
Cybersecurity Radar — 2026-05-05

Cybersecurity Radar | May 5, 2026

Multiple threat actors are now actively exploiting the critical cPanel authentication bypass vulnerability (CVE-2026-41940), turning a previously single-actor campaign into a mass-exploitation event targeting web hosting infrastructure worldwide. Meanwhile, AI-assisted attack capabilities continue to lower barriers for cybercriminals, enabling larger breaches and faster exploits across every sector. The cybersecurity M&A market remained highly active through April, with 33 deals announced as vendors consolidate capabilities.

🔴 Critical Alerts

CVE-2026-41940: cPanel Authentication Bypass — Now Under Mass Multi-Actor Exploitation

What was already a serious zero-day has escalated dramatically. Multiple distinct threat actors are now actively exploiting the critical cPanel authentication bypass vulnerability (CVE-2026-41940), which had previously been quietly abused for months before a patch was released. The latest reporting confirms the situation has evolved into coordinated, multi-actor exploitation — with attackers breaching websites and deploying "Sorry" ransomware against victims.

Affected: Any organization or hosting provider running unpatched cPanel/WHM. The attack surface is enormous, as cPanel is one of the most widely deployed web hosting control panels in the world.

Severity: Critical. Authentication bypass enabling full account takeover and ransomware deployment.

Recommended Action: Apply the cPanel patch immediately. Audit all cPanel/WHM instances for indicators of compromise. Monitor for unauthorized account activity and file encryption events.


CISA / Linux Kernel: Newly Added KEV Catalog Entry

CISA added a recently disclosed Linux kernel security flaw to its Known Exploited Vulnerabilities (KEV) catalog on May 3, 2026, citing evidence of active exploitation in the wild. The advisory covers multiple Linux distributions.

Affected: Linux distributions across enterprise and cloud environments.

Severity: High — active exploitation confirmed by CISA.

Recommended Action: Federal agencies must patch per BOD 22-01 deadlines. All organizations should prioritize applying available Linux kernel security updates. Check CISA's KEV catalog for specific deadline and remediation guidance.

helpnetsecurity.com



Threat Landscape

AI Is Supercharging Cyberattacks in 2026

A new analysis from The Hacker News characterizes 2026 as "The Year of AI-Assisted Attacks," noting that AI tooling is dramatically lowering the barrier for threat actors to launch sophisticated campaigns. Key findings include a breach affecting 7 million users enabled by AI-assisted techniques, and a broader acceleration in exploit development timelines. AI is both increasing attack scale and compressing the window between vulnerability disclosure and active exploitation.


cPanel CVE-2026-41940: "Sorry" Ransomware Deployed at Scale

The cPanel zero-day exploitation is now directly tied to ransomware delivery. BleepingComputer reported on May 3 that the CVE-2026-41940 flaw is being mass-exploited to breach websites and encrypt data via a strain called "Sorry" ransomware. WatchTowr Labs published detailed technical analysis, describing the flaw as an authentication bypass in cPanel/WHM that has been exploited for months prior to patching.

TTPs: Authentication bypass → full account takeover → ransomware deployment. The extended pre-patch exploitation window suggests initial access was sold or shared among multiple threat groups.

State CISOs at NASCIO Warn of AI-Driven Threat Complexity

Cyber threat outlooks shared by CIOs and CISOs at the NASCIO Midyear Conference in Philadelphia ranged from cautiously optimistic to deeply concerned, with AI front and center in nearly every discussion. State-level security leaders described a "tale of two states" — some jurisdictions advancing AI-powered defenses while others struggle with legacy infrastructure and resource gaps that leave them exposed to increasingly AI-assisted adversaries.


erepublic.brightspotcdn.com



Vulnerabilities & Patches

CVE Statistics Q2 2026: Volume and Severity at a Glance

New data from SQ Magazine (published 1 day ago) summarizes NVD vulnerability statistics for early Q2 2026: 6,153 vulnerabilities catalogued, with 8.66% rated Critical and 35.7% rated High. The mean CVSS score is 6.52. Linux and Microsoft remain the top affected vendors by volume — a reminder that the two most pervasive infrastructure platforms continue to generate the highest patch load for security teams.

CVE-2026-41940 — cPanel/WHM Authentication Bypass (Critical)

  • Product: cPanel & WHM (web hosting control panel)
  • Impact: Complete authentication bypass allowing unauthenticated attackers to take over accounts and deploy ransomware
  • Status: Patch available; active mass exploitation underway by multiple threat actors
  • Action: Patch immediately; audit for compromise

Linux Kernel — CISA KEV Addition (Active Exploitation)

  • Product: Multiple Linux distributions
  • Impact: Exploitation details per CISA KEV catalog
  • Status: Added to CISA KEV on May 3, 2026; active exploitation confirmed
  • Action: Apply available patches; federal agencies subject to BOD 22-01 deadline

Breaches & Incidents

2026's Breach Roster So Far: FBI, 1B Android Devices, 270M iPhones

A retrospective summary from TechRepublic (published approximately 2 weeks ago; included for context as a recently published roundup) catalogues the biggest cyberattacks of 2026 to date. The list includes a confirmed breach of FBI systems, approximately 1 billion Android devices put at risk, and 270 million iPhones made vulnerable via the so-called "DarkSword" iPhone exploit. These incidents collectively underscore the scale of risk across both law enforcement and consumer device ecosystems in 2026.

Note: Verify specific details directly with the source, as breach scopes can be updated.

cPanel Zero-Day Victims: Web Hosting Providers and Customers Worldwide

The ongoing mass exploitation of CVE-2026-41940 represents a significant breach-scale event affecting an unknown but potentially large number of websites and hosting customers globally. Victims have had their cPanel accounts compromised and data encrypted by "Sorry" ransomware. Response status: patching is available but exploitation is active — organizations that have not patched remain at acute risk.


Industry & Policy

Cybersecurity M&A: 33 Deals Announced in April 2026

The cybersecurity industry saw robust consolidation activity in April 2026, with 33 merger and acquisition deals announced during the month. Notable transactions involved Airbus, Cyera, Fortra, Palo Alto Networks, Silverfort, and Socket. The deal volume signals continued investor confidence in security tooling even amid market uncertainty, and reflects vendor strategies to bundle capabilities across identity, data security, and application security domains.


CISA KEV Catalog Grows: Linux Flaw Added May 3

CISA's Known Exploited Vulnerabilities catalog received a new entry on May 3, 2026 — a Linux kernel flaw under active exploitation. This continues CISA's aggressive posture of rapidly cataloguing confirmed in-the-wild exploits to drive federal remediation timelines and provide private sector guidance. Organizations should monitor the KEV catalog as an authoritative source of highest-priority patches.

securityweek.com



What to Watch

  • cPanel exploitation escalation: With multiple threat actors now piling onto CVE-2026-41940, expect the "Sorry" ransomware campaign to intensify and potentially spawn copycat operators in the coming days. Hosting providers face the greatest immediate risk.
  • AI-assisted attack tooling proliferation: The AI attack capability gap between well-resourced and novice threat actors is closing rapidly. Watch for lower-sophistication groups deploying AI-accelerated phishing, vulnerability scanning, and exploit development in Q2 2026.
  • Linux and Microsoft patch cadence: With 6,153+ CVEs already catalogued in early Q2 and Linux/Microsoft leading in affected vendor volume, teams should prepare for a heavy patching cycle through the coming weeks, particularly for KEV-listed flaws with active exploitation.

Reader Action Items

  1. Patch cPanel/WHM immediately. CVE-2026-41940 is being actively mass-exploited by multiple threat actors right now. If your organization runs cPanel, apply the available patch today and conduct a full audit of your hosting environment for indicators of compromise, including unauthorized account activity and file encryption.

  2. Check CISA's KEV catalog and patch Linux systems. The newly added Linux kernel vulnerability (added May 3) carries a mandatory remediation deadline for federal agencies and represents a high-priority patch for all organizations running Linux infrastructure. Review your Linux patch status now.

  3. Audit AI exposure in your attack surface. Given the confirmed trend of AI lowering attack barriers — enabling larger breaches and faster exploits — review your organization's AI-enabled services and public-facing attack surface. Prioritize visibility into identity and authentication controls, which remain primary targets as attackers leverage AI to accelerate credential attacks.

This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.
