Here are today’s top cybersecurity stories for Tuesday, May 5, 2026.
Critical MOVEit Automation Authentication Bypass CVE-2026-4670 — CVSS 9.8 — Patch Now
Progress Software has patched two vulnerabilities in MOVEit Automation: CVE-2026-4670, a CVSS 9.8 authentication bypass in the service backend command port interface, and CVE-2026-5174, a privilege escalation flaw. Together, the two bugs allow unauthenticated remote attackers to gain full administrative control of affected MOVEit Automation instances. Affected versions include 2025.1.4 and earlier, 2025.0.8 and earlier, and 2024.1.7 and earlier. No active exploitation has been reported, but MOVEit’s history as a high-value target — it was at the centre of Clop’s 2023 mass-exploitation campaign — makes rapid patching essential. Fixes are available in versions 2025.1.5, 2025.0.9, and 2024.1.8.
The Hacker News | Help Net Security
Apache HTTP Server CVE-2026-23918: CVSS 8.8 HTTP/2 Double Free Flaw Enables DoS and Possible RCE
Apache released version 2.4.67 to address CVE-2026-23918, a double-free memory corruption bug in the HTTP/2 protocol handler affecting version 2.4.66. The flaw triggers when a client sends an HTTP/2 HEADERS frame immediately followed by RST_STREAM with a non-zero error code on the same stream before the multiplexer registers it. Successful exploitation leads to denial of service or, in the worst case, remote code execution. Organizations running Apache 2.4.66 should upgrade to 2.4.67 immediately.
The Hacker News
Cisco Talos Exposes UAT-8302: China-Nexus APT Targeting South American and European Governments
Cisco Talos has disclosed UAT-8302, a China-aligned advanced persistent threat group targeting government entities in South America since at least late 2024 and southeastern European government agencies in 2025. The group deploys shared China-nexus tooling including NetDraft, CloudSorcerer 3.0, and VShell, gaining initial access through web application exploits. Post-compromise activity includes credential extraction, lateral movement via Impacket, and the use of proxying tools. Talos assesses UAT-8302’s primary mission as obtaining and maintaining long-term access to government networks worldwide.
The Hacker News | Cisco Talos
AccountDumpling: 30,000 Facebook Business Accounts Stolen via Google AppSheet Phishing
A Vietnam-linked operation codenamed AccountDumpling by Guardio has compromised an estimated 30,000 Facebook Business accounts by routing phishing emails through Google’s AppSheet platform. Because the emails originate from noreply@appsheet.com, they pass SPF, DKIM, and DMARC verification and bypass most enterprise spam filters. Lures include fake copyright complaints, account disablement notices, and executive recruitment claims. The campaign steals Facebook credentials, two-factor authentication codes, session cookies, and government ID documents.
The Hacker News
MetInfo CMS CVE-2026-29014: CVSS 9.8 Unauthenticated PHP Code Injection Actively Exploited
Threat actors are actively exploiting CVE-2026-29014, a CVSS 9.8 unauthenticated PHP code injection flaw in MetInfo CMS versions 7.9, 8.0, and 8.1. Exploitation requires the WeChat plugin to be installed. Attackers write malicious PHP into a cache file via a vulnerable request handler and execute it remotely. Exploitation activity spiked on May 1, with attacks originating from IP addresses in China and Hong Kong. Approximately 2,000 instances are publicly accessible online. MetInfo released patches on April 7, 2026; unpatched installations are being actively targeted.
The Hacker News
CISA Launches CI Fortify: Resilience Initiative for Critical Infrastructure Operators
CISA unveiled CI Fortify on May 5, a new program designed to help critical infrastructure entities maintain essential services during cyberattacks and geopolitical conflict. Guidance directs operators to build isolation and recovery capabilities and to assume that third-party connections — including internet, telecommunications, and vendor access — will become unreliable in a conflict scenario. CISA will support implementation through targeted assessments, exercises, and a pilot phase already underway. The initiative applies across all 16 critical infrastructure sectors.
CISA
ShinyHunters Claims CarGurus Breach: 12.4 Million Records Exposed
ShinyHunters has leaked a 6.1GB archive containing data on an estimated 12.4 million CarGurus users, including names, email addresses, phone numbers, physical and IP addresses, auto finance application outcomes, and dealer subscription information. The breach is attributed to ShinyHunters’ standard social engineering playbook, targeting SaaS platform access via vishing and credential-harvesting pages. CarGurus has acknowledged the incident but disputes the scale. CarGurus operates across Canada, making this relevant to Canadian users who submitted auto finance pre-qualification applications.
SecurityWeek | BleepingComputer
RSAC 2026: Agentic AI and Post-Quantum Cryptography Dominate the Conference
RSA Conference 2026 is underway in San Francisco, with agentic AI and post-quantum cryptography as the two defining themes. Geordie AI won the Innovation Sandbox contest for its enterprise AI agent visibility platform. Major vendor announcements include Arctic Wolf’s Aurora Agentic SOC, 1Password Unified Access for AI agent identity security, and Orca Security’s new Threat Investigation Agent. Post-quantum cryptography timelines are drawing significant attention, with multiple vendors warning that disruption timelines are shortening faster than enterprise roadmaps account for.
SecurityWeek
CIRCIA Final Rule Expected May 2026: 72-Hour Cyber Incident Reporting Mandate Approaching
CISA’s Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) final rule is expected to be published this month after multiple delays. The rule will require critical infrastructure owners and operators to report significant cyber incidents to CISA within 72 hours of discovery and ransomware payments within 24 hours. The rule applies to 16 critical infrastructure sectors. Organizations that have not yet reviewed their incident response workflows against the forthcoming CIRCIA requirements should do so immediately ahead of the rule’s publication.
CyberScoop