Issue #004 · May 6, 2026

Cyber Threat Brief — Issue #004

What's active. What matters. What to do about it.

Active Campaigns

[ ESCALATING ] cPanel Zero-Day Exploited for Two Months Before Patch — Mass Exploitation Now Underway
ACTOR: Multiple threat actors — financially motivated and nation-state
TARGETS: Web hosting providers, shared hosting customers, MSPs, government and military entities in Southeast Asia

A critical authentication bypass in cPanel and WHM was exploited in the wild for approximately two months before a patch was released on April 28, 2026 — making it a true zero-day for the entire window attackers had it to themselves. The flaw requires zero credentials to exploit: a handful of HTTP requests and knowledge of one trick grants full administrative access to the hosting control panel and every website, database, and email account it manages. Within days of public disclosure, exploratory probing evolved into multi-actor exploitation including ransomware deployment, Mirai botnet installation, website defacement, and credential harvesting. Censys identified over 8,800 hosts with files encrypted by the .sorry ransomware extension. A separate nation-state-linked actor was observed targeting government and military entities in Southeast Asia using the same vulnerability as an entry point.

[ ESCALATING ] Copy Fail — Nine-Year-Old Linux Kernel Flaw Goes From Disclosure to Exploitation in 24 Hours
ACTOR: Multiple threat actors — ransomware and nation-state
TARGETS: Any organization running Linux endpoints, servers, cloud workloads, or containerized environments

A privilege escalation vulnerability in the Linux kernel dubbed Copy Fail was publicly disclosed on April 29, 2026 — and actively exploited within 24 hours of a working proof-of-concept being published. The flaw affects every mainstream Linux distribution built since 2017, including Ubuntu, Amazon Linux, Red Hat Enterprise Linux, SUSE, Debian, Fedora, and Arch. An unprivileged local user needs only a 732-byte Python script to reliably escalate to root with no network access required. The exploit works unmodified across distributions, making it a universal post-exploitation tool for any attacker who has already gained a foothold on a Linux system. Go and Rust versions of the exploit have already appeared in open-source repositories. Microsoft's Defender Security Research Team confirmed preliminary testing activity suggesting increased threat actor exploitation was imminent. CISA added it to the KEV catalog with a federal remediation deadline of May 15, 2026.

[ ACTIVE ] Silk Typhoon Member Extradited to US — China-Nexus Espionage Continues
ACTOR: Silk Typhoon — China Ministry of State Security
TARGETS: COVID-19 research institutions, government agencies, defense contractors

A member of the China-linked threat group Silk Typhoon has been extradited to the United States to face charges related to cyberattacks targeting COVID-19 vaccine research institutions and government agencies. Silk Typhoon — previously tracked for its exploitation of Microsoft Exchange zero-days and targeting of US Treasury systems — operates under the direction of China's Ministry of State Security. The extradition marks a rare instance of the US government successfully bringing a Chinese state-sponsored actor to face criminal proceedings, and signals continued DOJ pressure on nation-state cyber actors despite the diplomatic complexity of such prosecutions.

CVE Watch

CVE-2026-41940 · CVSS 9.8 · [ ESCALATING ]

PRODUCT: cPanel & WHM (Web Host Manager)

WHAT IT MEANS:

An authentication bypass in cPanel — the control panel software running behind approximately 1.5 million internet-exposed hosting servers — allows an unauthenticated attacker to gain full administrative access without a password. The flaw was exploited in the wild for roughly two months before a patch existed. Gaining WHM access means controlling the entire hosting environment: every website, database, email account, and DNS configuration on that server. On shared hosting, one compromised WHM instance exposes every customer account on that server simultaneously. Active exploitation has already resulted in ransomware deployment, botnet installation, and targeted nation-state intrusions.

ACTION: Update cPanel and WHM immediately to the patched version; if patching is not immediately possible, block inbound traffic to ports 2083, 2087, 2095, and 2096, and run cPanel's detection script to check for compromise indicators in session files.

CVE-2026-31431 · CVSS 7.8 · [ ESCALATING ]

PRODUCT: Linux Kernel (all major distributions, kernels built 2017–present)

WHAT IT MEANS:

A nine-year-old logic bug in the Linux kernel's cryptographic subsystem allows any unprivileged local user to escalate to full root access using a 732-byte Python script that is 100% reliable across Ubuntu, Amazon Linux, Red Hat Enterprise Linux, SUSE, Debian, and every other mainstream Linux distribution running affected kernel versions. No network access required. No special permissions required. The exploit works unmodified across all affected distributions, making it a highly portable post-exploitation tool — any attacker who has achieved even minimal access to a Linux system can immediately become root. Go and Rust implementations are already publicly available. Active exploitation confirmed within 24 hours of public disclosure.

ACTION: Patch Linux kernels to versions 6.18.22, 6.19.12, or 7.0 immediately across all endpoints, servers, cloud instances, and container hosts; Red Hat customers can apply configuration-level mitigations while patches are deployed.
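A defender-side inventory check for the kernel thresholds named in the action above, written for this issue as an added example (not cPanel's, Red Hat's, or CISA's tooling): it classifies a `uname -r` style release string against the upstream fixed versions 6.18.22, 6.19.12 and 7.0, and flags any other kernel series for vendor verification because distribution kernels backport fixes without changing the upstream base version. The hostnames and release strings in the sample inventory are constructed.

```python
import platform
import re

# Upstream fixed versions quoted in the advisory: first safe patch level per series,
# plus 7.0 and later. Distribution kernels often backport fixes under an older base
# version, so "vulnerable" here means "confirm against your vendor's advisory".
FIXED_PATCH_LEVEL = {(6, 18): 22, (6, 19): 12}
FIXED_FROM_MAJOR = 7


def parse_kernel_release(release: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from a string such as '6.18.22-1-generic';
    a missing patch component is treated as 0."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def classify_copy_fail(release: str) -> str:
    """Return 'patched', 'vulnerable' or 'verify-with-vendor' for CVE-2026-31431."""
    major, minor, patch = parse_kernel_release(release)
    if major >= FIXED_FROM_MAJOR:
        return "patched"
    fixed = FIXED_PATCH_LEVEL.get((major, minor))
    if fixed is None:
        # Series not named in the advisory (e.g. 5.15.x or 6.8.x distro kernels):
        # any fix arrives as a vendor backport, so the version string alone cannot decide.
        return "verify-with-vendor"
    return "patched" if patch >= fixed else "vulnerable"


def audit_hosts(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by status, given {hostname: kernel release} from an inventory."""
    groups: dict[str, list[str]] = {"patched": [], "vulnerable": [], "verify-with-vendor": []}
    for host, release in inventory.items():
        groups[classify_copy_fail(release)].append(host)
    return groups


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = {
    "web-01": "6.18.22-1-generic",
    "web-02": "6.18.21-1-generic",
    "build-01": "6.19.12",
    "arch-01": "7.0.0-arch1-1",
    "legacy-01": "5.15.0-91-generic",
}

if __name__ == "__main__":
    if platform.system() == "Linux":  # the check is only meaningful on a Linux host
        print("this host:", platform.release(), "->", classify_copy_fail(platform.release()))
    for status, hosts in audit_hosts(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Feed it the kernel release strings your asset inventory already collects; hosts landing in "verify-with-vendor" need the distribution's own advisory or errata check rather than a version comparison.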

CVE-2026-3854 · CVSS 9.5 · [ ACTIVE ]

PRODUCT: GitHub Enterprise Server

WHAT IT MEANS:

A critical remote code execution vulnerability in GitHub Enterprise Server can be triggered by a single malicious git push — no authentication required beyond repository access. An attacker with the ability to push to a repository on an affected GitHub Enterprise instance can execute arbitrary code on the underlying server. Given that GitHub Enterprise hosts source code, CI/CD pipelines, secrets, and deployment keys for the organizations running it, a successful exploit gives an attacker a direct path from repository access to full infrastructure compromise. The flaw was discovered by researchers and carries a CVSS score placing it among the most severe GitHub vulnerabilities disclosed to date.

ACTION: Apply the GitHub Enterprise Server security patch immediately and audit repository access logs for any anomalous push activity from unexpected sources or service accounts.

Threat Actor Activity

Multiple threat actors exploiting cPanel [ ESCALATING ]

Exploratory probing of CVE-2026-41940 evolved into full multi-actor exploitation including ransomware deployment, Mirai botnet installation, and a separate nation-state campaign targeting government and military entities in Southeast Asia. Over 8,800 hosts confirmed encrypted with .sorry ransomware extension as of May 4.

Silk Typhoon [ ACTIVE ]

A Silk Typhoon member was extradited to the United States to face charges related to attacks on COVID-19 research institutions and government agencies, marking a rare successful prosecution of a China-state-sponsored actor and demonstrating sustained DOJ focus on Chinese cyber operations.

Salt Typhoon [ ACTIVE ]

Congressional scrutiny over carrier remediation claims continues with full eviction from US telecommunications infrastructure still unconfirmed by independent sources. The group's targeting of national security committee staff in January 2026 remains the most significant confirmed intrusion of the ongoing campaign.

Volt Typhoon [ MONITORING ]

No new confirmed activity. Pre-positioning within US critical infrastructure reported in prior periods remains unresolved. Continued operational silence is consistent with the group's established long-dwell access pattern.

LockBit [ MONITORING ]

Reduced operational tempo continues following prior law enforcement disruptions. No major confirmed incidents. Affiliate infrastructure remains active at lower volume.

Key Takeaway

This issue is dominated by two vulnerabilities that share a pattern defenders should internalize: both went from disclosure to active exploitation faster than most organizations can schedule a patch window. The cPanel authentication bypass was exploited for two months before a patch existed — a true zero-day that attackers had entirely to themselves — and within days of public disclosure it had escalated from probing to ransomware deployment across thousands of servers. The Linux Copy Fail vulnerability went from public proof-of-concept to confirmed exploitation in under 24 hours. Both flaws affect infrastructure that organizations consider foundational — the control panel managing their hosting environment, the operating system running their servers. If your organization is still operating on a monthly or quarterly patch cycle for critical infrastructure, these two vulnerabilities are the argument for changing that policy today, not at the next scheduled review.

Sources

  • CISA Known Exploited Vulnerabilities Catalog
  • Help Net Security
  • The Hacker News
  • Rapid7
  • Cybersecurity Dive
  • Security Boulevard
  • Microsoft Defender Security Research Team