Key points
- Two vulnerabilities were patched: CVE-2026-4670 (authentication bypass, CVSS 9.8) and CVE-2026-5174 (improper input validation, CVSS 7.7).
- Successful exploitation may allow unauthorized access, administrative control, and data exposure through the service's backend command port interfaces.
- Affected MOVEit Automation versions are <=2025.1.4 (fixed in 2025.1.5), <=2025.0.8 (fixed in 2025.0.9), and <=2024.1.7 (fixed in 2024.1.8).
- The vulnerabilities were discovered and reported by Airbus SecLab researchers Anaïs Gantet, Delphine Gourdou, Quentin Liddell, and Matteo Ricordeau.
- There are no workarounds; customers should apply the provided updates immediately to mitigate risk, especially given past MOVEit Transfer exploitation by Cl0p.
Read More: https://thehackernews.com/2026/05/progress-patches-critical-moveit.html