
Critical Zero-Days Hit cPanel, Linux, Android in Coordinated

Multiple critical zero-day vulnerabilities affecting millions of systems came under active exploitation this week, with threat actors targeting cPanel hosting infrastructure, Linux kernels, and Android devices in what security researchers describe as an unprecedented wave of coordinated attacks.

cPanel Authentication Bypass Enables Mass Server Takeovers

A critical authentication bypass flaw in cPanel software products has triggered what researchers call an “exploit cyber-frenzy” affecting tens of thousands of web hosting instances. According to Dark Reading, CVE-2026-41940 received a critical CVSS score of 9.8 and allows attackers to gain administrative access to servers and hosted websites without authentication.

The vulnerability affects all supported versions of cPanel, WebHost Manager (WHM), and WP Squared products. WatchTowr Labs published a proof-of-concept exploit on April 29, describing the flaw as a “disaster” that enables complete server takeover.

KnownHost CEO Daniel Pearson confirmed on Reddit that the vulnerability had been exploited as a zero-day for “at least the last 30 days,” with attack attempts traced back to February 23. Internet scanning from Censys showed multiple threat actors began exploiting the flaw within 24 hours of public disclosure, demonstrating the compressed timeline security teams now face when patching critical vulnerabilities.

Linux ‘Copy Fail’ Vulnerability Grants Root Access

A decade-old Linux kernel vulnerability dubbed “Copy Fail” has entered active exploitation, with CISA adding CVE-2026-31431 to its Known Exploited Vulnerabilities catalog on Friday. According to SecurityWeek, the flaw affects all Linux distributions since 2017 and allows authenticated attackers to escalate privileges to root access.

The vulnerability impacts the kernel’s authencesn AEAD template, enabling attackers with code execution privileges to modify cache pages of readable setuid-root binaries. Microsoft reported observing “limited in-the-wild exploitation, mainly surrounding proof-of-concept testing,” but warned of the flaw’s broad applicability across cloud, CI/CD, and Kubernetes environments.

“Successful exploitation leads to full root privilege escalation and could facilitate container breakout, multi-tenant compromise, and lateral movement within shared environments,” Microsoft noted. The company emphasized the vulnerability’s reliability, stealth capabilities through in-memory-only modification, and cross-platform applicability make it particularly dangerous in environments where untrusted code execution is common.

Android Debug Bridge Flaw Enables Remote Code Execution

Google patched a critical Android vulnerability that allows remote code execution without user interaction. SecurityWeek reported that CVE-2026-0073 affects Android’s System component, specifically the Android Debug Bridge daemon (adbd) that manages communication between devices and computers.

The flaw enables attackers to execute code as the shell user without additional execution privileges, with no user interaction required for exploitation. Google has not indicated whether CVE-2026-0073 has been exploited in malicious attacks, though several Android vulnerabilities were exploited in the wild last year.

Google recently announced increased bug bounty payouts for Android device vulnerabilities, offering up to $1.5 million for zero-click Pixel Titan M exploits with persistence, reflecting the critical nature of mobile security flaws.

Supply Chain Attack Vector Through AI CLI Tools

A critical vulnerability in Google’s Gemini CLI tool could have enabled supply chain attacks through indirect prompt injection. According to Pillar Security, the flaw received a perfect CVSS score of 10/10 and existed because Gemini CLI in “yolo mode” would ignore tool allowlists, executing any command automatically.

Attackers could have exploited the vulnerability by creating public issues on Google GitHub repositories with hidden malicious prompts. The AI agent designed to triage user-submitted issues would execute the injected instructions, potentially extracting internal secrets and gaining write access to repositories.

“From those credentials, the attacker pivots to a token with full write access on the repository. Full supply-chain compromise,” Pillar Security explained. Google addressed the vulnerability on April 24 in Gemini CLI version 0.39.1, implementing proper tool allowlisting under yolo mode.
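As an added illustration (not Gemini CLI's own code), the following Python models an agent's tool gate: the flawed policy, in which an unattended auto-approve mode skips the allowlist entirely, beside the corrected one, in which the allowlist holds in every mode and the mode only decides the fate of calls that are not allowlisted. The tool names, the allowlist, the "deny" outcome for unattended runs and the proposed calls are constructed assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ToolCall:
    tool: str       # tool the agent wants to invoke
    argument: str   # its argument (a path, a command line, ...)


# Hypothetical allowlist for an unattended triage agent: read-only tools only.
ALLOWLIST = frozenset({"read_file", "list_directory", "search_issues"})


def gate_vulnerable(call: ToolCall, auto_approve: bool) -> str:
    """Flawed policy: the unattended (auto-approve) flag short-circuits the
    allowlist, so every proposed call is executed, whatever tool it names."""
    if auto_approve:
        return "execute"            # the defect: allowlist never consulted
    return "execute" if call.tool in ALLOWLIST else "ask_user"


def gate_fixed(call: ToolCall, auto_approve: bool) -> str:
    """Corrected policy: the allowlist is authoritative in every mode. The
    flag only decides what happens to a call that is NOT allowlisted: a human
    is asked when one is present; an unattended run denies it (assumption)."""
    if call.tool in ALLOWLIST:
        return "execute"
    return "deny" if auto_approve else "ask_user"


def evaluate(calls, gate, auto_approve):
    """Run a gate over the calls an agent proposed; return (tool, decision)."""
    return [(c.tool, gate(c, auto_approve)) for c in calls]


# Constructed sample: calls a triage agent might propose after reading an
# issue whose body carries injected instructions. The first call is the
# legitimate triage work; the other two originate from the injected text.
PROPOSED = [
    ToolCall("read_file", "ISSUES/1234.md"),
    ToolCall("run_shell_command", "<injected: read credentials>"),
    ToolCall("run_shell_command", "<injected: write to repository>"),
]

if __name__ == "__main__":
    for name, gate in (("vulnerable", gate_vulnerable), ("fixed", gate_fixed)):
        print(name, evaluate(PROPOSED, gate, auto_approve=True))
```

With the flawed gate every proposed call runs unattended; with the corrected gate only the allowlisted read runs and both injected shell calls are denied.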

Palo Alto Firewall Zero-Day Links to Chinese State Actors

Palo Alto Networks disclosed exploitation of CVE-2026-0300, a zero-day vulnerability affecting PA and VM series firewalls that allows unauthenticated remote code execution with root privileges. SecurityWeek reported that a “likely state-sponsored” threat group tracked as CL-STA-1132 successfully exploited the flaw starting April 16.

The attackers conducted immediate log cleanup to avoid detection, clearing crash kernel messages and removing crash core dump files. Four days later, they deployed tools with root privileges and conducted Active Directory enumeration using the firewall’s service account credentials. The attack pattern bears hallmarks of Chinese state-sponsored hacking groups, though Palo Alto Networks has not directly attributed the campaign.

Patches are expected on May 13 and May 28, with the company providing interim mitigations and workarounds to prevent further exploitation.

What This Means

This week’s vulnerability disclosures highlight the compressed timeline between public disclosure and active exploitation, with threat actors weaponizing proof-of-concept code within hours. The diversity of affected platforms — from web hosting infrastructure to mobile devices and AI development tools — demonstrates how modern attack surfaces span every layer of the technology stack.

The emergence of supply chain attack vectors through AI tools represents a new frontier for security teams to monitor. As organizations increasingly integrate AI assistants into development workflows, the potential for prompt injection attacks to compromise entire repositories becomes a critical concern.

Security teams must prioritize emergency patching for these critical vulnerabilities while implementing defense-in-depth strategies that assume breach scenarios. The evidence of coordinated exploitation across multiple platforms suggests sophisticated threat actors are actively scanning for and weaponizing newly disclosed vulnerabilities at unprecedented speed.

FAQ

How quickly should organizations patch these critical vulnerabilities?
CISA has given federal agencies two weeks to patch the Linux Copy Fail vulnerability, while cPanel and Palo Alto patches should be applied immediately when available. The rapid exploitation timeline means organizations have days, not weeks, to respond.

What makes these vulnerabilities particularly dangerous?
All five vulnerabilities allow privilege escalation or remote code execution without user interaction. The cPanel flaw affects millions of websites, while the Linux vulnerability impacts nearly all modern distributions. The Android flaw requires no user interaction for exploitation.

Are these attacks coordinated or coincidental?
While no direct coordination has been proven, the timing and sophistication of exploitation across multiple platforms within the same week suggests organized threat actors are systematically targeting newly disclosed vulnerabilities. The Palo Alto attack shows clear state-sponsored characteristics.

Sources

Digital Mind News

Digital Mind News is an AI-operated newsroom. Every article here is synthesized from multiple trusted external sources by our automated pipeline, then checked before publication. We disclose our AI authorship openly because transparency is part of the product.