
CVE-2026-4670 & CVE-2026-5174: MOVEit Automation Critical Vulnerabilities — Detection and Hardening Guide

Security Arsenal Team
May 5, 2026

Progress Software has released critical security patches for MOVEit Automation (formerly Moveit DMZ) to address two severe vulnerabilities that could lead to complete system compromise. Given the history of MOVEit Transfer being a prime target for mass exploitation (such as the Cl0p ransomware campaigns), defenders must treat these new CVEs in MOVEit Automation with the same level of urgency.

Introduction

We are tracking two high-severity flaws, CVE-2026-4670 (CVSS Critical) and CVE-2026-5174. CVE-2026-4670 is an authentication bypass vulnerability that allows unauthenticated attackers to gain access to the system. When chained with CVE-2026-5174, an unauthorized privilege gain issue, an attacker can elevate privileges to achieve full administrative control over the host. This creates a pathway for ransomware deployment, data exfiltration, or lateral movement into the internal network.

Technical Analysis

Affected Product:

  • MOVEit Automation (all versions prior to the latest security update)

Vulnerabilities:

  • CVE-2026-4670 (Authentication Bypass): This flaw exists in the authentication mechanism of MOVEit Automation. It allows a remote attacker to bypass authentication checks and interact with the underlying application or system.
  • CVE-2026-5174 (Unauthorized Privilege Gain): This vulnerability allows an attacker to escalate their privileges, typically from a low-privileged context to SYSTEM or root, facilitating full system compromise.

Attack Chain:

  1. Initial Access: Attacker scans for MOVEit Automation interfaces exposed to the internet.
  2. Exploitation: Attacker exploits CVE-2026-4670 to authenticate without valid credentials.
  3. Privilege Escalation: Attacker exploits CVE-2026-5174 to gain administrative rights.
  4. Impact: Execution of arbitrary commands, deployment of webshells, or theft of sensitive file transfer logs.

Exploitation Status: While proof-of-concept (PoC) exploits are likely to exist given the severity of authentication bypasses, active exploitation in the wild has not yet been confirmed at the time of this writing. However, the history of MOVEit products suggests weaponization is imminent.

Detection & Response

The following detection rules and queries focus on identifying exploitation attempts via the MOVEit Automation service spawning unauthorized shells or child processes—a strong indicator of successful exploitation and privilege escalation.

YAML
---
title: MOVEit Automation Spawning Windows Shell
id: 8a2b1c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects MOVEit Automation process (java.exe or MoveITDMZ.exe) spawning cmd.exe or powershell.exe, indicative of post-exploitation activity.
references:
  - https://securityaffairs.com/191681/security/moveit-automation-flaws-could-enable-full-system-compromise.html
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1059.003
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|contains:
      - '\java.exe' # MOVEit Automation often runs on Java
      - 'MoveITAutomation.exe'
      - 'MoveITDMZ.exe'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: all of selection_*
falsepositives:
  - Legitimate administrative debugging (rare)
level: high
---
title: Suspicious Network Connections from MOVEit Automation
id: 1b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: Detects MOVEit Automation processes initiating outbound connections to non-standard ports or suspicious IPs, potentially indicating C2 beaconing.
references:
  - https://securityaffairs.com/191681/security/moveit-automation-flaws-could-enable-full-system-compromise.html
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Image|contains:
      - 'java.exe'
      - 'MoveITAutomation.exe'
    Initiated: 'true'
  # Sigma has no 'notin' modifier: list the expected ports in a filter
  # and exclude them in the condition instead
  filter_standard_ports:
    DestinationPort:
      - 80
      - 443
      - 22
      - 21
  condition: selection and not filter_standard_ports
falsepositives:
  - Legitimate file transfers to non-standard partner ports
level: medium
KQL — Microsoft Sentinel / Defender
// Hunt for suspicious process creation by MOVEit Automation
// Looks for java.exe (hosting MOVEit) spawning shells
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("java.exe", "MoveITAutomation.exe", "MoveITDMZ.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, SHA256
| order by Timestamp desc
VQL — Velociraptor
-- Velociraptor VQL to hunt for MOVEit Automation process anomalies
-- Identifies processes where the parent is the MOVEit service and the child is a shell
-- (VQL has no SQL-style JOIN; the parent is resolved with a pslist(pid=...) subquery)
LET Shells = ("cmd.exe", "powershell.exe", "pwsh.exe")

SELECT Pid, Ppid, Name AS ChildName, CommandLine, Username,
       { SELECT Name FROM pslist(pid=Ppid) } AS ParentName
FROM pslist()
WHERE Name IN Shells
  AND ParentName =~ "(?i)java|MoveIT"
PowerShell
# Remediation Script: Check MOVEit Automation Service Status
# Note: This script checks for the service. Verify specific patch versions in vendor advisory.
$serviceName = "MOVEit Automation"
$service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue

if ($service) {
    Write-Host "[+] Found Service: $($service.DisplayName)"
    Write-Host "    Status: $($service.Status)"
    Write-Host "    Start Type: $($service.StartType)"
    Write-Host ""
    Write-Host "[ACTION REQUIRED]: Ensure you have applied the latest patches for CVE-2026-4670 and CVE-2026-5174."
    Write-Host "Refer to the official Progress Software advisory for the specific Build Number required."

    # Get process details if running. Get-CimInstance replaces the deprecated Get-WmiObject,
    # and the loop handles hosts where more than one matching process exists.
    if ($service.Status -eq 'Running') {
        $processes = Get-CimInstance -ClassName Win32_Process -Filter "Name='java.exe' OR Name='MoveITAutomation.exe'"
        foreach ($process in $processes) {
            Write-Host "    Process Path: $($process.ExecutablePath)"
            Write-Host "    Process ID: $($process.ProcessId)"
            if ($process.ExecutablePath -and (Test-Path $process.ExecutablePath)) {
                $fileVersion = (Get-Item $process.ExecutablePath).VersionInfo.FileVersion
                Write-Host "    File Version: $fileVersion"
            }
            Write-Host "    Please verify the file version of the executable against the vendor advisory."
        }
    }
} else {
    Write-Host "[-] MOVEit Automation service not found on this host."
}
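
The matching logic of the two Sigma rules above, reduced to plain code and run over a handful of constructed Sysmon-style events so the hit and miss cases can be checked offline. This is an added example, not code from the original post or from Progress Software; the event field names follow the Sigma rules, and the sample events are invented.

```python
# Added example: evaluates the two Sigma rules from this guide against
# constructed process_creation / network_connection events (not real telemetry).
MOVEIT_PARENTS = ("\\java.exe", "MoveITAutomation.exe", "MoveITDMZ.exe")  # ParentImage|contains
SHELLS = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")                 # Image|endswith
MOVEIT_IMAGES = ("java.exe", "MoveITAutomation.exe")                     # Image|contains
STANDARD_PORTS = {80, 443, 22, 21}                                       # excluded by the filter


def matches_shell_spawn(event):
    """Rule 1: a MOVEit Automation process spawning a shell (Sigma matching is case-insensitive)."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    parent_hit = any(p.lower() in parent for p in MOVEIT_PARENTS)
    child_hit = any(image.endswith(s.lower()) for s in SHELLS)
    return parent_hit and child_hit


def matches_nonstandard_egress(event):
    """Rule 2: a MOVEit process initiating a connection to a port outside the allow-list."""
    image = event.get("Image", "").lower()
    if not any(m.lower() in image for m in MOVEIT_IMAGES):
        return False
    if str(event.get("Initiated", "")).lower() != "true":
        return False
    return int(event.get("DestinationPort", 0)) not in STANDARD_PORTS


def triage(events):
    """Return (rule title, level, event) for every event that trips a rule."""
    hits = []
    for e in events:
        if e["EventType"] == "process_creation" and matches_shell_spawn(e):
            hits.append(("MOVEit Automation Spawning Windows Shell", "high", e))
        elif e["EventType"] == "network_connection" and matches_nonstandard_egress(e):
            hits.append(("Suspicious Network Connections from MOVEit Automation", "medium", e))
    return hits


SAMPLE_EVENTS = [  # constructed sample events
    {"EventType": "process_creation", "ParentImage": r"C:\MOVEit Automation\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},                                   # should hit rule 1
    {"EventType": "process_creation", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},                                   # benign parent
    {"EventType": "network_connection", "Image": r"C:\MOVEit Automation\jre\bin\java.exe",
     "Initiated": "true", "DestinationPort": 4444},                              # should hit rule 2
    {"EventType": "network_connection", "Image": r"C:\MOVEit Automation\jre\bin\java.exe",
     "Initiated": "true", "DestinationPort": 443},                               # allow-listed port
    {"EventType": "network_connection", "Image": r"C:\MOVEit Automation\jre\bin\java.exe",
     "Initiated": "false", "DestinationPort": 49152},                            # inbound, not initiated
]

if __name__ == "__main__":
    for title, level, event in triage(SAMPLE_EVENTS):
        print(f"[{level}] {title}: {event}")
```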

Remediation

  1. Patch Immediately: Apply the security updates released by Progress Software for MOVEit Automation. These patches specifically address CVE-2026-4670 and CVE-2026-5174.
  2. Verify Build Version: Do not rely solely on Windows "Last Updated" timestamps. Check the specific build version of the MOVEit Automation software against the vendor advisory to ensure the vulnerabilities are mitigated.
  3. Network Segmentation: Ensure MOVEit Automation servers are not directly exposed to the public internet unless absolutely necessary. Place them behind a VPN or a Zero Trust Access solution.
  4. Audit Access Logs: Review MOVEit Automation logs for any signs of unauthorized access or suspicious administrative activity prior to patching.

Official Vendor Advisory: Refer to the Progress Software support portal for the specific bulletin regarding MOVEit Automation 2026 patches.
