Critical Authentication Bypass in Progress MOVEit Automation: RCE Vectors Exposed
Summary
A critical authentication bypass vulnerability (CVE-2026-4670) and a high-severity privilege escalation flaw (CVE-2026-5174) in Progress MOVEit Automation have been disclosed and patched. The authentication bypass (CVSS 9.8) allows remote, unauthenticated attackers to bypass authentication and execute arbitrary actions without privileges or user interaction, while the privilege escalation flaw (CVSS 7.7) enables unauthorized administrative control and data exposure. The vulnerabilities affect versions prior to 2025.1.5, 2025.0.9, and 2024.1.8, with fixes requiring full installer upgrades that cause system outages. Airbus SecLab researchers are credited with discovering and reporting both flaws, which can be exploited via service backend command port interfaces. No workarounds exist, and immediate patching is recommended to prevent potential exploitation resembling prior MOVEit Transfer intrusions. MOVEit Automation is an enterprise-grade managed file transfer (MFT) orchestrator used by over 3,000 organizations and 100,000 users globally to automate complex data workflows across local servers, cloud storage, and external partners. Progress Software has issued advisories emphasizing the severity of the flaws, noting that exploitation could lead to full system compromise, data exfiltration, or lateral movement within affected environments. Over 1,400 exposed instances have been identified, including systems linked to U.S. government agencies.
Timeline
- 04.05.2026 15:18 (2 articles)
Critical MOVEit Automation authentication bypass (CVE-2026-4670) disclosed and patched
Progress Software disclosed two vulnerabilities in MOVEit Automation: CVE-2026-4670 (CVSS 9.8), an authentication bypass flaw enabling remote, unauthenticated attackers to bypass authentication mechanisms and execute arbitrary actions without privileges or user interaction, and CVE-2026-5174 (CVSS 7.7), an improper input validation flaw allowing privilege escalation via service backend command port interfaces. Both flaws require immediate patching through full installer upgrades, which cause system outages. Airbus SecLab researchers Anaïs Gantet, Delphine Gourdou, Quentin Liddell, and Matteo Ricordeau are credited with discovery and reporting. There are no available workarounds. Exploitation could lead to unauthorized access, administrative control, data exposure, full system compromise, or lateral movement within affected MOVEit Automation deployments.
Sources:
- Progress warns of critical MOVEit Automation auth bypass flaw — www.bleepingcomputer.com — 04.05.2026 15:18
- Progress Patches Critical MOVEit Automation Bug Enabling Authentication Bypass — thehackernews.com — 04.05.2026 19:34
Information Snippets
- CVE-2026-4670 is a critical authentication bypass in Progress MOVEit Automation affecting versions before 2025.1.5, 2025.0.9, and 2024.1.8.
  First reported: 04.05.2026 15:18 (2 sources, 2 articles: bleepingcomputer.com, thehackernews.com)
- The vulnerability enables remote, unauthenticated attackers to bypass authentication without privileges in low-complexity attacks that require no user interaction.
  First reported: 04.05.2026 15:18 (2 sources, 2 articles: bleepingcomputer.com, thehackernews.com)
- Exploitation of CVE-2026-4670 could result in full system compromise, unauthorized data access, or lateral movement within affected MOVEit Automation deployments.
  First reported: 04.05.2026 15:18 (2 sources, 2 articles: bleepingcomputer.com, thehackernews.com)
- Progress Software recommends upgrading to patched versions using the full installer, which requires system outages during the upgrade process.
  First reported: 04.05.2026 15:18 (2 sources, 2 articles: bleepingcomputer.com, thehackernews.com)
- A separate high-severity privilege escalation vulnerability (CVE-2026-5174) due to improper input validation was also addressed in the same security updates.
  First reported: 04.05.2026 15:18 (1 source, 1 article: bleepingcomputer.com)
- Shodan scans indicate over 1,400 exposed MOVEit Automation instances, including more than a dozen linked to U.S. local and state government agencies.
  First reported: 04.05.2026 15:18 (1 source, 1 article: bleepingcomputer.com)
- Progress MOVEit MFT solutions are used by over 3,000 enterprise organizations and 100,000 users globally.
  First reported: 04.05.2026 15:18 (1 source, 1 article: bleepingcomputer.com)
- Airbus SecLab researchers Anaïs Gantet, Delphine Gourdou, Quentin Liddell, and Matteo Ricordeau are credited with discovering and reporting CVE-2026-4670 and CVE-2026-5174.
  First reported: 04.05.2026 19:34 (1 source, 1 article: thehackernews.com)
- CVE-2026-4670 has a CVSS score of 9.8 and CVE-2026-5174 has a CVSS score of 7.7.
  First reported: 04.05.2026 19:34 (1 source, 1 article: thehackernews.com)
- The flaws can be exploited through the service backend command port interfaces, enabling unauthorized access, administrative control, and data exposure.
  First reported: 04.05.2026 19:34 (1 source, 1 article: thehackernews.com)
- There are no workarounds available to mitigate these vulnerabilities.
  First reported: 04.05.2026 19:34 (1 source, 1 article: thehackernews.com)
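As an added illustration (not part of the advisory or of Progress's own software), the following check compares an installed MOVEit Automation version against the three fixed builds named above, branch by branch, so that 2025.0.9 is correctly treated as patched even though it sorts below 2025.1.5. It assumes version strings of the form YEAR.MINOR.PATCH, optionally followed by a build number.

```python
"""Branch-aware check of an installed version against the fixed builds.

Fixed builds per the advisory: 2025.1.5, 2025.0.9 and 2024.1.8. Earlier
releases on the same branch are affected. A single numeric comparison gets
this wrong (2025.0.9 sorts below 2025.1.5 yet is patched), so compare only
within the release branch.

Assumption (not from the advisory): versions are dotted YEAR.MINOR.PATCH,
optionally followed by a build number, with YEAR.MINOR naming the branch.
"""
from typing import Tuple

# Fixed builds from the advisory, keyed by release branch (year, minor).
FIXED_BUILDS = {
    (2025, 1): (2025, 1, 5),
    (2025, 0): (2025, 0, 9),
    (2024, 1): (2024, 1, 8),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse '2025.1.3' or '2025.1.3.77' into (year, minor, patch)."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0, 0]   # pad a bare 'YEAR.MINOR'
    return nums[0], nums[1], nums[2]           # any build number is ignored


def assess(text: str) -> str:
    """Return 'affected', 'fixed' or 'unknown-branch'.

    'unknown-branch' means the advisory lists no fixed build for that
    release line; do not treat such a host as safe.
    """
    v = parse_version(text)
    fixed = FIXED_BUILDS.get((v[0], v[1]))
    if fixed is None:
        return "unknown-branch"
    return "fixed" if v >= fixed else "affected"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts or real scan data.
    for host, ver in [("mft-01", "2025.1.3"), ("mft-02", "2025.0.9"),
                      ("mft-03", "2024.1.7"), ("mft-04", "2023.0.2")]:
        print(f"{host}: {ver} -> {assess(ver)}")
```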
Similar Happenings
Unauthenticated access vulnerability in Oracle E-Business Suite Configurator
A critical vulnerability in Oracle E-Business Suite (EBS) allows unauthenticated attackers to access sensitive data via HTTP. The flaw, CVE-2025-61884, affects versions 12.2.3 through 12.2.14 and has a CVSS score of 7.5. CISA has confirmed that the vulnerability is being exploited in attacks and has added it to its Known Exploited Vulnerabilities catalog. Oracle has issued an emergency security update and patch, but exploitation in the wild has been reported. The vulnerability is in the Runtime UI component and could lead to unauthorized access to critical data. Oracle has silently fixed the vulnerability after it was actively exploited and a proof-of-concept exploit was leaked by the ShinyHunters extortion group. This development follows recent disclosures of zero-day exploitation in EBS software, attributed to a group with ties to the Clop ransomware group. The Clop group has been involved in major data theft campaigns targeting zero-days in Accellion FTA, GoAnywhere MFT, Cleo, and MOVEit Transfer.
Critical deserialization flaw in GoAnywhere MFT (CVE-2025-10035) patched
The critical deserialization vulnerability (CVE-2025-10035) in GoAnywhere MFT has been actively exploited by the cybercrime group Storm-1175 in Medusa ransomware attacks since at least September 11, 2025. This flaw, rated 10.0 on the CVSS scale, allows arbitrary command execution if the system is publicly accessible over the internet. Fortra has released patches in versions 7.8.4 and 7.6.3. The vulnerability was disclosed on September 18, 2025, but exploitation began a week earlier. The Shadowserver Foundation is monitoring over 513 GoAnywhere MFT instances exposed online, although the number of patched instances is unknown. The flaw lies in the same license code path as the earlier CVE-2023-0669, which was widely exploited by multiple ransomware and APT groups in 2023, including LockBit. It lets an attacker bypass signature verification with a forged license response signature, allowing deserialization of arbitrary, attacker-controlled objects; successful exploitation could result in command injection and remote code execution (RCE) on the affected system. Following exploitation, the threat actor used the legitimate remote monitoring and management (RMM) tools SimpleHelp and MeshAgent to launch binaries, establish command-and-control (C2) infrastructure, and set up a Cloudflare tunnel for secure C2 communication. Deployment and execution of Rclone was observed in at least one victim environment during the exfiltration stage. Medusa ransomware has over 300 global victims in critical infrastructure sectors, including a confirmed attack on a US healthcare organization in early 2025. Fortra began investigating the vulnerability on September 11, 2025, following a customer report. Fortra contacted on-premises customers with publicly accessible admin consoles and notified law enforcement on September 11, 2025. A hotfix for versions 7.6.x, 7.7.x, and 7.8.x was released on September 12, 2025, and full patches for versions 7.6.3 and 7.8.4 followed on September 15, 2025. The CVE was formally published on September 18, 2025. Fortra confirmed a limited number of reports of unauthorized activity related to CVE-2025-10035 and recommends restricting admin console access over the internet and enabling monitoring. watchTowr CEO and founder Benjamin Harris reiterated the need for transparency from Fortra regarding the private keys used in the exploit.
Critical vulnerabilities in SAP NetWeaver and related products addressed
SAP has released security updates addressing multiple vulnerabilities, including three critical flaws in NetWeaver and a high-severity issue in S/4HANA. The most severe, CVE-2025-42944, allows unauthenticated attackers to execute arbitrary OS commands via an insecure deserialization vulnerability in the RMI-P4 module. The second critical flaw, CVE-2025-42922, enables authenticated attackers to upload arbitrary files, potentially leading to full system compromise. The third critical vulnerability, CVE-2025-42958, allows unauthorized high-privileged users to access sensitive data and administrative functions. Additionally, a high-severity missing input validation bug in SAP S/4HANA (CVE-2025-42916) was patched, which could permit attackers to delete the content of arbitrary database tables. In the November 2025 security updates, SAP addressed a maximum severity flaw in the non-GUI variant of the SQL Anywhere Monitor (CVE-2025-42890) and a critical code injection issue in the Solution Manager platform (CVE-2025-42887). The SQL Anywhere Monitor flaw involves hardcoded credentials that could allow attackers to access administrative functions and execute arbitrary code. The Solution Manager flaw allows authenticated attackers to insert malicious code, potentially leading to full system control. SAP also released fixes for one high-severity flaw (CVE-2025-42940) and 14 other medium-severity vulnerabilities. These vulnerabilities affect SAP NetWeaver, the foundation for various business applications like ERP, CRM, SRM, and SCM, widely deployed in large enterprise networks. The RMI-P4 port, used for internal SAP-to-SAP communication, may be exposed to wider networks due to misconfigurations. SAP products are frequent targets for high-value compromises due to their handling of mission-critical data. Earlier this month, a critical code injection vulnerability (CVE-2025-42957) was exploited in S/4HANA, Business One, and NetWeaver products. SAP has also updated security notes for other high-severity vulnerabilities in Business One, Landscape Transformation Replication Server, and S/4HANA.
Critical RADIUS Authentication Flaw in Cisco Secure Firewall Management Center
Cisco has disclosed and patched multiple critical vulnerabilities across its product portfolio, including a newly identified Integrated Management Controller (IMC) authentication bypass flaw (CVE-2026-20093) that allows unauthenticated attackers to gain Admin access to unpatched systems. Additionally, Cisco addressed a critical remote code execution (RCE) vulnerability in its Smart Software Manager On-Prem (SSM On-Prem) (CVE-2026-20160) that enables attackers to execute commands with root-level privileges. Earlier in March 2026, Cisco released security updates for two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software: an authentication bypass flaw (CVE-2026-20079) granting root access and an RCE vulnerability (CVE-2026-20131) allowing arbitrary Java code execution. Notably, the Interlock ransomware gang exploited CVE-2026-20131 in zero-day attacks, prompting CISA to add it to its catalog of exploited vulnerabilities and mandate federal agencies to remediate within three days. Cisco also published a bundled set of 25 security advisories addressing 48 vulnerabilities across multiple enterprise networking products, including high-severity issues in ASA Firewall, Secure FMC, and Secure FTD appliances.