
MOVEit CVE-2026-4670: Critical Auth Bypass Threatens SAMA Banks

A CVSS 9.8 authentication bypass flaw in MOVEit Automation (CVE-2026-4670) lets unauthenticated attackers seize full administrative control of file transfer servers. Saudi financial institutions must act now.

FyntraLink Team

Progress Software has disclosed CVE-2026-4670, a critical authentication bypass vulnerability in MOVEit Automation carrying a CVSS score of 9.8. For Saudi banks operating under SAMA Cyber Security Controls, the flaw represents a direct path to compromise of the most sensitive layer of financial data movement: managed file transfer (MFT). Unauthenticated attackers can seize administrative control of the service without a single valid credential.

Inside CVE-2026-4670: What Makes This Authentication Bypass So Dangerous

CVE-2026-4670 is classified under CWE-305 (Authentication Bypass by Primary Weakness) and resides in the backend command-port interfaces of the MOVEit Automation service. The attack vector requires no credentials and no user interaction; network reachability to the vulnerable port is sufficient. Once exploited, an attacker gains full administrative privileges over the MFT engine that orchestrates batch transfers between core banking systems, payment gateways, regulatory reporting endpoints, and third-party processors. A companion flaw, CVE-2026-5174, enables further privilege escalation. Affected releases include all MOVEit Automation versions prior to 2025.1.5, 2025.0.9, and 2024.1.8. Progress confirms that the only valid remediation is an in-place upgrade using the full installer; a patch alone is not sufficient.
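Deciding whether a given build falls inside the affected set is a branch-by-branch comparison, not a single "less than" test, because each maintained line (2024.1, 2025.0, 2025.1) has its own fixed release. The script below is an added example, not Progress Software tooling: it classifies version strings against the three fixed builds named above and groups an inventory accordingly. The "YYYY.minor.patch[.build]" layout of the version string and the placeholder hostnames are assumptions.

```python
# Added example, not Progress Software tooling: branch-aware triage of MOVEit
# Automation version strings against the fixed releases named in the advisory
# (2025.1.5, 2025.0.9, 2024.1.8). The "YYYY.minor.patch[.build]" layout is an
# assumption; adjust parse_version() if your installer reports something else.

# Fixed release per maintained branch: (major, minor) -> (major, minor, patch)
FIXED_RELEASES = {
    (2025, 1): (2025, 1, 5),
    (2025, 0): (2025, 0, 9),
    (2024, 1): (2024, 1, 8),
}
NEWEST_FIXED_BRANCH = max(FIXED_RELEASES)


def parse_version(text: str) -> tuple[int, int, int]:
    """Return (major, minor, patch); a trailing build field, if present, is ignored."""
    fields = text.strip().split(".")
    if len(fields) < 3 or not all(f.isdigit() for f in fields[:3]):
        raise ValueError(f"unrecognised MOVEit Automation version string: {text!r}")
    major, minor, patch = (int(f) for f in fields[:3])
    return major, minor, patch


def assess(version: str) -> str:
    """Classify one instance as 'fixed', 'vulnerable' or 'verify'."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_RELEASES:
        # Same branch as a fixed build: the patch level decides.
        return "fixed" if (major, minor, patch) >= FIXED_RELEASES[branch] else "vulnerable"
    if branch > NEWEST_FIXED_BRANCH:
        # Newer branch than the advisory names: confirm against the vendor
        # advisory instead of assuming it is safe.
        return "verify"
    # Every release on an older branch predates all three fixed builds.
    return "vulnerable"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by assessment; unparsable versions land in 'verify'."""
    result: dict[str, list[str]] = {"fixed": [], "vulnerable": [], "verify": []}
    for host, version in sorted(inventory.items()):
        try:
            result[assess(version)].append(host)
        except ValueError:
            result["verify"].append(host)
    return result


# Constructed inventory spanning production, DR and pre-production; hostnames
# are placeholders, not real systems.
SAMPLE_INVENTORY = {
    "mft-prod-01": "2025.1.5",
    "mft-prod-02": "2025.1.4",
    "mft-dr-01": "2024.1.8",
    "mft-preprod-01": "2024.0.3",
    "mft-lab-01": "2023.1.2",
    "mft-lab-02": "unknown",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Note that a 2024.0.x build is reported as vulnerable even though no 2024.0 fix is listed: the advisory wording "prior to" covers every older line, so such hosts need the same full-installer upgrade as the rest.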

Why MFT Compromise Hits Harder Than a Typical RCE

Managed file transfer platforms are the connective tissue of regulated banking. They schedule SWIFT-related batch deliveries, push end-of-day reconciliation files to clearing partners, move PDPL-protected customer datasets to analytics warehouses, and feed regulatory reports to SAMA on fixed cadences. Administrative compromise of MOVEit Automation gives an adversary the ability to silently redirect, modify, copy, or delay any of these flows. Threat actors with a track record against MFT platforms — most notably Cl0p during the 2023 MOVEit Transfer campaign — have demonstrated they can automate mass exfiltration within days of patch release. Darktrace recently reported pre-CVE exploitation activity targeting edge file-transfer and identity products, with attackers active up to six days before public disclosure of similar Fortra GoAnywhere vulnerabilities.

Impact on Saudi Financial Institutions Under SAMA Oversight

For SAMA-regulated banks, an unpatched MOVEit Automation server is a multi-control failure waiting to be discovered. SAMA CSCC subdomains 3.3.14 (Cryptography) and 3.3.5 (Identity and Access Management) require demonstrable controls over data-in-transit and privileged access, both of which collapse if an unauthenticated attacker holds admin rights on the MFT orchestrator. NCA ECC controls 2-7-2 and 2-3-2 mandate secure remote management and protection of management interfaces from public networks; exposed MOVEit command ports violate both. PCI-DSS v4.0 requirement 4.2.1 (strong cryptography for cardholder data in transit) becomes meaningless when an attacker can intercept transfers at the source. Under PDPL Article 19, any unauthorized access to personal data through this vector is a notifiable incident to SDAIA within 72 hours.

Recommended Actions for Saudi CISOs and SOC Teams

  1. Inventory every MOVEit Automation instance — including disaster recovery and pre-production environments — and confirm version against the Progress security advisory. Anything below 2025.1.5, 2025.0.9, or 2024.1.8 must be upgraded immediately using the full installer, not a delta patch.
  2. Restrict exposure of the MOVEit Automation web interface and backend command ports to internal management VLANs only. No MOVEit Automation administrative service should be reachable from the public internet under any circumstance.
  3. Hunt retroactively for indicators of compromise: review IIS and MOVEit logs for unusual administrative API calls, new task creation, modification of FTP/SFTP host definitions, or off-hours configuration exports going back 30 days.
  4. Rotate all credentials, API keys, certificates, and PGP keys stored within MOVEit task definitions. Assume any secret accessible to the service account has been read.
  5. Validate MFT integrity controls: enable file hashing on outbound transfers and reconcile against expected batch manifests at the destination, particularly for SAMA regulatory submissions and SWIFT-adjacent flows.
  6. Update your incident response runbook to treat MFT compromise as a Tier-1 event with mandatory SAMA SOC notification, in line with the SAMA Cyber Threat Intelligence Sharing requirements.
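Step 5 is the one control that keeps working even when the orchestrator itself is suspect: a hash manifest generated at the source and reconciled at the destination reveals files that were altered, dropped or injected in transit. The following is an added example, not a MOVEit Automation feature: it produces a sha256sum-style manifest for an outbound batch and reconciles what the receiving side actually holds. The batch files, filenames and the tampering are all constructed inline so it runs offline.

```python
# Added example, not MOVEit's own integrity feature: hash every outbound file,
# ship a sha256sum-compatible manifest with the batch, and reconcile it against
# what the destination received. Files and tampering below are constructed.
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large batch files are not read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(batch_dir: Path) -> str:
    """Manifest text in sha256sum format: '<hex>  <name>' per line, sorted by name."""
    entries = [p for p in sorted(batch_dir.iterdir()) if p.is_file()]
    return "".join(f"{sha256_file(p)}  {p.name}\n" for p in entries)


def parse_manifest(text: str) -> dict[str, str]:
    """Parse manifest lines back into {name: hex digest}; reject malformed lines."""
    expected: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        digest, sep, name = line.partition("  ")
        if not sep or len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = digest.lower()
    return expected


def reconcile(manifest_text: str, received_dir: Path) -> dict[str, list[str]]:
    """Classify every expected and received file: ok, mismatch, missing, unexpected."""
    expected = parse_manifest(manifest_text)
    received = {p.name: sha256_file(p) for p in received_dir.iterdir() if p.is_file()}
    report: dict[str, list[str]] = {"ok": [], "mismatch": [], "missing": [], "unexpected": []}
    for name, digest in sorted(expected.items()):
        if name not in received:
            report["missing"].append(name)
        elif received[name] != digest:
            report["mismatch"].append(name)
        else:
            report["ok"].append(name)
    # Anything at the destination that the source never listed is a finding too.
    report["unexpected"] = sorted(set(received) - set(expected))
    return report


def demo() -> dict[str, list[str]]:
    """Constructed end-of-day batch: one file altered, one never delivered, one injected."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "outbound")
        dst = Path(tmp, "received")
        src.mkdir()
        dst.mkdir()
        (src / "eod_reconciliation.csv").write_text("acct,balance\n1001,250000.00\n")
        (src / "sama_regulatory_report.xml").write_text("<report period='2026-01'/>\n")
        (src / "settlement_batch.csv").write_text("ref,amount\nA1,1000.00\n")
        manifest = build_manifest(src)  # travels with the batch, out of band if possible

        shutil.copy(src / "eod_reconciliation.csv", dst)  # delivered intact
        (dst / "settlement_batch.csv").write_text("ref,amount\nA1,9000.00\n")  # altered
        # sama_regulatory_report.xml never arrives, and an unlisted file appears
        (dst / "unlisted_output.bin").write_bytes(b"\x00" * 16)
        return reconcile(manifest, dst)


if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status:10s} {', '.join(names) or '-'}")
```

The manifest should reach the destination over a channel the MFT service account cannot rewrite (for example, signed and delivered separately); if the same compromised orchestrator produces both the files and the manifest, reconciliation only proves the two are consistent with each other.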

Conclusion

CVE-2026-4670 is the type of vulnerability that turns a quiet weekend into a regulatory disclosure event. With over 1,400 MOVEit Automation instances exposed on the public internet at the time of disclosure, the window for proactive remediation is measured in hours, not days. Saudi banks that treat MFT as commodity infrastructure rather than a Tier-0 control surface will be the ones explaining themselves to SAMA and SDAIA after the fact.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment covering managed file transfer, vendor risk, and emergency vulnerability response.