MOVEit Automation.
