
MOVEit Automation CVE-2026-4670: Critical Auth Bypass Threatens SAMA Banks

Progress disclosed CVE-2026-4670 — a CVSS 9.8 authentication bypass in MOVEit Automation. Here is what SAMA-regulated banks must do this week to protect interbank file transfers and meet third-party risk obligations.

FyntraLink Team

On May 4, 2026, Progress Software disclosed CVE-2026-4670, a CVSS 9.8 authentication bypass in MOVEit Automation that lets unauthenticated attackers seize administrative control of one of the most widely deployed managed file transfer (MFT) products in Saudi Arabia's banking sector. Paired with CVE-2026-5174 (CVSS 7.7), the chain delivers full takeover of the platform that moves SARIE settlements, vendor batch files, and customer statements every night. For SAMA-regulated institutions this is not just another patch; it is a board-level event under the SAMA Cyber Security Framework's Vulnerability Management (3.3.17) and Third Party Cyber Security (3.4) domains.

What CVE-2026-4670 actually does in MOVEit Automation

The flaw lives in the service backend command port interface of MOVEit Automation versions 2025.1.4 (17.1.4) and earlier, 2025.0.8 (17.0.8) and earlier, and 2024.1.7 (16.1.7) and earlier. Reported privately by Airbus researchers, the bypass requires no credentials and has low attack complexity, meaning a single Automation server reachable from a third-party VPN, partner DMZ, or misconfigured load balancer is enough to grant administrative API access. CVE-2026-5174, the companion privilege escalation, extends the same outcome to any low-privileged authenticated context: the attacker can modify scheduled tasks, plant arbitrary scripts, and exfiltrate any file still staged on, or reachable from, the Automation host.

Why MOVEit's track record makes this worse

This is the third critical bypass class in MOVEit's product family in roughly three years. The 2023 MOVEit Transfer SQL injection campaign by Cl0p compromised more than 2,700 organizations — including several Gulf financial services providers via shared third-party processors. Threat actors who already maintain MOVEit-specific tooling, scanners, and post-exploitation playbooks will weaponize CVE-2026-4670 within days. Mass scanning of the default 8888/TCP and 443/TCP MFT footprints typically begins inside 72 hours of public PoC release, and Censys-class internet exposure data shows hundreds of unpatched MOVEit Automation instances reachable from Saudi IP space and from the Tier-1 MSPs that serve our financial sector.

Impact on SAMA-regulated financial institutions

MOVEit Automation is the engine behind nightly batch flows: SAMA reporting files, SADAD reconciliation, payroll exports for corporate clients, and EDI exchanges with insurance and brokerage partners. Compromise here triggers several SAMA Cyber Security Framework obligations at once: 3.3.5 (Identity and Access Management) for the bypassed authentication boundary, the framework's cryptography and data protection controls (3.3.9) for files staged in clear text on the Automation host, and 3.4 (Third Party Cyber Security) because most banks consume MOVEit through an outsourced operations partner. Under the NCA Essential Cybersecurity Controls, banks must also assess and report any third-party software vulnerability that affects the confidentiality of personal data, which brings PDPL breach notification timelines into play. Compounding all of this, PCI DSS 4.0.1 requirement 6.3.3 demands that critical and high-severity vendor patches be applied within one month of release, and 11.3.1.2 requires authenticated internal scans that can confirm remediation.

Recommendations and practical steps

  1. Patch immediately to MOVEit Automation 2025.1.5, 2025.0.9, or 2024.1.8 (one fixed build per maintenance branch); Progress has confirmed these versions remediate both CVE-2026-4670 and CVE-2026-5174. Treat any window beyond 72 hours as a documented risk acceptance that requires formal sign-off.
  2. Inventory every MOVEit Automation, MOVEit Transfer, and MOVEit Cloud tenancy across the bank and its outsourcing providers. Demand written attestation of patch status from each vendor by formal letter; verbal assurance does not satisfy the SAMA Cyber Security Framework's third-party requirements (3.4).
  3. Block the service backend command port at the network layer for any source outside trusted administrative subnets. Default exposure of administrative interfaces to vendor VPNs is the most common compromise path observed in regional incident response engagements.
  4. Hunt retroactively for indicators of compromise: unexpected scheduled tasks, new admin users created since April 1, 2026, anomalous outbound TLS connections from the Automation server, and any modification of task XML configuration files. Preserve logs for at least 180 days to satisfy SAMA forensic readiness expectations.
  5. Rotate all secrets stored or processed by Automation tasks — SFTP keys, API tokens, encryption certificates, and integrated SQL credentials. Assume any credential the platform has touched since the last clean baseline is now untrusted.
  6. Engage your cyber threat intelligence function to monitor Cl0p, Akira, and 8Base leak sites for MOVEit-tagged victims in the GCC. Public extortion typically lags initial compromise by 4 to 8 weeks, giving banks a narrow window to contain before disclosure pressure begins.
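Steps 1 and 2 reduce to one question per instance: given the version a vendor actually reports, is that host on a fixed build? The answer depends on the maintenance branch, since 2025.1, 2025.0 and 2024.1 each have their own fixed version, and a single "newer than 2025.1.5" test would wrongly flag 2025.0.9 as vulnerable. The following Python triage script is an added example written for this page, not Progress or Fyntralink code. It assumes the fixed versions and the 17.x/16.x internal numbering listed above; the inventory it runs on is constructed sample data.

```python
"""Branch-aware patch-status triage for a MOVEit Automation inventory.

Added example, not Progress or Fyntralink code. It assumes an inventory
assembled in step 2 (CMDB export plus vendor attestation letters); the
hosts, owners and versions below are constructed sample data.
"""
from dataclasses import dataclass

# Each maintenance branch has its own fixed build (the versions named on this
# page). A single "version >= 2025.1.5" test would wrongly flag 2025.0.9 and
# 2024.1.8 as vulnerable, so the comparison is done per branch.
FIXED_BY_BRANCH = {
    (2025, 1): (2025, 1, 5),
    (2025, 0): (2025, 0, 9),
    (2024, 1): (2024, 1, 8),
}

# Vendors sometimes report the internal build number (17.1.4) rather than the
# marketing version (2025.1.4); this page lists both, and they map as follows.
INTERNAL_TO_MARKETING = {17: 2025, 16: 2024}


def normalize(version: str) -> tuple[int, int, int]:
    """Parse '2025.1.4' or '17.1.4' into a comparable (year, minor, patch) tuple."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return (INTERNAL_TO_MARKETING.get(major, major), minor, patch)


def patch_status(version: str) -> str:
    """Classify one instance as 'patched', 'vulnerable' or 'unknown-branch'."""
    v = normalize(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        # A branch the advisory does not list (end-of-life, or newer than the
        # fixed builds known here) must be checked by hand, never assumed safe.
        return "unknown-branch"
    return "patched" if v >= fixed else "vulnerable"


@dataclass(frozen=True)
class Instance:
    host: str
    owner: str        # bank team or outsourcing provider operating it
    version: str      # as reported in the CMDB or the vendor's letter
    attested: bool    # written patch attestation received (step 2)


def triage(inventory: list[Instance]) -> list[dict]:
    """Return one action row per instance that still needs follow-up.

    Patched and attested instances are omitted; everything else gets an
    explicit action so nothing drops off the tracker silently.
    """
    rows = []
    for inst in inventory:
        st = patch_status(inst.version)
        if st == "vulnerable":
            action = "patch now; escalate as documented risk acceptance past 72h"
        elif st == "unknown-branch":
            action = "confirm branch and support status with Progress"
        elif not inst.attested:
            action = "obtain written attestation from owner"
        else:
            continue
        rows.append({"host": inst.host, "owner": inst.owner,
                     "version": inst.version, "status": st, "action": action})
    return rows


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = [
    Instance("mft-prod-01", "bank core ops", "2025.1.4", True),
    Instance("mft-prod-02", "bank core ops", "2025.0.9", True),
    Instance("mft-dr-01", "outsourcer A", "17.1.5", False),
    Instance("mft-edi-01", "outsourcer B", "16.1.7", True),
    Instance("mft-legacy-01", "outsourcer B", "2024.0.3", True),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['host']:<14} {row['version']:<9} {row['status']:<15} {row['action']}")
```

Replace SAMPLE_INVENTORY with the real CMDB export and the output rows become the tracker for step 2's attestation letters. Note that an unknown-branch result is a prompt to ask Progress about that build, not a pass, and that a patched host without written attestation still appears as an open item.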

Conclusion

CVE-2026-4670 is not a routine CVE — it is a direct hit on the file transfer plumbing that holds Saudi banking together, in a product whose threat actor ecosystem is already mature and aggressive. Banks that patch within 72 hours, validate vendor remediation in writing, and proactively hunt for prior compromise will satisfy SAMA, NCA, and PCI-DSS expectations. Banks that do not will face the same audit findings the 2023 MOVEit victims still carry on their risk registers today.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment focused on third-party file transfer risk and MFT supply chain hardening.