Multiple critical vulnerabilities disclosed in late April and early May 2026 have come under active exploitation, with threat actors targeting servers worldwide through a cPanel authentication bypass, a Linux kernel privilege escalation bug, and a Palo Alto Networks firewall zero-day.
cPanel Vulnerability Triggers Mass Exploitation
A critical authentication bypass vulnerability in cPanel software products has sparked widespread exploitation just hours after public disclosure. CVE-2026-41940, assigned a CVSS score of 9.8, affects all supported versions of cPanel, WebHost Manager (WHM), and WP Squared products.
The vulnerability allows attackers to gain administrative access and take over servers hosting websites. According to Dark Reading, WatchTowr Labs published a proof-of-concept exploit on April 29, describing the flaw as a “disaster” vulnerability.
KnownHost CEO Daniel Pearson confirmed on Reddit that the vulnerability had been exploited as a zero-day for “at least the last 30 days,” with attack attempts dating back to February 23. Internet scanning from Censys showed multiple threat actors began targeting the flaw within 24 hours of public disclosure, with tens of thousands of exposed cPanel instances worldwide.
Linux ‘Copy Fail’ Bug Enables Root Access
CVE-2026-31431, dubbed “Copy Fail,” is a nearly decade-old Linux kernel vulnerability that allows a local, authenticated attacker to escalate privileges to root. The flaw sits in the kernel’s authentication AEAD template, has been present since 2017, and affects every Linux distribution built on kernels from that period onward.
CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on Friday, ordering federal agencies to patch within two weeks. Microsoft reported limited in-the-wild exploitation, primarily involving proof-of-concept testing, but warned of the vulnerability’s broad applicability.
The vulnerability enables any local, unprivileged user to achieve root shell access through in-memory-only modifications. According to Microsoft, successful exploitation “leads to full root privilege escalation” and “could facilitate container breakout, multi-tenant compromise, and lateral movement within shared environments.”
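Because the escalation described above happens entirely in memory, file-integrity monitoring sees nothing; the transition from an unprivileged user to root is visible only in the live process tree. The following is an added example, not code from the original article or from any vendor: a heuristic detector that flags root processes whose parent runs as an unprivileged user and whose executable is neither set-uid nor a recognised privilege launcher. The launcher list and the sample process table are assumptions constructed for illustration.

```python
"""Heuristic detector for local-to-root privilege escalation on Linux.

Added example (not from the article or any vendor). Flags processes that run
as root although their parent is unprivileged and the executable they
started from is neither set-uid nor a recognised privilege launcher. The
launcher set and SAMPLE_TABLE are assumptions constructed for illustration.
"""
import os
from dataclasses import dataclass
from typing import Iterable

# Paths through which an unprivileged user may legitimately obtain a root
# process (assumption: tune to the distribution's actual set).
KNOWN_LAUNCHERS = {"/usr/bin/sudo", "/usr/bin/su", "/usr/bin/pkexec", "/usr/bin/doas"}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    euid: int         # effective uid of the process
    exe: str          # resolved path of the executable ("" if unreadable)
    exe_setuid: bool  # set-uid bit on that executable


def read_proc_table() -> list[Proc]:
    """Build the process table from /proc on a live host (run as root to see everything)."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/status") as fh:
                fields = dict(line.rstrip("\n").split(":", 1) for line in fh if ":" in line)
            ppid = int(fields["PPid"].strip())
            euid = int(fields["Uid"].split()[1])  # columns: real, effective, saved, fs
        except (OSError, KeyError, ValueError, IndexError):
            continue  # process exited mid-scan or status unreadable
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = ""  # kernel thread, or no permission to read the link
        try:
            setuid = bool(os.stat(exe).st_mode & 0o4000) if exe else False
        except OSError:
            setuid = False  # e.g. "... (deleted)" or a path we cannot stat
        procs.append(Proc(pid, ppid, euid, exe, setuid))
    return procs


def find_suspicious(procs: Iterable[Proc]) -> list[Proc]:
    """Return root processes whose privilege is not explained by their lineage."""
    by_pid = {p.pid: p for p in procs}
    flagged = []
    for p in by_pid.values():
        if p.euid != 0 or p.pid <= 1:
            continue
        parent = by_pid.get(p.ppid)
        if parent is None or parent.euid == 0:
            continue  # root spawned by root (or orphaned): ordinary
        if p.exe_setuid or p.exe in KNOWN_LAUNCHERS:
            continue  # sanctioned privilege transition
        flagged.append(p)
    return flagged


def suspicious_pids(procs: Iterable[Proc]) -> list[int]:
    return [p.pid for p in find_suspicious(procs)]


# Constructed snapshot: alice (uid 1000) logs in over SSH, uses sudo once, and
# two root processes appear directly under her shell with no set-uid step.
SAMPLE_TABLE = [
    Proc(1, 0, 0, "/usr/lib/systemd/systemd", False),
    Proc(800, 1, 0, "/usr/sbin/sshd", False),
    Proc(901, 800, 1000, "/usr/bin/bash", False),       # alice's login shell
    Proc(950, 901, 0, "/usr/bin/sudo", True),            # set-uid sudo: legitimate
    Proc(951, 950, 0, "/usr/bin/bash", False),           # root shell under sudo
    Proc(960, 901, 0, "/usr/bin/bash", False),           # root shell straight from alice's shell
    Proc(970, 901, 0, "/home/alice/.cache/poc", False),  # user-owned binary now running as root
]


if __name__ == "__main__":
    for p in find_suspicious(SAMPLE_TABLE):
        print(f"pid {p.pid} runs as root from {p.exe!r}; parent pid {p.ppid} is unprivileged")
```

Run `read_proc_table()` in place of the sample to check a live host. Expect false positives from binaries that carry file capabilities such as CAP_SETUID without the set-uid bit; add those to the launcher set. A short-lived exploit process can also exit between scans, so this is a complement to kernel-level auditing, not a substitute for patching.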
Android Debug Bridge Flaw Patched
Google patched CVE-2026-0073, a critical remote code execution vulnerability in Android’s System component that affects the Android Debug Bridge daemon (adbd). The flaw allows attackers to execute code as the shell user without requiring additional execution privileges or user interaction.
The vulnerability impacts adbd, the background process that manages communication between Android devices and computers for debugging and shell access. Google’s security advisory indicates no evidence of malicious exploitation. Separately, the company raised its top Android bug bounty payout to $1.5 million for zero-click exploits of the Pixel Titan M security chip.
Previous Android Exploits
Several Android vulnerabilities were exploited in attacks throughout 2024 and 2025, including CVE-2024-43093, CVE-2024-50302, CVE-2025-27038, CVE-2025-48543, and CVE-2025-38352, highlighting the platform’s continued targeting by threat actors.
Gemini CLI Supply Chain Risk Addressed
A critical vulnerability in Google’s Gemini CLI tool received a perfect CVSS score of 10.0 but no CVE identifier. According to Pillar Security, the flaw existed because Gemini CLI in “yolo mode” ignored tool allowlists, enabling execution of any command.
Attackers could exploit the vulnerability by opening public GitHub issues containing malicious prompts, which the repository’s Gemini CLI workflow then passed to the agent. Because yolo mode automatically approved every tool call, an injected prompt could direct the agent to extract the workflow’s internal secrets and gain full repository write access. Pillar Security noted that “at least eight other Google repositories had the same vulnerable workflow template deployed.”
Google addressed the vulnerability on April 24 in Gemini CLI version 0.39.1, which enforces tool allowlists even in yolo mode, and updated the run-gemini-cli GitHub Action.
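The bug class above is a gate that lets an auto-approve mode short-circuit the policy check instead of merely skipping the interactive confirmation. The following is an added example, not Gemini CLI code: a minimal tool-call gate written both ways, run over a constructed tool-call sequence of the kind a prompt-injected issue would elicit. The tool names, allowlist format and session are assumptions; the model used is that the allowlist is the operator’s hard boundary on what the agent may call at all, and “yolo” should only remove the human confirmation for calls already inside that boundary.

```python
"""Tool-call gating for an LLM coding agent: the 'auto-approve ignores the
allowlist' bug beside a hardened gate.

Added example, not Gemini CLI code. Tool names, the allowlist format and the
constructed tool-call sequence are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class ToolCall:
    tool: str              # tool the model asked to invoke
    args: tuple[str, ...]  # its arguments as the model emitted them


# tool -> permitted full argument strings, or None meaning "any arguments".
Allowlist = dict[str, Optional[set[str]]]

CI_ALLOWLIST: Allowlist = {
    "read_file": None,
    "run_shell_command": {"git status", "git diff --stat", "npm test"},
}


def is_allowlisted(call: ToolCall, allowlist: Allowlist) -> bool:
    """Exact match on tool name and, where the entry lists them, on the full arguments."""
    if call.tool not in allowlist:
        return False
    permitted = allowlist[call.tool]
    return permitted is None or " ".join(call.args) in permitted


def deny_without_tty(call: ToolCall) -> bool:
    """Stand-in for the interactive prompt: in CI nobody can answer, so deny."""
    return False


def approve_vulnerable(call: ToolCall, allowlist: Allowlist, yolo: bool,
                       confirm: Callable[[ToolCall], bool] = deny_without_tty) -> bool:
    # Bug pattern: yolo returns before the policy is consulted, so every call
    # the model emits runs, including calls planted by a prompt-injected issue.
    if yolo:
        return True
    return is_allowlisted(call, allowlist) and confirm(call)


def approve_hardened(call: ToolCall, allowlist: Allowlist, yolo: bool,
                     confirm: Callable[[ToolCall], bool] = deny_without_tty) -> bool:
    # Policy first: a call outside the allowlist is rejected in every mode.
    if not is_allowlisted(call, allowlist):
        return False
    # yolo only skips the human confirmation for calls the policy already permits.
    return True if yolo else confirm(call)


def executed_calls(gate, calls: Iterable[ToolCall], allowlist: Allowlist, yolo: bool) -> list[ToolCall]:
    """Return the subset of calls the gate lets through."""
    return [c for c in calls if gate(c, allowlist, yolo)]


# Constructed session: a triage workflow reads a public issue whose body carries
# injected instructions. The first two calls are ordinary triage; the last two
# are what the injection asks for (dump the runner's environment, then force-push).
INJECTED_SESSION = [
    ToolCall("read_file", ("README.md",)),
    ToolCall("run_shell_command", ("git", "status")),
    ToolCall("run_shell_command", ("env",)),
    ToolCall("run_shell_command", ("git", "push", "--force", "origin", "HEAD:main")),
]


if __name__ == "__main__":
    for name, gate in (("vulnerable", approve_vulnerable), ("hardened", approve_hardened)):
        ran = executed_calls(gate, INJECTED_SESSION, CI_ALLOWLIST, yolo=True)
        print(f"{name} gate, yolo on:", [f"{c.tool} {' '.join(c.args)}" for c in ran])
```

Independently of the gate, the permissions of the token a workflow runs with bound what an approved command can do; a job that only needs to read issues and code should declare `permissions: contents: read` rather than inherit write access, so that a bypass of the allowlist cannot by itself become a repository write.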
Palo Alto Zero-Day Links to Chinese APT
Palo Alto Networks disclosed CVE-2026-0300, a zero-day vulnerability affecting the User-ID Authentication Portal of PA-Series and VM-Series firewalls. The flaw enables unauthenticated remote code execution with root privileges and has been actively exploited.
According to Palo Alto Networks, a “likely state-sponsored” threat group tracked as CL-STA-1132 first attempted exploitation on April 9, achieving successful remote code execution one week later. The attackers conducted immediate log cleanup, deployed tools with root privileges, and performed Active Directory enumeration using firewall service account credentials.
The attack campaign deployed open-source tools including Earthworm and ReverseSocks5 for network tunneling and persistence. Patches are scheduled for release on May 13 and May 28; until then, Palo Alto Networks has published interim mitigations and workarounds to prevent exploitation.
What This Means
The simultaneous disclosure and exploitation of multiple critical vulnerabilities across major platforms demonstrates the compressed timeline between vulnerability disclosure and active exploitation. The cPanel vulnerability’s month-long zero-day exploitation period before public disclosure highlights the challenge of detecting sophisticated attacks against widely-deployed infrastructure.
The Linux Copy Fail vulnerability’s near-decade-long presence in kernel code underscores the difficulty of identifying subtle privilege escalation flaws in complex codebases. Its in-memory-only operation and broad applicability make it particularly dangerous in cloud and container environments, where privilege boundaries are critical security controls.
The Gemini CLI supply chain vulnerability illustrates emerging risks in AI-powered development tools, where prompt injection attacks can bypass security controls and compromise entire software repositories. Organizations using AI agents in CI/CD pipelines should implement strict tool allowlisting and input validation.
FAQ
How quickly should organizations patch these vulnerabilities?
CISA requires federal agencies to patch CVE-2026-31431 within two weeks, while cPanel users should apply updates immediately given active exploitation. Android users should install security updates as soon as available through their device manufacturers.
Are these vulnerabilities being exploited by ransomware groups?
Current reporting indicates state-sponsored actors and opportunistic attackers rather than ransomware operators, though the cPanel vulnerability’s widespread exploitation suggests multiple threat actor types may be involved.
What immediate mitigations exist for unpatched systems?
Palo Alto Networks has published specific mitigations for CVE-2026-0300, while cPanel users should implement access controls and monitoring. Linux administrators should monitor for unusual privilege escalation attempts and restrict local user access where possible.