Exploit Cyber-Frenzy: Critical cPanel Vulnerability and Other Current Threats

The cybersecurity field is experiencing heightened activity, marked by the rapid exploitation of critical vulnerabilities. A significant concern is the widespread exploit cyber-frenzy threatening millions via a critical cPanel vulnerability, which has seen attackers move with unprecedented speed. This incident, alongside other notable threats, shows the continuous pressure on security teams to implement timely defenses.

Understanding these threats requires a factual assessment of the attack vectors, the scale of potential impact, and the underlying factors that enable rapid exploitation. Organizations must prioritize accurate cyber threat intelligence platform capabilities to gain insights into such accelerated attack cycles. This ensures that defensive measures are proportionate and effective against the latest threats.

This post examines recent developments across critical software vulnerabilities, platform compromises, and the evolving nature of cyberattacks, including the impact of AI. It provides an overview of the technical details and practical implications for both security professionals and business leaders.

Exploit Cyber-Frenzy: Critical cPanel Vulnerability Under Siege

A critical authentication bypass flaw identified as CVE-2026-41940 in cPanel, WebHost Manager (WHM), and WP Squared products has become a focal point for threat actors. This vulnerability, assigned a CVSS score of 9.8, permits unauthenticated attackers to gain administrative access, potentially leading to server and hosted website compromise. The flaw impacts all supported versions of the affected cPanel software.

The timeline of exploitation for CVE-2026-41940 shows an accelerated attack cycle. cPanel issued a security update on April 28, 2026. The next day, April 29, 2026, WatchTowr Labs publicly disclosed a proof-of-concept (PoC) exploit along with a technical analysis, detailing the flaw as a "disaster." KnownHost, a managed cPanel hosting provider, later confirmed that the vulnerability had been exploited as a zero-day for "at least 30 days" prior to disclosure, with activity traces dating back to February 23, 2026.

Internet scanning by Censys revealed approximately 15,000 potentially compromised instances within the first 24 hours following disclosure. Security researchers from Defused observed over 1,000 exploit attempts on their honeypots, indicating a high volume of global exploitation. This activity shows the minimal window defenders have to patch critical flaws. This threat has a substantial scope, as over 800,000 cPanel instances are indexed by services like Shodan, collectively powering an estimated 70 million domains. You can find more details on this specific vulnerability in our analysis of CVE-2026-41940: cPanel/WHM May 04.

Attack methods against CVE-2026-41940 included the deployment of Mirai botnet variants. Many vulnerable instances were also targeted with ransomware that encrypts files and appends them with a ".sorry" extension. A victim, Yousef Alsahijan, reported a "highly organized, multistage operation" where the entire attack chain-from initial access to full encryption-transpired within minutes, bypassing both credentials and two-factor authentication. Further insights into cPanel ransomware threats are available in our post on Ransomware Threat Activity: Qilin, cPanel May 03.

Several factors contributed to the rapid exploitation of this cPanel flaw. Threat actors possessed pre-disclosure knowledge of the vulnerability, allowing them to prepare. The technical differences between vulnerable versions and cPanel's patches were minimal, involving changes to only three files, which provided a clear "road map" for attackers through patch diffing. The detailed WatchTowr write-up further facilitated weaponization. Other PoC exploits, such as "cPanel Sniper," also emerged concurrently. The initial cPanel advisory, described as "terse," offered little detail, potentially slowing defenders while attackers used technical documentation and public PoCs. The nature of the vulnerability, affecting all supported versions and exposed on management interfaces (typically port 2087), presented a large, uniform, and accessible attack surface. For a broader view of recent threats, consider our overview of Recent Cyber Vulnerabilities May 02.

For organizations operating cPanel software, immediate action is necessary. Picus Security advised the following:

  • Upgrade to fixed versions promptly.
  • Rotate all affected credentials, including root-level account and WHM reseller passwords, API tokens, and SSH keys.
  • Purge all cPanel sessions.
  • Conduct thorough hunts for signs of persistence, such as custom WHM hooks.
  • If immediate patching is not feasible, implement temporary network-level mitigations by blocking inbound traffic to TCP/2083, TCP/2087, TCP/2095, and TCP/2096.

This situation shows that strong real-time ransomware intelligence and effective breach detection mechanisms are needed to respond to fast-moving threats.

How are Critical Linux Systems Being Rooted via 'Copy Fail'?

Critical Linux systems are being rooted via the "Copy Fail" vulnerability, tracked as CVE-2026-31431, found in the Linux kernel's algif_aead cryptographic algorithm interface. This flaw allows unprivileged local users to gain root privileges on unpatched Linux systems by writing four controlled bytes to the page cache of any readable file. The ease of exploitation presents a significant risk to Linux-based infrastructure.

Theori researchers publicly disclosed this vulnerability and a "100% reliable" Python-based exploit script. This exploit has been demonstrated to successfully root systems running Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16. The researchers further noted that the same script can reliably compromise any Linux distribution released since 2017 that incorporates a vulnerable kernel version.

In response to the active exploitation, CISA added CVE-2026-31431 to its Known Exploited Vulnerabilities (KEV) Catalog. The agency has mandated that Federal Civilian Executive Branch (FCEB) agencies patch their Linux endpoints and servers by May 15, 2026, as per Binding Operational Directive (BOD) 22-01. CISA stresses that this type of vulnerability is a common attack vector with substantial risks to federal and private enterprises, urging all security teams to prioritize patching. This incident follows other significant Linux vulnerabilities, such as CVE-2026-41651, dubbed "Pack2TheRoot," another high-severity root-privilege escalation flaw that had persisted for over a decade in the PackageKit daemon before being patched. Organizations should focus on supply-chain risk monitoring for their Linux distributions and kernel components.

MOVEit Automation: A New Authentication Bypass Flaw

Progress Software has issued a warning to customers regarding a critical authentication bypass vulnerability, CVE-2026-4670, affecting its MOVEit Automation enterprise-grade managed file transfer (MFT) application. This flaw impacts MOVEit Automation versions preceding 2025.1.5, 2025.0.9, and 2024.1.8. It permits remote threat actors to exploit systems without needing prior privileges or user interaction, classifying it as a low-complexity attack vector.

Progress also released security updates to mitigate CVE-2026-5174, a high-severity privilege escalation vulnerability resulting from improper input validation within the same software. Remediation for both issues requires an upgrade to the latest patched version using the full installer, which will cause a system outage during the process.

Shodan scans indicate over 1,400 MOVEit Automation instances are exposed online, with a dozen linked to U.S. local and state government agencies. While there is no current confirmation of active exploitation for these specific vulnerabilities, MFT software remains an attractive target for ransomware groups. The Clop ransomware gang extensively exploited a zero-day in MOVEit Transfer in 2023, impacting over 2,100 organizations and 62 million individuals. Previous targets for ransomware groups exploiting MFT vulnerabilities include Accellion FTA, SolarWinds Serv-U, Gladinet CentreStack, GoAnywhere MFT, and Cleo. Given that MOVEit MFT solutions serve more than 3,000 enterprises and 100,000 users globally, supply-chain risk monitoring is crucial.

The Rise of AI-Assisted Attacks: Lowering the Barrier to Entry

The year 2026 is seeing a significant shift in the cyber threat environment, marked by "AI-Assisted Attacks." The accessibility of sophisticated AI tools, particularly large language model (LLM)-backed chat and agent systems, has lowered the technical barrier to entry for conducting complex cyberattacks. This enables non-technical individuals to execute operations previously characteristic of skilled hackers or organized teams.

Several incidents illustrate this trend. In December 2025, a 17-year-old with no technical background was arrested in Osaka, Japan, for using malicious code to extract personal data from over 7 million users of Kaikatsu Club, a large internet cafe chain. Their stated motivation was to purchase Pokémon cards. Earlier, in February 2025, three teenagers aged 14, 15, and 16, with no coding experience, utilized ChatGPT to develop a tool that attacked Rakuten Mobile's system approximately 220,000 times, spending their illicit gains on gaming consoles and online gambling. A single actor in July 2025 used Claude Code, an advanced agentic coding platform, to orchestrate an extortion campaign targeting 17 organizations within a month. This individual employed AI to develop malicious code, organize stolen files, analyze financial records for demand calibration, and draft extortion emails. Another instance in December 2025 involved an individual using Claude Code and ChatGPT to breach the Mexican government, compromising over 10 agencies and stealing more than 195 million taxpayer records. These cases demonstrate a trend in AI-driven attack capabilities.

Quantitative data supports increased attack activity. According to Sonatype, malicious packages discovered in public repositories increased by 75%, from 55,000 in 2022 to 454,600 by 2025. Notable spikes in this increase occurred in 2023, coinciding with the release of GPT-4, and 2025, a landmark year for agentic coding platforms. Crowdstrike reported a 35% increase in cloud intrusions, while Hoxhunt found that AI-generated phishing attacks now outperform human red teams.

The "time to exploit" metric has also seen a significant reduction, decreasing from over 700 days in 2020 to only 44 days in 2025, according to Flashpoint. This means attackers are creating exploits for known vulnerabilities in a fraction of the time previously observed. The Mandiant M-Trends 2026 report and Vulncheck's 2025 findings indicate that "time-to-exploit" has turned negative, with 28.3% of CVEs being exploited within 24 hours of disclosure; exploits are often available before patches. This accelerated attack timeline highlights the need for a sophisticated cyber threat intelligence platform capable of dark web monitoring service and underground forum intelligence to anticipate threats.

The performance of frontier LLM models, such as ChatGPT, Claude, and Gemini, on software development benchmarks like SWE-bench, improved substantially. In August 2024, top models resolved 33% of real GitHub issues on the bench, a figure that climbed to nearly 81% by December 2025. This indicates that AI's ability to assist in software development, including malicious code creation, has significantly improved.

Defenders face mounting challenges. The average time to remediate a known high- or critical-severity CVE is 74 days, according to the Edgescan 2025 Vulnerability Statistics Report. Also, 45% of vulnerabilities in systems maintained by large companies (1000+ employees) are never remediated. Supply chain attacks have become more frequent and impactful; for instance, the Shai-Hulud attack in September 2025 compromised over 500 packages in the npm ecosystem, leading to 487 organizations having secrets compromised and $8.5 million stolen from Trust Wallet due to exposed credentials. The detection of AI-generated malware is also problematic, as malicious npm packages designed to mimic legitimate libraries with documentation and unit tests can bypass traditional static analysis and signature scanners. To counter these, solutions like brand leak alerting are becoming essential.

The current environment requires a strategic shift to "deleting categories of attack" instead of just attempting to outrun them. Approaches such as Chainguard Libraries, which rebuild open-source libraries from verified, attributable source code, have demonstrated effectiveness by blocking 99.7% of 8,783 malicious npm packages and approximately 98% of 3,000 malicious Python packages.

The CloudZ malware, a new version of a remote access tool (RAT), targets Microsoft Phone Link by deploying a previously unseen malicious plugin named Pheno. This plugin is designed to hijack the Microsoft Phone Link connection to steal sensitive information, including SMS messages and one-time passwords (OTPs), directly from mobile devices. This method bypasses the need for direct mobile device compromise.

The intrusion activity involving CloudZ and Pheno has been ongoing since at least January. Cisco Talos researchers observed that the threat actor's objective was to acquire credentials and temporary passcodes. Pheno functions by monitoring for active Phone Link sessions on the victim's Windows machine and then accessing its local SQLite database, which stores a history of SMS messages and potentially OTPs. This enables the attacker to intercept crucial authentication data without directly affecting the mobile device itself.

Beyond the capabilities of the Pheno plugin, the CloudZ RAT has broader functionality, including:

  • Targeting data stored in web browsers.
  • Profiling host systems for reconnaissance.
  • Executing file management operations such as deletion, downloading, and writing files.
  • Executing shell commands.
  • Initiating screen recording.
  • Managing plugins (loading, removing, saving to disk).
  • Terminating its own RAT process to evade detection.

The CloudZ malware employs anti-detection techniques, rotating between three hardcoded user-agent strings to make its HTTP traffic appear as legitimate browser requests. Each HTTP request includes anti-caching headers to obscure command and control (C2) or staging server details. The initial access vector for this malware remains unconfirmed, but the infection typically begins with the victim executing a fake ScreenConnect update. This update drops a Rust-based loader, which in turn deploys a .NET loader. The .NET loader then installs the CloudZ RAT and establishes persistence through a scheduled task. This loader also incorporates anti-analysis checks, including time-based sandbox evasion and checks for common analysis tools like Wireshark, Fiddler, Procmon, and Sysmon, as well as strings associated with virtual machines and sandboxes.

To mitigate the risk of such attacks, organizations and individuals should consider alternatives to SMS-based OTP services, opting for authenticator applications that do not rely on push notifications that could be intercepted. For highly sensitive information, transitioning to phishing-resistant solutions, such as hardware security keys, is recommended. Effective credential intelligence solutions are vital in understanding and protecting against such sophisticated credential theft campaigns.

Technical Takeaways

  • CVE-2026-41940 in cPanel represents a critical authentication bypass, actively exploited as a zero-day for at least 30 days prior to public disclosure, leading to widespread compromises with Mirai botnets and ".sorry" ransomware."
  • The "Copy Fail" vulnerability, CVE-2026-31431, allows unprivileged local users to gain root access on Linux systems, with CISA mandating patches for federal agencies due to active exploitation.
  • A new critical authentication bypass, CVE-2026-4670, in MOVEit Automation necessitates urgent patching, reflecting the ongoing targeting of MFT software by threat actors like the Clop ransomware gang.
  • AI-assisted attacks are lowering the technical barrier for cybercrime, leading to significant increases in malicious packages (454,600 by 2025), cloud intrusions (35% increase), and a significantly reduced "time to exploit" for vulnerabilities (down to 44 days).
  • The CloudZ RAT with its Pheno plugin specifically targets Microsoft Phone Link to steal SMS and OTPs from local SQLite databases, showing an evolution in credential theft tactics and necessitating a move to hardware-based authentication.