
Three Strikes, You're Out: MOVEit's Latest Critical Flaw and What Comes Next

By Editorial Team

    Three critical vulnerabilities in three years. Progress MOVEit's latest — CVE-2026-4670, a critical authentication bypass in MOVEit Automation — was disclosed May 4, 2026. No credentials required. No user interaction needed. Remote exploitation in low-complexity attacks. More than 1,400 internet-exposed instances online, including connections to U.S. state and local government.

    This is strike three.

    Strike One: The 2023 Zero-Day That Shook Government and Healthcare

    In June 2023, Progress disclosed a critical SQL injection vulnerability in MOVEit Transfer that allowed attackers to gain unauthorized access to databases and execute arbitrary code remotely. It wasn't theoretical. The Clop ransomware gang weaponized it within days, and the fallout was severe: more than 2,100 organizations compromised, including banks, universities, and government agencies. The FBI and CISA issued joint advisories. Congressional hearings followed.

    For many organizations, it was the first time they fully reckoned with what they were actually trusting when they trusted MOVEit: a perimeter-secured platform where data, once inside, had no protection of its own.

    Strike Two: The Patches That Kept Coming

    The 2023 zero-day wasn't a one-and-done disclosure. Additional critical CVEs followed throughout the summer — including CVE-2023-36934, also rated CRITICAL — as researchers dug deeper into the codebase. Each new patch required emergency change windows, IT scrambling, and another round of leadership briefings explaining why the platform they'd paid for and trusted had failed them again.

    Organizations that stuck with MOVEit after 2023 did so on the implicit promise that the worst was behind them. That promise just expired.

    Strike Three: CVE-2026-4670

    On May 4, 2026, Progress issued a fresh advisory: a critical authentication bypass in MOVEit Automation affecting all versions prior to 2025.1.5, 2025.0.9, and 2024.1.8. The flaw allows unauthenticated remote attackers to bypass access controls entirely. A second CVE — CVE-2026-5174 — enables privilege escalation once inside.

    Remediation requires a full system upgrade with mandatory downtime. For the 3,000+ enterprise organizations running MOVEit — including the government agencies with internet-exposed instances — that's another incident response sprint, another leadership conversation, another window of risk while patches are staged and tested.

    No confirmed exploitation yet doesn't mean no exploitation. Clop used the 2023 vulnerability against organizations before patches were even available. MFT platforms are known, high-value targets. The clock is running.

    Three Strikes and a Structural Problem

    Perimeter-based MFT platforms are built around a secured server that holds and moves files. When that perimeter is breached — and breach has now proven inevitable, repeatedly — the files inside are fully exposed. Every authenticated user, every attacker who bypasses authentication, every lateral mover who reaches the server: they all get the files. The server is the security boundary, and when it falls, nothing downstream protects the data.

    Data-centric security works from a different set of assumptions. Protection is embedded directly into the data — persistent encryption that travels with the file regardless of where it goes or who touches the server. A compromised server serves up ciphertext, not content.

    What One State Government Did Instead

    The State of Utah didn't wait for strike three. After the 2023 MOVEit disclosures — and after experiencing the storage outages and availability issues that had already been frustrating their team — they evaluated alternatives and selected Virtru Secure Share.

    The decision came down to more than security. Utah needed something their staff and external partners could actually use without friction — no additional software installs, no extra credentials for external recipients, and support for large files up to 15 GB. They got all of that, but the capability no MFT platform could match was this: With Virtru, data owners can revoke access at any time, even after a file has been shared externally.

    In a breach scenario, a MOVEit administrator finds out a credential was compromised when they read about it in the news. A Virtru-protected file owner can revoke from the Control Center — the file becomes unreadable, wherever it is, whoever holds it. This is immensely valuable for sensitive and regulated data, and allows the data owner to adapt in real time if a file is accidentally shared with the wrong person, or when a contract concludes and access needs to be spun down. 

    What to Do Right Now

    If you're running MOVEit Automation, patch immediately. Upgrade to version 2025.1.5, 2025.0.9, or 2024.1.8. Don't wait.
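A quick way to triage an inventory against the fixed builds named above (an added example, not code from Progress or Virtru). It assumes each fixed build applies to its own release branch and that any branch not listed has no fixed build; the hostnames and sample versions are constructed.

```python
import re

# Fixed builds named in the article, keyed by release branch (major, minor).
FIXED = {(2025, 1): 5, (2025, 0): 9, (2024, 1): 8}

def parse_version(text):
    """Parse '2025.0.9' or 'v2024.1.7.311' into (major, minor, patch) integers."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text or "")
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def classify(version):
    """Return (status, action) for one installed MOVEit Automation version."""
    try:
        major, minor, patch = parse_version(version)
    except ValueError:
        return "unknown", "verify the installed version by hand"
    branch = (major, minor)
    if branch in FIXED:
        fixed = f"{major}.{minor}.{FIXED[branch]}"
        if patch >= FIXED[branch]:  # integer compare, so 2025.0.10 > 2025.0.9
            return "patched", f"at or above {fixed}"
        return "vulnerable", f"upgrade to {fixed}"
    if branch > max(FIXED):
        # Assumption: the article says nothing about branches newer than 2025.1.
        return "review", "branch newer than the advisory; check Progress guidance"
    # Assumption: any other branch falls under "all versions prior to" a fix.
    return "vulnerable", "no fixed build listed for this branch; move to a fixed branch"

def triage(inventory):
    """Sort (host, version) pairs so hosts needing action come first."""
    order = {"vulnerable": 0, "unknown": 1, "review": 2, "patched": 3}
    rows = [(host, version, *classify(version)) for host, version in inventory]
    return sorted(rows, key=lambda row: (order[row[2]], row[0]))

# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE = [
    ("mft-auto-01.example.internal", "2025.1.5"),
    ("mft-auto-02.example.internal", "2025.0.10"),
    ("mft-auto-03.example.internal", "2024.1.7"),
    ("mft-auto-04.example.internal", "2023.1.2"),
    ("mft-auto-05.example.internal", "not reported"),
]

if __name__ == "__main__":
    for host, version, status, action in triage(SAMPLE):
        print(f"{status:<10} {host:<30} {version:<14} {action}")
```

Hosts that report no parseable version are listed as unknown rather than assumed patched, so they stay on the action list.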

    But while your team is scheduling that downtime window, there's a harder question worth asking: Is this the architecture we want to be running in 2027?

    Swapping MOVEit for a different MFT platform restarts the clock, but it doesn't change the underlying model. Three critical vulnerabilities in three years is enough evidence that the model itself is the liability. Protection that travels with the data, with real-time revocation and persistent control regardless of where files land, is a different architecture entirely — one where a compromised server doesn't mean compromised files.

    CVE-2026-4670 was disclosed May 4, 2026. Organizations should apply patches immediately per Progress Software's advisory. Virtru is not responsible for third-party patch guidance.

    Editorial Team

    The editorial team consists of Virtru brand experts, content editors, and vetted field authorities. We ensure quality, accuracy, and integrity through robust editorial oversight, review, and optimization of content from trusted sources, including use of generative AI tools.
