Progress Warns of Critical MOVEit Automation Auth Bypass (CVE-2025-2025)
Progress Software has issued an urgent security advisory for a critical authentication bypass vulnerability in its MOVEit Automation managed file transfer (MFT) platform. Tracked as CVE-2025-2025 with a CVSS v3.1 base score of 10.0, the flaw stems from a missing validation check in the product’s REST API "/api/v1/authorization" endpoint. By sending a specially crafted HTTP request that includes a forged "X-MOVEit-Token" header, an unauthenticated attacker can obtain a valid session token and gain full access to the administration console.
The vulnerability affects all MOVEit Automation versions prior to 2025.0.5 and can be exploited without any prior credentials. Successful exploitation enables an adversary to read, write, or delete files on the managed file transfer server, modify system configurations, and potentially achieve remote code execution by uploading malicious scripts through the web interface. The attack surface is limited to the API endpoint, but exposed instances reachable over the internet are at the highest risk.
Organizations are strongly urged to update to MOVEit Automation version 2025.0.5, which patches the faulty token validation logic. In addition to applying the update, administrators should restrict external access to the API by using IP allow‑listing or VPN tunnels, monitor logs for anomalous patterns such as repeated 401 responses followed by successful calls from the same source IP, and review file‑transfer activity for signs of unauthorized data exfiltration.
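One way to run the log check described above, as an added example that is not Progress's own tooling: it assumes the API sits behind a reverse proxy writing Common Log Format access logs, and the log lines, IP addresses, thresholds and function name are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (assumed Common Log Format from a reverse proxy).
# Only the /api/v1/authorization path comes from the advisory text.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2025:09:00:00 +0000] "POST /api/v1/authorization HTTP/1.1" 401 98
203.0.113.5 - - [01/Jan/2025:09:00:01 +0000] "POST /api/v1/authorization HTTP/1.1" 401 98
203.0.113.5 - - [01/Jan/2025:09:00:02 +0000] "POST /api/v1/authorization HTTP/1.1" 401 98
192.0.2.10 - - [01/Jan/2025:10:00:01 +0000] "POST /api/v1/authorization HTTP/1.1" 401 98
192.0.2.10 - - [01/Jan/2025:10:00:03 +0000] "POST /api/v1/authorization HTTP/1.1" 401 98
192.0.2.10 - - [01/Jan/2025:10:00:05 +0000] "POST /api/v1/authorization HTTP/1.1" 401 98
192.0.2.10 - - [01/Jan/2025:10:00:09 +0000] "POST /api/v1/authorization HTTP/1.1" 200 412
198.51.100.7 - - [01/Jan/2025:10:02:00 +0000] "POST /api/v1/authorization HTTP/1.1" 401 98
198.51.100.7 - - [01/Jan/2025:10:02:20 +0000] "POST /api/v1/authorization HTTP/1.1" 200 412
203.0.113.5 - - [01/Jan/2025:10:30:00 +0000] "POST /api/v1/authorization HTTP/1.1" 200 412
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})\b'
)

def find_401_then_success(log_text, min_failures=3, window=timedelta(minutes=5), prefix="/api/"):
    """Flag a 2xx API response preceded by >= min_failures 401s from the same IP within window."""
    failures = defaultdict(deque)  # source IP -> timestamps of its recent 401s
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(prefix):
            continue  # skip malformed lines and non-API traffic
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, status = m["ip"], int(m["status"])
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()  # expire 401s that fell out of the window
        if status == 401:
            recent.append(ts)
        elif 200 <= status < 300:
            if len(recent) >= min_failures:
                alerts.append({"ip": ip, "failures": len(recent),
                               "first_401": recent[0], "success_at": ts, "path": m["path"]})
            recent.clear()  # a success ends the current failure streak
    return alerts

if __name__ == "__main__":
    for alert in find_401_then_success(SAMPLE_LOG):
        print(alert)
```

A single mistyped credential followed by a login (198.51.100.7) and failures long before a success (203.0.113.5) stay below the default threshold; tune `min_failures` and `window` to the environment's normal traffic.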
This finding follows a series of security issues in Progress Software’s product line, including the high‑profile MOVEit Transfer flaws disclosed in 2023. The company coordinated the disclosure with CISA and credited the discovery to researchers participating in its bug‑bounty program. Security teams should treat this vulnerability as a critical priority and implement the provided mitigations immediately to protect sensitive data and maintain operational integrity.