What Happened
Progress Software, the vendor behind the MOVEit managed file transfer platform used to move sensitive files within and between organisations, has disclosed a critical authentication bypass in MOVEit Automation, the component that schedules and orchestrates file transfers and data processing workflows. An attacker with no user account and no prior access to the system can bypass the login controls entirely and obtain full administrative access. From that position, an attacker can view, modify or delete automated transfer jobs; redirect outbound file transfers to destinations under their control; and read the logs of prior file operations, which may reference sensitive data.
Business Impact
MOVEit is used specifically because it moves sensitive data — payroll files, HR records, financial reports, health records, regulatory submissions, and customer data are among the file types routinely processed through managed file transfer platforms. A complete administrative access bypass means that everything MOVEit Automation is configured to handle is potentially within an attacker’s reach.
The context makes this disclosure unusually urgent. In 2023 the Cl0p ransomware group exploited a different critical flaw, in the sibling product MOVEit Transfer, as a zero-day: exploitation began before the advisory was published, and the campaign went on to compromise an estimated 2,700 organisations worldwide over the following weeks and months. Victims included government agencies in the United States and the UK, major financial institutions, healthcare systems, pension funds and universities. Many first learned of their exposure not from their own monitoring, but from extortion demands. Estimates of the resulting regulatory fines, legal costs and operational disruption run to hundreds of millions of pounds. The same infrastructure, the same targeting logic and in many cases the same operational teams are still active, and a disclosed authentication bypass in a MOVEit product is exactly the kind of opportunity they have acted on before.
Regulatory Implications
Organisations in scope of DORA (the EU’s Digital Operational Resilience Act for the financial sector) should assess whether any exploitation of this vulnerability meets the major ICT-related incident thresholds that trigger notification under Article 19. Leaving a disclosed critical vulnerability unpatched is not in itself an incident, but it is a deficiency against DORA’s ICT risk management requirements. Under NIS2, essential and important entities must handle vulnerabilities and patch critical systems as part of the cyber risk-management measures in Article 21; failure to remediate a disclosed critical flaw in a timely manner is a gap those measures exist to close, and any resulting significant incident is reportable under Article 23. Confirmed exploitation that results in access to personal data triggers GDPR’s obligation (Article 33) to notify the relevant supervisory authority within 72 hours of becoming aware of the breach.
Board-Ready Summary
- An attacker with no credentials can take complete control of MOVEit Automation and read or redirect any sensitive files it processes, a direct threat to data confidentiality and to regulatory compliance.
- The last critical flaw in this product family caused one of the largest mass data breaches of 2023; attackers with proven capability against this platform monitor for exactly this type of disclosure.
- Leadership must authorise emergency patching within 24 hours and confirm whether MOVEit Automation is internet-accessible; if it is, that exposure must be restricted immediately as a parallel action.
Recommended Actions
- Immediate (0–24 hours): Identify every MOVEit Automation instance in your environment, both cloud-hosted through Progress’s MOVEit Cloud service (which Progress patches, but confirm the patch status with them rather than assuming it) and self-hosted on-premises (which requires a manual update). Record which installations are reachable from the internet and which are internal only, and verify this from outside your network rather than from configuration alone, since firewall and load-balancer rules drift.
- Immediate (0–24 hours): Apply the patch from the Progress Software Customer Community portal to every self-hosted MOVEit Automation instance. Treat this as an emergency maintenance window and do not defer it to the next scheduled patch cycle. Take a backup of the configuration and logs before patching so that forensic evidence is preserved.
- Short-term (this week): Review MOVEit Automation access and activity logs for at least the 30 days before patching, and extend the window further back if you learned of the disclosure late; the 2023 flaw was exploited before its advisory was published, so do not assume exploitation started at disclosure. Look for authentication attempts from unexpected sources, API calls with no corresponding user session, new or modified transfer task definitions, and new external transfer destinations added to workflows. Treat any anomaly as a potential indicator of prior compromise and escalate it to incident response rather than simply patching over it.
- Short-term (this week): Assess and enforce network access controls. MOVEit Automation’s administrative interface and API endpoints should not be directly reachable from the public internet. If they currently are, restrict access to corporate IP ranges, management network segments or VPN-only access. Automation workflow endpoints have no operational requirement to be publicly reachable.
- Short-term (this week): Audit every configured transfer task definition and every external destination address, ideally against a known-good baseline or configuration backup taken before the disclosure. An attacker who gained administrative access could have added transfer destinations that exfiltrate files to locations they control; these persist after patching unless they are identified and removed, so the patch alone does not close the exposure.
- Ongoing: Review your managed file transfer architecture. If MOVEit Transfer or Automation was not redesigned for restricted-access operation after the 2023 breach, this is the moment to do so. Internet-facing managed file transfer platforms processing sensitive data represent a category of risk that justified architectural changes three years ago.