MOVEit Automation CVE-2026-4670, Critical Authentication Bypass Leads a Fresh Patch Queue
Finding: MOVEit Automation authentication bypass, CVE-2026-4670
Confidence: Medium
Progress MOVEit Automation versions before 2025.1.5, 2025.0.9, and 2024.1.8 are affected by a critical authentication bypass tracked as CVE-2026-4670 and WID-SEC-2026-1336. BSI CERT-Bund lists the advisory, and BleepingComputer reports the fixed version branches, giving this item enough corroboration to lead today’s public content.
The risk is straightforward: managed file transfer automation often sits close to sensitive data flows, partner connectivity, and scheduled operational jobs. Internet-facing MOVEit Automation nodes should be treated as the first inventory target, followed by internal systems with privileged automation workflows.
Update: Linux Copy Fail active exploitation confirmed, CVE-2026-31431
Confidence: High
CISA has added Linux Copy Fail, CVE-2026-31431, to the Known Exploited Vulnerabilities Catalog with a remediation due date of 2026-05-15. BleepingComputer also reports exploitation activity, which changes the posture from local privilege-escalation exposure to active exploitation pressure.
This is an update rather than a new finding, but it is the most urgent operational item in today’s evidence. Linux estate owners should identify affected kernels, prioritise internet-facing and high-value systems, and align remediation to the CISA KEV deadline.
Finding: Ubuntu Exim CVE-2026-40685 and curl CVE-2026-4873 fixes
Confidence: Medium
Ubuntu USN-8228-1 fixes Exim issues including CVE-2026-40685, described in the source material as malformed JSON header parsing that could lead to arbitrary code execution and information disclosure. Mail relays and exposed Exim hosts deserve early attention because mail infrastructure often has broad reach and uneven maintenance windows.
Ubuntu USN-8227-1 fixes curl connection-reuse issues including CVE-2026-4873, CVE-2026-5545, and CVE-2026-5773. The main concern is sensitive-information exposure in workloads that use curl or libcurl for authenticated service-to-service requests.
Finding: BSI advisories widen the watch list
Confidence: Low
BSI CERT-Bund lists new advisories for Rancher, D-LINK M60, OPNsense, IBM Langflow, Qt, Langflow, Keycloak, FreeBSD, GnuTLS, Wireshark, vm2, and Bitwarden CLI. These are useful watch signals, but many currently have limited readable detail and should not be overstated without vendor confirmation, CVE mapping, or affected-version detail.
The practical move is not panic patching. Build an owner-mapped inventory for Rancher, OPNsense, D-LINK M60, Keycloak, Langflow, and Qt-bearing applications, then enrich each advisory against vendor pages before raising customer-specific severity.
Why This Matters
Today’s change is quality, not volume. The MOVEit Automation item gives security teams a specific new critical application to check, and the Linux Copy Fail KEV listing gives patch teams a dated exploitation-driven deadline.
The broader BSI set matters because it touches control-plane software, perimeter devices, identity, developer tools, and application runtimes. Most of those items still need enrichment, but they are good triggers for asset discovery now.
Recommended Actions
- Upgrade MOVEit Automation to 2025.1.5, 2025.0.9, or 2024.1.8 or later, starting with internet-facing automation nodes.
- Inventory Linux kernels for CVE-2026-31431 exposure and schedule remediation before the 2026-05-15 CISA KEV due date.
- Patch Ubuntu Exim and curl packages where deployed, especially mail relays and systems using authenticated curl/libcurl requests.
- Inventory Rancher, OPNsense, D-LINK M60, Keycloak, Langflow, and Qt-bearing applications, then restrict exposed admin surfaces.
- Enrich low-confidence BSI WID advisories with vendor references, affected versions, and CVE mappings before escalating severity.
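The MOVEit Automation action above depends on comparing each node against the fixed release of its own branch, because a single "older than 2025.1.5" test would wrongly flag a patched 2025.0.9 or 2024.1.8 node. The following is an added example, not code from Progress or from the advisories cited here; the host names, the inventory layout and the assumption that versions are reported as year.minor.patch are constructed for illustration.

```python
import re

# First fixed patch level per branch (year, minor), as listed in this brief.
FIXED = {(2025, 1): 5, (2025, 0): 9, (2024, 1): 8}


def parse_version(text):
    """Return (year, minor, patch), or None if the string is not a version."""
    m = re.fullmatch(r"\s*(\d{4})\.(\d+)\.(\d+)(?:\.\d+)*\s*", text)
    return tuple(int(g) for g in m.groups()) if m else None


def classify(version_text):
    """Classify a reported version as 'fixed', 'affected' or 'unknown'."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # unparseable: check by hand, never assume safe
    branch, patch = v[:2], v[2]
    if branch in FIXED:
        return "fixed" if patch >= FIXED[branch] else "affected"
    if branch > max(FIXED):
        return "fixed"     # later than 2025.1.5 ("or later" in the brief)
    if branch < min(FIXED):
        return "affected"  # before 2024.1.8, no fixed release named for it
    return "unknown"       # unlisted branch in between: confirm with vendor


def triage(inventory):
    """Order hosts: affected internet-facing, affected internal, unknown, fixed."""
    rank = {"affected": 0, "unknown": 1, "fixed": 2}
    rows = [(host, ver, exposed, classify(ver)) for host, ver, exposed in inventory]
    return sorted(rows, key=lambda r: (rank[r[3]], not r[2], r[0]))


# Constructed sample inventory: (host, reported version, internet-facing?)
INVENTORY = [
    ("mft-int-01", "2025.0.9", False),
    ("mft-dmz-01", "2025.1.4", True),
    ("mft-int-02", "2024.1.7", False),
    ("mft-dmz-02", "2025.1.5", True),
    ("mft-lab-01", "2023.1.2", False),
    ("mft-int-03", "n/a", False),
]

if __name__ == "__main__":
    for host, ver, exposed, status in triage(INVENTORY):
        print(f"{status:9} {'exposed' if exposed else 'internal':9} {host} {ver}")
```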
All findings grounded in a13e intelligence sweeps through 03:25 UTC 05 May 2026.