Cybersecurity Radar — 2026-05-01

Cybersecurity Radar | May 1, 2026 | 7 min read

A critical authentication bypass vulnerability in cPanel (CVE-2026-41940, CVSS 9.8) is being actively exploited in the wild, with CISA adding it to the Known Exploited Vulnerabilities catalog — potentially putting over 1.5 million web hosting instances at risk. Microsoft's latest threat intelligence reveals an unprecedented 8.3 billion phishing threats detected in Q1 2026 alone, with QR code attacks surging 146%. Meanwhile, CYFIRMA's fresh weekly intelligence report highlights the ransomware landscape entering May 2026.

🔴 Critical Alerts

CVE-2026-41940: cPanel Authentication Bypass — Actively Exploited

A critical authentication bypass vulnerability in cPanel (the widely used web hosting control panel) has been confirmed as actively exploited in the wild — and it was being exploited for months before a patch was released. CVE-2026-41940 carries a CVSS score of 9.8, the near-maximum severity rating. CISA has added the flaw to its Known Exploited Vulnerabilities (KEV) list. Over 1.5 million cPanel instances are potentially at risk. Attackers exploiting this bug can gain unauthorized access to web servers — a severe risk for hosting providers, site owners, and managed service providers. Recommended action: Patch immediately. If you manage or rely on cPanel-based hosting, verify your vendor has applied the fix.

Screenshot showing the cPanel zero-day vulnerability disclosure details from Help Net Security

Linux Kernel "Copy Fail" Zero-Day — Local Privilege Escalation on All Major Distros Since 2017

A critical zero-day vulnerability in the Linux kernel has been publicly disclosed, enabling any unprivileged local user to obtain root access on virtually every major Linux distribution shipped since 2017. The flaw — dubbed "Copy Fail" — represents a serious supply-chain-level risk affecting servers, cloud workloads, and developer machines alike. Recommended action: Monitor vendor advisories (Red Hat, Ubuntu, Debian, SUSE, etc.) for kernel patches and apply them urgently. Restrict local access on sensitive systems as a temporary mitigation.

Graphic illustrating the Linux kernel Copy Fail zero-day vulnerability


Threat Landscape

Microsoft: 8.3 Billion Phishing Threats in Q1 2026 — QR Code Attacks Up 146%

Microsoft Threat Intelligence has published its Q1 2026 analysis, revealing it detected approximately 8.3 billion email phishing threats in the first quarter of the year. Two notable trends stand out: QR code phishing (also called "quishing") surged 146%, bypassing traditional email security tools that can't parse embedded image-based URLs. CAPTCHA-gated phishing attacks also hit record highs, using challenge mechanisms to filter out automated scanners and ensure only human victims proceed to credential-harvesting pages. The data underscores a rapid sophistication in delivery tactics targeting both enterprises and individuals.

Microsoft Threat Intelligence Q1 2026 phishing threat analysis visual

CYFIRMA Weekly Intelligence — May 1, 2026: Ransomware Trends

CYFIRMA's freshly published weekly intelligence report (dated May 1, 2026) highlights ongoing ransomware trends and insights gathered from monitoring threat actor activity. The report reflects the continuing "elevated new normal" of ransomware attack volumes heading into Q2 2026, where attack rates have stabilized at a higher baseline than previous years — reshaping risk expectations for security teams globally. Targeted sectors and specific TTPs are detailed in the full report.

Brazilian Cybercrime Group Resurfaces with LofyStealer Targeting Minecraft Players

A cybercrime group of Brazilian origin has resurfaced after more than three years, launching a new campaign targeting Minecraft players with a novel stealer malware called LofyStealer (also tracked as GrabBot). The group distributes the stealer through gaming communities, leveraging the massive Minecraft player base as a targeting surface. LofyStealer is designed to harvest credentials and sensitive data from infected systems. The campaign illustrates the ongoing threat of info-stealers distributed through gaming and entertainment vectors — often targeting younger, less security-aware demographics.

Manufacturing Sector: Simple Security Mistakes Driving Major Financial Losses

According to cybersecurity insurer Resilience, a single category of "simple security mistakes" caused roughly one-quarter of all cybersecurity-related financial losses in the manufacturing sector in 2025. The report highlights a fundamental tension between operational needs and cybersecurity hygiene in manufacturing environments, where legacy systems, production uptime pressure, and complex supply chains create persistent exposure. The sector remains a high-value target for ransomware actors due to the operational disruption leverage it provides.

Aerial view of manufacturing facility representing cybersecurity risks in the sector


Vulnerabilities & Patches

CVE-2026-41940 — cPanel Authentication Bypass (CVSS 9.8)

  • Affected: cPanel web hosting control panel, all versions prior to patched release
  • Impact: Full authentication bypass; attackers can gain unauthorized server access
  • Status: Actively exploited; CISA KEV listed; patch now available
  • Action: Apply vendor patch immediately; 1.5M+ instances at risk

Linux Kernel "Copy Fail" Zero-Day — Local Privilege Escalation

  • Affected: Virtually all major Linux distributions shipped since 2017 (Ubuntu, Debian, Red Hat, SUSE, etc.)
  • Impact: Unprivileged local user can obtain root access
  • Status: Publicly disclosed; patches expected from major distro vendors
  • Action: Monitor distro-specific security advisories; restrict local user access on critical systems pending patch

Krebs on Security: Microsoft Pushes 167 Fixes Including SharePoint Zero-Day

Per Krebs on Security, in the latest patch cycle Microsoft pushed software updates addressing a staggering 167 security vulnerabilities in Windows and related software. The batch included a SharePoint Server zero-day and a publicly disclosed Windows Defender weakness dubbed "BlueHammer." The breadth of this release reinforces the urgency of maintaining a timely patching cadence for all Microsoft environments.


Breaches & Incidents

Chinese State-Backed APTs Targeting State and Local Government Infrastructure

A report from ITIF (published April 27, 2026) provides detailed analysis of an ongoing pattern: Chinese state-backed APT groups are systematically targeting not only federal institutions but also state and local government systems. CrowdStrike reported that more than 1,100 servers belonging to state and local governments were affected in documented incidents, including servers supporting public higher education institutions and K-12 schools. Attackers in at least one instance gained control of a state government website used to publish public-facing documents. Targeted layers include telecom carriers, National Guard and emergency response networks, public sector IT systems, and critical infrastructure backbone services.

Illustration representing state and local government cybersecurity threats

U.S. Public Sector Under Siege — Trend Micro Q1 2026 Analysis

Trend Micro's Q1 2026 research report documents a concerted campaign against the U.S. public sector. Key findings: AI is lowering the barrier to sophisticated attacks while simultaneously expanding the attack surface through AI-enabled government services. Nation-state actors have demonstrated the ability to penetrate the highest levels of U.S. government communications. Ransomware groups are now operating with the efficiency of professional enterprises. The convergence of nation-state and criminal ransomware activity — where groups operate with state approval while pursuing both profit and geopolitical objectives — is identified as a defining characteristic of the current threat environment.


Industry & Policy

CISA Adds cPanel CVE-2026-41940 to Known Exploited Vulnerabilities Catalog

CISA has formally added the cPanel authentication bypass (CVE-2026-41940) to its Known Exploited Vulnerabilities catalog, mandating that federal agencies remediate the vulnerability within the standard deadline. The addition signals CISA's assessment that the flaw poses significant risk to federal enterprise infrastructure. Private sector organizations should treat KEV listings as strong signals to prioritize patching regardless of federal mandates.
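One way to turn KEV listings into a prioritized patch queue against an internal asset inventory, as an added example that is not part of this digest or of any CISA tooling. It relies on the KEV feed's published JSON field names (cveID, vendorProject, product, dueDate); the dates in the record and the host list are constructed placeholders, not values from the real catalog.

```python
"""Match a software inventory against a CISA KEV catalog excerpt.

Added example, not code from the digest or from CISA. The KEV record is
constructed in the catalog's published JSON field layout: CVE ID, vendor and
product follow the digest; dateAdded and dueDate are placeholders.
"""
import json
from datetime import date

# Constructed KEV excerpt (the real feed carries more fields per entry).
KEV_JSON = json.dumps({"vulnerabilities": [{
    "cveID": "CVE-2026-41940",
    "vendorProject": "cPanel",
    "product": "cPanel",
    "vulnerabilityName": "cPanel Authentication Bypass Vulnerability",
    "dateAdded": "2026-04-30",  # placeholder, not CISA's actual date
    "dueDate": "2026-05-21",    # placeholder, not CISA's actual deadline
    "knownRansomwareCampaignUse": "Unknown",
}]})

# Constructed asset inventory: (hostname, vendor, product, patched?).
INVENTORY = [
    ("web-01.example.test", "cPanel", "cPanel", False),
    ("web-02.example.test", "cpanel", "cPanel", True),
    ("db-01.example.test", "PostgreSQL", "PostgreSQL", False),
]


def kev_exposures(kev_json, inventory, today):
    """Return unpatched assets matching a KEV entry, most urgent first.

    Vendor/product are compared case-insensitively so a listing is caught
    even when the inventory spells the vendor differently. A negative
    days_left means the KEV remediation deadline has already passed.
    """
    entries = json.loads(kev_json)["vulnerabilities"]
    by_key = {(e["vendorProject"].lower(), e["product"].lower()): e
              for e in entries}
    hits = []
    for host, vendor, product, patched in inventory:
        entry = by_key.get((vendor.lower(), product.lower()))
        if entry is None or patched:
            continue  # not KEV-listed, or already remediated
        due = date.fromisoformat(entry["dueDate"])
        hits.append({"host": host, "cveID": entry["cveID"],
                     "dueDate": entry["dueDate"],
                     "days_left": (due - today).days,
                     "overdue": due < today})
    return sorted(hits, key=lambda h: h["days_left"])
```

Feeding the live catalog instead of the excerpt only changes where KEV_JSON comes from; the matching and deadline logic stay the same.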

ITIF Calls for Stronger Federal Support for State/Local Government Cybersecurity

The Information Technology and Innovation Foundation (ITIF) published a comprehensive briefing on April 27 calling for improved federal frameworks to bolster state and local government cybersecurity defenses. The report highlights that Chinese APT activity against sub-federal government targets is systematic and growing, yet resources and coordination mechanisms at the state/local level remain inadequate relative to the threat. Recommendations include improved threat intelligence sharing, dedicated funding streams, and joint federal-state incident response protocols.


What to Watch

  • cPanel exploitation spreading: With CVE-2026-41940 now confirmed exploited and CISA-listed, expect opportunistic mass exploitation across the 1.5M+ vulnerable instances in coming days. Web hosting providers and MSPs should treat this as a P1 incident.
  • Linux kernel patch race: The "Copy Fail" zero-day public disclosure will accelerate both exploitation attempts and vendor patch releases — watch for kernel security updates from major distributions in the next 24-72 hours and prioritize deployment on internet-exposed or multi-tenant systems.
  • QR code phishing campaigns accelerating: With a 146% surge in Q1 2026 per Microsoft telemetry, quishing attacks are now a mainstream enterprise threat vector. Organizations relying on traditional email gateways without image-URL analysis are increasingly exposed; expect more targeted campaigns through Q2.

Reader Action Items

  1. Patch cPanel immediately — If your organization uses cPanel or relies on cPanel-based hosting, verify the patch for CVE-2026-41940 (CVSS 9.8) has been applied. Contact your hosting provider if you don't manage cPanel directly. This is an actively exploited, CISA KEV-listed vulnerability.

  2. Monitor for Linux kernel security updates — Check your Linux distribution's security advisories today for patches addressing the "Copy Fail" local privilege escalation zero-day. Prioritize patching on shared/multi-tenant systems, cloud VMs, and any server accessible by untrusted local users. Apply patches as soon as distros release them.

  3. Update email security policies to address QR code phishing — Review whether your email security gateway and endpoint protection can analyze URLs embedded within QR code images. Implement user awareness training on quishing tactics, and consider policies that flag or quarantine emails containing QR codes from external senders, particularly in finance, HR, and executive communications.

This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.
