MOVEit Automation CVE-2026-5174 Raises Patch Urgency After Cl0p History
CVE-2026-5174 is a high-severity MOVEit Automation privilege-escalation flaw. No APT or Cl0p exploitation is confirmed, but the 2023 MOVEit compromise history makes rapid patching urgent.

Executive Summary
Progress Software has disclosed CVE-2026-5174, a high-severity improper input validation vulnerability in MOVEit Automation that can allow privilege escalation. The issue affects MOVEit Automation 2025.1.0 before 2025.1.5, 2025.0.0 before 2025.0.9, 2024.0.0 before 2024.1.8, and versions prior to 2024.0.0.
The vulnerability was disclosed in the same April 2026 Progress bulletin as CVE-2026-4670, a critical authentication bypass in MOVEit Automation. Progress describes the combined risk as potentially enabling unauthorized access, administrative control, and data exposure through backend command port interfaces. For defenders, that pairing is important: even if CVE-2026-5174 itself requires low privileges, it sits in a product that orchestrates sensitive file-transfer workflows and may store credentials, task definitions, and connection details.
There is no public confirmation, as of May 6, 2026, that CVE-2026-5174 is being exploited by a named APT group, Cl0p, or any other specific actor. The urgency comes from exposure and history. In 2023, Cl0p, also tracked as TA505 in the CISA/FBI advisory, exploited CVE-2023-34362 in MOVEit Transfer to steal data from vulnerable organizations. MOVEit Automation is a different product, but threat actors already understand the value of managed file-transfer environments. Organizations should patch now rather than wait for confirmed exploitation.
Technical Analysis
CVE-2026-5174 is tracked as CWE-20: Improper Input Validation. The GitHub Advisory Database lists a Progress CNA CVSS 3.1 score of 7.7 with network attack vector, low attack complexity, low privileges required, and no user interaction. NVD's own enrichment currently scores the issue at 8.8 because it models higher confidentiality, integrity, and availability impact. Both ratings place the flaw in the high-severity range.
The vulnerable product is MOVEit Automation, the workflow scheduling and orchestration component of the MOVEit family. It is not the same as MOVEit Transfer, the public-facing file-transfer application at the center of the 2023 Cl0p campaign. That distinction should be kept clear in incident communications. However, MOVEit Automation can still be a high-value target because it coordinates movement of files between systems and may have access to stored credentials, automation jobs, partner destinations, and internal data paths.
Progress's fixed releases are:
- MOVEit Automation 2025.1.5 or later.
- MOVEit Automation 2025.0.9 or later.
- MOVEit Automation 2024.1.8 or later.
- Systems running versions prior to 2024.0.0 should move to a supported patched branch.
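The affected ranges and fixed releases above translate directly into an inventory check. The following Python is an added example, not Progress code; the hostnames and CSV layout are constructed, and version strings are assumed to be dotted numbers such as 2025.1.3.

```python
import csv
import io
import re

# Fixed releases per branch, taken from the list above.
FIXED = {(2025, 1): (2025, 1, 5), (2025, 0): (2025, 0, 9)}
FIXED_2024 = (2024, 1, 8)     # one fix covers the whole 2024.0.0 - 2024.1.x range
OLDEST_LISTED = (2024, 0, 0)  # older builds have no fixed release on their branch

# Constructed sample inventory (hostnames and CSV layout are assumptions).
INVENTORY = """host,version
mft-auto-01.example.internal,2025.1.3
mft-auto-02.example.internal,2025.0.9
mft-auto-03.example.internal,2024.0.4
mft-auto-04.example.internal,2023.1.2
"""


def parse_version(text):
    """Return (major, minor, patch); a missing patch counts as 0 (conservative)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)*\s*", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def triage(version_text):
    """Classify one installed version as (status, action)."""
    v = parse_version(version_text)
    if v < OLDEST_LISTED:
        return "vulnerable", "move to a supported patched branch"
    fixed = FIXED_2024 if v[0] == 2024 else FIXED.get(v[:2])
    if fixed is None:  # branch newer than anything the article lists
        return "unknown", "branch not covered above; check the vendor bulletin"
    if v >= fixed:
        return "patched", "none"
    return "vulnerable", "upgrade to " + ".".join(map(str, fixed)) + " or later"


def triage_inventory(csv_text):
    """Map each host in a host,version CSV to its triage result."""
    return {r["host"]: triage(r["version"]) for r in csv.DictReader(io.StringIO(csv_text))}


if __name__ == "__main__":
    for host, (status, action) in triage_inventory(INVENTORY).items():
        print(f"{host:32} {status:10} {action}")
```

Branches the article does not list are reported as unknown rather than assumed safe.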
CVE-2026-5174 was disclosed alongside CVE-2026-4670, a critical authentication bypass scored 9.8 by Progress. Censys notes that the two CVEs are paired in the bulletin, but public reporting has not shown a proof-of-concept chain demonstrating that one flaw enables the other. Defenders should still treat the pair as an emergency patching event because a compromise of MOVEit Automation could provide administrative control over sensitive transfer workflows.
Cl0p History and APT Assessment
The Cl0p history is the main reason this advisory deserves executive attention even before public exploitation appears. In May 2023, Cl0p exploited CVE-2023-34362, a zero-day SQL injection vulnerability in MOVEit Transfer, at scale. CISA and the FBI described the group as the Cl0p ransomware gang, also known as TA505, and said the campaign used internet-facing MOVEit Transfer applications to steal data from underlying databases.
That history does not mean Cl0p is exploiting CVE-2026-5174 today, and Cl0p should not be described as an APT group. The more accurate assessment is that MOVEit-family vulnerabilities attract both sophisticated cybercriminal operators and potentially APT teams because managed file-transfer systems often sit near regulated, partner-facing, or high-value data flows.
Our assessment: exploitation risk is elevated over the next several days to weeks. Public advisories, NVD enrichment, and security-vendor writeups give defenders enough detail to prioritize patching; the same visibility also helps attackers inventory exposed or lagging deployments. Organizations with internet-reachable MOVEit Automation administration surfaces, weak network segmentation, or delayed patch windows should treat this as urgent.
Mitigations & Recommendations
Patch MOVEit Automation immediately to the fixed release for your branch. Do not wait for confirmed APT or ransomware exploitation before scheduling emergency maintenance.
Priority actions:
- Upgrade to MOVEit Automation 2025.1.5, 2025.0.9, or 2024.1.8, depending on the deployed branch.
- If running a version prior to 2024.0.0, upgrade to a supported patched release rather than attempting to keep the unsupported branch online.
- Restrict MOVEit Automation administrative and backend command-port access to trusted management networks only.
- Review configured automation tasks, stored credentials, partner endpoints, and recent administrative changes for signs of misuse.
- Monitor for unusual authentication events, job modifications, unexpected file-transfer destinations, failed backend command activity, and newly created accounts.
- Treat MOVEit Automation as a sensitive orchestration system in incident response, not just as a utility server.
Organizations that cannot patch immediately should reduce exposure first: remove public access, enforce management network allowlists, and increase monitoring on MOVEit-related servers until the patched version is installed.
