MOVEit Automation Privilege Escalation (CVE-2026-5174)

Progress Software’s MOVEit Automation is impacted by CVE-2026-5174, an improper input validation vulnerability that allows for privilege escalation. The National Vulnerability Database (NVD) rates this issue with a high CVSS score of 7.7. This isn’t just a theoretical flaw; it’s a critical gateway for an attacker to gain elevated access within an organization’s file transfer infrastructure.

The vulnerability affects multiple versions of MOVEit Automation: from 2025.1.0 before 2025.1.5, from 2025.0.0 before 2025.0.9, and from 2024.0.0 before 2024.1.8, as well as all versions prior to 2024.0.0. The NVD lists CWE-20 (Improper Input Validation) as the root cause, a common but often overlooked vector for privilege escalation and command injection attacks. Attackers don’t need highly sophisticated tooling for this; they just need to understand how to manipulate the input.

For defenders, this means a low-privileged attacker, or even an external actor who gains initial access, could leverage this to move laterally and establish persistence with higher privileges. The attacker’s calculus here is simple: find a weak point in input handling, exploit it to run commands as a more powerful user, and then expand their foothold. This is how minor incidents turn into major breaches.

What This Means For You

  • If your organization uses MOVEit Automation, immediately review your deployed versions against the affected range for CVE-2026-5174. Prioritize patching to the latest secure release to prevent privilege escalation. Audit logs for any suspicious activity or unexpected privilege changes within your MOVEit environment.
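
The version review above can be scripted. The following is an added example, not code from Progress or from the original post: it checks an inventory against the ranges stated in this advisory, comparing versions numerically so that a build such as 2025.0.10 is not mistaken for one older than 2025.0.9. The host names and the inventory are constructed for illustration.

```python
import re

# Ranges copied from the advisory text: (first affected, first fixed) per release train.
AFFECTED_RANGES = [
    ((2025, 1, 0), (2025, 1, 5)),
    ((2025, 0, 0), (2025, 0, 9)),
    ((2024, 0, 0), (2024, 1, 8)),
]
OLDEST_LISTED = (2024, 0, 0)  # everything below this is also listed as affected


def parse_version(text):
    """Parse 'YYYY.N.N' (extra build components ignored) into a tuple of ints."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def assess(version_text):
    """Return (affected, first_fixed); first_fixed is None when no train fix is listed."""
    v = parse_version(version_text)
    if v < OLDEST_LISTED:
        return True, None  # affected, but the advisory names no fix for this train
    for start, fixed in AFFECTED_RANGES:
        if start <= v < fixed:
            return True, ".".join(map(str, fixed))
    return False, None


def audit(inventory):
    """Map {host: version} to a sorted list of (host, version, first_fixed) for affected hosts."""
    findings = []
    for host, version in sorted(inventory.items()):
        affected, fix = assess(version)
        if affected:
            findings.append((host, version, fix))
    return findings


# Constructed inventory with hypothetical host names, not data from the advisory.
SAMPLE_INVENTORY = {
    "mft-prod-01": "2025.0.8",
    "mft-prod-02": "2025.0.10",  # numerically past 2025.0.9, so not affected
    "mft-dr-01": "2024.1.7",
    "mft-lab-01": "2023.1.2",
    "mft-new-01": "2025.1.5",
}

if __name__ == "__main__":
    for host, version, fix in audit(SAMPLE_INVENTORY):
        print(f"{host}: {version} is affected; first fixed in train: {fix or 'not listed'}")
```
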

🛡️ Detection Rules

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

critical T1068 Privilege Escalation

MOVEit Automation Privilege Escalation via Specific API Endpoint - CVE-2026-5174

Sigma YAML:
title: MOVEit Automation Privilege Escalation via Specific API Endpoint - CVE-2026-5174
id: scw-2026-04-30-ai-1
status: experimental
level: critical
description: |
  This rule detects attempts to exploit CVE-2026-5174 by targeting the specific API endpoint '/api/v1/settings/security/password-policy' using the PUT method. This endpoint is vulnerable to improper input validation, allowing an attacker with low privileges to escalate their privileges within MOVEit Automation.
author: SCW Feed Engine (AI-generated)
date: 2026-04-30
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-5174/
tags:
  - attack.privilege_escalation
  - attack.t1068
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/api/v1/settings/security/password-policy'
    cs-method:
      - 'PUT'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse
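
To see how the rule's selection behaves on real log columns, the following added example (not part of the original rule or post) evaluates it over W3C extended log lines. It assumes IIS-style field names, where the URI is split into cs-uri-stem and cs-uri-query and has to be rejoined into the rule's cs-uri. The log lines, user names and the EXPECTED_ADMINS allow-list are constructed for illustration.

```python
ENDPOINT = "/api/v1/settings/security/password-policy"  # from the rule above
EXPECTED_ADMINS = {"admin"}  # hypothetical allow-list used to triage false positives

# Constructed W3C extended log lines (IIS-style field names), not real traffic.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2026-05-02 08:14:07 10.0.4.21 svc-report GET /api/v1/settings/security/password-policy - 200
2026-05-02 08:14:09 10.0.4.21 svc-report PUT /api/v1/settings/security/password-policy - 200
2026-05-02 09:30:41 10.0.1.5 admin PUT /API/v1/Settings/security/password-policy - 200
2026-05-02 09:31:02 10.0.4.21 svc-report PUT /api/v1/tasks/42 - 403
"""


def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def rule_matches(rec):
    """The rule's selection: cs-uri contains ENDPOINT and cs-method is PUT."""
    uri = rec["cs-uri-stem"]
    if rec.get("cs-uri-query", "-") not in ("", "-"):
        uri += "?" + rec["cs-uri-query"]
    # Sigma string matching is case-insensitive by default, so compare the same way.
    return ENDPOINT in uri.lower() and rec["cs-method"].upper() == "PUT"


def triage(text, expected_admins=EXPECTED_ADMINS):
    """Return rule hits with the context an analyst needs to judge each one."""
    hits = []
    for rec in parse_w3c(text):
        if rule_matches(rec):
            hits.append({
                "when": f"{rec['date']} {rec['time']}",
                "user": rec["cs-username"],
                "src": rec["c-ip"],
                "status": rec["sc-status"],
                "expected_admin": rec["cs-username"].lower() in expected_admins,
            })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Both PUT requests to the endpoint match; the expected_admin flag separates the change made by a known administrator, which the rule lists as a false positive, from the one made by a service account.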


Indicators of Compromise

ID | Type | Indicator
CVE-2026-5174 | Privilege Escalation | Progress Software MOVEit Automation
CVE-2026-5174 | Privilege Escalation | MOVEit Automation versions from 2025.1.0 before 2025.1.5
CVE-2026-5174 | Privilege Escalation | MOVEit Automation versions from 2025.0.0 before 2025.0.9
CVE-2026-5174 | Privilege Escalation | MOVEit Automation versions from 2024.0.0 before 2024.1.8
CVE-2026-5174 | Privilege Escalation | MOVEit Automation versions prior to 2024.0.0

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 30, 2026 at 19:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
