🤖 USMC Advances Multi-Domain Drone Strategy Through 2040
The Marine Corps plans operational testing of its MUX TACAIR collaborative combat aircraft by 2029, with Northrop Grumman integrating Kratos XQ-58 Valkyrie drones. Concurrent programs include Group 3 UAS for organic ISR, autonomous logistics platforms ALC and MARV-EL for expeditionary resupply, and the Future Attack Strike program to replace UH-1 helicopters with optionally-piloted multi-role aircraft by 2040.
Officials compare the transformation to introducing rotary-wing aviation in the 1950s, according to statements at Modern Day Marine. The shift reflects force design requirements for distributed Pacific operations under contested conditions.
🛰️ Open sources - closed narratives
@sitreports
🔫 Cybercrime Groups Weaponize Vishing and SSO Flaws for SaaS Extortion
Threat actors are combining voice phishing with single sign-on abuse to conduct rapid extortion attacks against SaaS platforms. The technique allows attackers to bypass traditional security controls by exploiting trust relationships in federated authentication systems, according to recent reporting.
The shift toward SSO-targeted social engineering represents an evolution in access broker tactics, compressing the intrusion-to-extortion timeline significantly. Organizations relying heavily on federated identity without secondary verification mechanisms face elevated exposure to this attack vector.
🔍 China-Linked APT Targets Governments and Civil Society Across Asia and NATO
A China-attributed threat actor has conducted intrusion operations against government entities in multiple Asian countries, at least one NATO member state, as well as journalists and activists. The campaign demonstrates continued focus on strategic intelligence collection across governmental and civil society targets, according to reporting published on May 1.
The targeting pattern indicates sustained interest in both state-level intelligence and monitoring of individuals involved in politically sensitive activities. The overlap between government networks and civil society figures suggests coordinated intelligence priorities aligned with strategic geopolitical interests.
🔫 cPanel Critical Flaw Exploited as Zero-Day, Ransomware Demands Reported
CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog, confirming active exploitation of a 9.8 CVSS-rated authentication bypass affecting cPanel and WHM installations. Hosting provider KnownHost disclosed exploitation attempts dating to February 23, weeks before patches shipped Tuesday. At least one small business reported a $7,000 ransomware demand following compromise. Namecheap temporarily blocked cPanel access entirely during the incident window.
Roughly 1.5 million internet-exposed cPanel instances remain visible via Shodan, with successful exploitation granting full server control. The vulnerability affects all supported versions post-11.40, creating exposure across tens of millions of hosted sites reliant on third-party patching cycles.
🔫 Ubuntu infrastructure under sustained DDoS, extortion demands follow
Canonical confirms its web infrastructure is experiencing a cross-border DDoS attack claimed by pro-Iranian hacktivist group 313 Team. Ubuntu.com and multiple subdomains have been offline for over 12 hours, blocking distro downloads and user account access. The group initially announced a four-hour operation via Telegram but extended the assault with ransom demands, threatening continued disruption unless Canonical contacts them through a provided Session ID.
313 Team has targeted eBay Japan, eBay US, and BlueSky in recent weeks. The shift from hacktivist disruption to explicit extortion marks an operational escalation. No motive for targeting the London-based open source firm has been stated.
🔫 Two Cybersecurity Professionals Sentenced to Four Years for BlackCat Ransomware Operations
Two individuals working in cybersecurity roles have received four-year prison sentences for their participation in BlackCat ransomware attacks, according to reporting from The Hacker News. The case marks a notable prosecution of threat actors who leveraged professional security expertise to conduct criminal operations.
The sentencing highlights ongoing law enforcement focus on dismantling ransomware-as-a-service operations and prosecuting both operators and affiliates. The involvement of credentialed cybersecurity professionals in ransomware activities demonstrates continued insider threat risk and potential exploitation of privileged access for criminal purposes.
🔫 Malicious Ruby Gems and Go Modules Target CI/CD Infrastructure
Poisoned software packages in Ruby Gems and Go Modules repositories have been identified exploiting continuous integration pipelines to exfiltrate credentials and sensitive data. The supply chain attack leverages automated build processes that execute untrusted code during dependency installation, according to reporting on the compromise vector.
The incident highlights systemic vulnerability in CI/CD trust models where package managers operate with elevated permissions during automated builds. Organizations relying on public repositories without integrity verification face direct exposure to credential theft through compromised development pipelines.
🔫 cPanel Zero-Day Drives Mass 'Sorry' Ransomware Campaign
A critical authentication bypass flaw in cPanel (CVE-2026-41940) is being mass-exploited to deploy 'Sorry' ransomware across Linux hosting servers. The vulnerability, exploited as a zero-day since late February, has compromised at least 44,000 IP addresses according to Shadowserver monitoring. The Go-based encryptor appends .sorry extensions and uses ChaCha20 encryption with RSA-2048 key protection, making decryption impossible without the private key.
The campaign intensified Thursday with widespread attacks documented by security researchers, leaving hundreds of compromised websites indexed in public search results. All victims receive identical ransom notes with a single Tox contact ID. Emergency patches are available, but exploitation continues to escalate.
🔫 Deep#Door RAT embeds Python backdoor inside batch file, disables Windows defenses
Securonix researchers identified a Python-based remote access trojan that self-extracts from a batch script, kills Defender and event logging, then establishes persistence via registry keys, WMI subscriptions, and scheduled tasks. The malware uses bore.pub, a legitimate TCP tunneling service, to mask command-and-control traffic and evade network-based detection.
The campaign demonstrates a shift toward fileless, script-driven frameworks that eliminate external payload downloads. Detection should focus on behavioral signals: PowerShell self-referencing commands, writes to SystemServices directories, and outbound connections to bore.pub across ports 41234–41243.
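As an added illustration, not Securonix's code or any vendor's detection content, the following triage pass applies the three behavioral signals named above to a constructed JSON event stream. The event schema, the SystemServices path, and the reading of "self-referencing" as a PowerShell process whose command line names the .bat file that spawned it are assumptions.

```python
import json
import re

BORE_HOST = "bore.pub"
BORE_PORTS = range(41234, 41244)  # 41234-41243 inclusive, as named in the report
# Assumption: a Windows drive path ending in .bat inside the parent's command line
BAT_PATH = re.compile(r"""([A-Za-z]:\\[^"']+?\.bat)""", re.IGNORECASE)


def is_bore_pub_c2(ev):
    """Outbound connection to bore.pub (or a subdomain) on the reported port window."""
    if ev.get("type") != "network":
        return False
    host = str(ev.get("dest_host", "")).lower().rstrip(".")
    on_bore = host == BORE_HOST or host.endswith("." + BORE_HOST)
    try:
        port = int(ev.get("dest_port", -1))
    except (TypeError, ValueError):
        return False
    return on_bore and port in BORE_PORTS


def is_systemservices_write(ev):
    """File write whose directory path contains a SystemServices component."""
    if ev.get("type") != "file_write":
        return False
    parts = [p.lower() for p in re.split(r"[\\/]+", str(ev.get("path", "")))]
    return "systemservices" in parts[:-1]  # directory components only, not the file name


def is_self_referencing_powershell(ev):
    """PowerShell spawned from a .bat whose own command line names that same .bat.

    Assumption: this is what "self-referencing commands" means, i.e. the script
    re-reads itself to carve out the embedded payload."""
    if ev.get("type") != "process":
        return False
    image = str(ev.get("image", "")).lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return False
    m = BAT_PATH.search(str(ev.get("parent_cmdline", "")))
    if not m:
        return False
    return m.group(1).lower() in str(ev.get("cmdline", "")).lower()


RULES = [
    ("bore_pub_c2", is_bore_pub_c2),
    ("systemservices_write", is_systemservices_write),
    ("self_referencing_powershell", is_self_referencing_powershell),
]


def triage(lines):
    """Return [(event_id, rule_name)] for every event that trips a rule; skip unparsable lines."""
    hits = []
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry must not abort the whole pass
        for name, rule in RULES:
            if rule(ev):
                hits.append((ev.get("id"), name))
    return hits


# Constructed sample telemetry (not real Securonix data): one JSON event per line.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -nop -w hidden -c "Get-Content C:\Users\alice\Downloads\invoice.bat -Raw"',
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": r'cmd /c "C:\Users\alice\Downloads\invoice.bat"'},
    {"id": 2, "type": "file_write", "path": r"C:\ProgramData\SystemServices\svchost.py"},
    {"id": 3, "type": "network", "dest_host": "bore.pub", "dest_port": 41237},
    {"id": 4, "type": "network", "dest_host": "bore.pub", "dest_port": 443},   # outside the window
    {"id": 5, "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Get-Date",
     "parent_image": r"C:\Windows\explorer.exe", "parent_cmdline": r"C:\Windows\explorer.exe"},
    {"id": 6, "type": "file_write", "path": r"C:\Users\alice\Documents\SystemServices.txt"},  # file name only
]
SAMPLE_LINES = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS) + "\nGARBAGE not json\n"

if __name__ == "__main__":
    for event_id, rule in triage(SAMPLE_LINES):
        print(f"event {event_id}: {rule}")
```

In an environment with no legitimate use of bore.pub, the port window can be dropped so that any connection to the host is flagged.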
🔍 AiTM Phishing Campaigns Target SaaS Platforms
Threat actors are deploying adversary-in-the-middle login pages to compromise SharePoint, HubSpot, and Google Workspace environments. Recent analysis shows attackers are bypassing endpoint security by targeting SaaS infrastructure directly, exploiting the credential harvesting window during authentication flows.
The shift indicates adversary adaptation to cloud-first enterprise architectures where traditional perimeter defenses offer limited visibility. AiTM techniques allow real-time session token capture, enabling immediate account takeover even when multi-factor authentication is enabled.
🔍 Trellix Confirms Source Code Repository Breach
Cybersecurity firm Trellix disclosed unauthorized access to part of its source code repository, though the company states there is no evidence of code alteration or exploitation. The breach prompted an immediate forensic investigation and law enforcement notification, according to Security Affairs reporting. Details on the threat actor, access duration, and compromised data scope remain undisclosed.
Source code exposure creates risk vectors including vulnerability discovery, exploit development, credential extraction, and supply chain compromise. The incident highlights persistent targeting of security vendor infrastructure, where reconnaissance value exceeds immediate operational impact.
🔫 cPanelSniper PoC Exploit Framework Released Publicly
A weaponized proof-of-concept framework targeting a critical vulnerability in cPanel and WebHost Manager has been released, according to recent reporting. The exploit enables unauthorized access to vulnerable servers running the widely deployed hosting management platform.
Public availability of the cPanelSniper framework significantly lowers the technical barrier for mass exploitation attempts. Administrators running affected versions face immediate risk of compromise and should prioritize patching operations.
🤖 UK cyber agency warns of AI-driven vulnerability surge
The UK's National Cyber Security Centre has issued a warning that AI is exploiting technical debt at scale, creating an imminent "patch wave" that will overwhelm defensive capabilities. NCSC CTO Ollie Whitehouse stated that AI-powered bug hunting tools like Claude Mythos and GPT-5.5-Cyber are rapidly exposing decades of accumulated vulnerabilities, accelerating both discovery and exploitation timelines faster than many organizations can manage.
The agency recommends immediate reduction of internet-facing attack surfaces and prioritizing perimeter defenses, while noting that end-of-life systems may require full replacement rather than patching alone.
🔍 Five Eyes Agencies Warn Against Rush to Deploy Agentic AI
Cybersecurity agencies from the US, UK, Canada, Australia, and New Zealand issued joint guidance cautioning that agentic AI systems may behave unpredictably and amplify existing organizational vulnerabilities. The document details scenarios where AI agents with excessive permissions could be exploited by insiders or attackers to approve fraudulent payments, delete audit logs, or compromise critical systems through interconnected attack surfaces.
The agencies recommend organizations deploy incrementally, starting with low-risk tasks while maintaining human oversight. Until security standards mature, the guidance prioritizes "resilience, reversibility and risk containment over efficiency gains" — a measured response as agentic AI expands across defense and critical infrastructure sectors.
🔍 Instructure Breach Exposes 240M Education Records
Educational technology company Instructure, operator of the Canvas learning management system used by nearly 9,000 schools globally, confirmed a cyberattack resulting in data theft. The ShinyHunters extortion gang claims responsibility for stealing over 240 million records containing names, email addresses, student IDs, and billions of private messages between students and teachers across 15,000 institutions. The company states that no passwords or financial data appear compromised, though investigations continue.
The incident represents one of the largest education sector breaches by volume, affecting institutions across North America, Europe, and Asia-Pacific. Instructure has deployed patches, rotated application keys, and engaged law enforcement.
🔍 Microsoft Defender False Positive Removes DigiCert Root Certificates
Microsoft Defender flagged legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha starting April 30, causing widespread false positives that removed certificates from Windows trust stores globally. The detections targeted two specific DigiCert root certificate entries and removed them from the AuthRoot registry store, according to reporting from BleepingComputer.
Microsoft confirmed the false positives stemmed from detections added after a recent DigiCert breach where attackers obtained valid code-signing certificates used to sign malware. The issue has been resolved in Security Intelligence update 1.449.430.0, which automatically restores removed certificates on affected systems.
🔫 cPanel Authentication Bypass Added to CISA KEV Catalog
CISA has added CVE-2026-41940, an authentication bypass flaw in WebPros cPanel and WHM versions after 11.40, to its Known Exploited Vulnerabilities catalog. The vulnerability allows remote attackers to bypass login checks and gain unauthorized control panel access. Shadowserver Foundation reports at least 44,000 IPs compromised and actively scanning, with exploitation dating back to February.
Federal agencies must remediate by May 3, 2026 under BOD 22-01. watchTowr released detection tools after discovering the flaw, while hosting providers including Namecheap have implemented temporary access restrictions to mitigate active exploitation.
🔫 Telegram Mini Apps weaponized for crypto fraud and malware delivery
Researchers have identified a large-scale fraud operation dubbed FEMITBOT exploiting Telegram's Mini App feature to run cryptocurrency scams, impersonate major brands including Apple, NVIDIA, and Disney, and distribute Android malware. The platform uses Telegram bots to launch phishing pages within the app's WebView, creating fake dashboards with fraudulent balances and countdown timers to pressure victims into deposits, while some campaigns push malicious APK files.
CTM360's analysis shows the operation employs shared API responses across multiple domains, tracking pixels, and TLS-validated hosting for rapid rebranding. Users should avoid sideloading APK files and exercise caution with bots requesting deposits or app downloads.
⚡ CISA Adds Linux Root Escalation Flaw to Active Exploit Catalog
The U.S. Cybersecurity and Infrastructure Security Agency has added CVE-2026-31431, a Linux privilege escalation vulnerability enabling root access, to its Known Exploited Vulnerabilities catalog. The agency confirmed active exploitation in the wild, triggering mandatory patching requirements for federal agencies under Binding Operational Directive 22-01.
The inclusion signals threat actors are actively leveraging the flaw in ongoing campaigns. Linux systems across enterprise and containerized environments face elevated risk, particularly where privilege boundaries are critical to segmentation and containment strategies.
🔍 Google Restructures Bug Bounty Programs Amid AI Surge
Google has overhauled its Vulnerability Reward Programs for Android and Chrome, responding to AI-driven automation flooding submissions with low-quality reports. Android's top reward for Pixel Titan M zero-click exploits rises to $1.5M, while Chrome base payouts drop to $500 as Google shifts focus toward quality over quantity. The company now prioritizes complete proof-of-concept submissions with proposed fixes.
Despite individual payout reductions, Google expects total 2026 rewards to exceed 2025's record $17.1M, signaling an evolution in how tech giants balance automation with meaningful security research.
🔫 Progress patches critical MOVEit Automation authentication bypass
Progress Software fixed two vulnerabilities in MOVEit Automation, including CVE-2026-4670, a critical authentication bypass flaw, and CVE-2026-5174, a privilege escalation issue. The bugs affect versions up to 2025.1.4, 2025.0.8, and 2024.1.7, with no workarounds available. Airbus SecLab researchers discovered and reported the flaws to Progress.
The vulnerabilities pose a mass exploitation risk similar to 2023's MOVEit Transfer incident, when the Cl0p ransomware gang compromised approximately 1,000 organizations and exposed over 60 million records. Authentication bypass flaws in widely deployed enterprise file transfer systems enable rapid lateral movement and data theft at scale.