A critical authentication bypass vulnerability in cPanel software has come under active exploitation from multiple threat actors, with evidence suggesting zero-day attacks occurred for at least 30 days before public disclosure. CVE-2026-41940, assigned a CVSS score of 9.8, affects millions of websites through tens of thousands of compromised cPanel instances.
cPanel issued a security update on April 28 to address the flaw affecting all supported versions of cPanel, WebHost Manager (WHM), and WP Squared products. The vulnerability was formally identified as CVE-2026-41940 on April 29, the same day WatchTowr Labs published a proof-of-concept exploit describing it as a “disaster” flaw that allows attackers to gain administrative access and take over servers.
Zero-Day Activity Confirmed
KnownHost, a managed cPanel hosting provider, flagged CVE-2026-41940 as a zero-day vulnerability after detecting attempted exploitation on approximately 30 servers. According to Reddit posts by KnownHost CEO Daniel Pearson, the vulnerability had been exploited “at least for the last 30 days,” with attack attempts traced back to February 23.
Internet scanning from Censys showed the cPanel flaw came under attack from multiple threat actors within 24 hours of public disclosure, demonstrating the rapid weaponization of high-impact vulnerabilities. The authentication bypass allows complete server takeover, giving attackers administrative control over hosting environments and the websites they contain.
Copy Fail Linux Kernel Exploit
Separately, threat actors are actively exploiting CVE-2026-31431, dubbed “Copy Fail,” a Linux kernel vulnerability that provides root shell access. CISA added the flaw to its Known Exploited Vulnerabilities catalog on Friday, requiring federal agencies to patch within two weeks.
The vulnerability, which lurked undetected for nearly a decade, affects all Linux distributions since 2017. According to Microsoft’s security analysis, Copy Fail impacts the kernel’s authentication AEAD template, allowing authenticated attackers with code execution privileges to modify cache pages of readable setuid-root binaries for privilege escalation.
Microsoft reported observing limited in-the-wild exploitation, primarily surrounding proof-of-concept testing. However, the company warns that successful exploitation leads to full root privilege escalation and could facilitate container breakout, multi-tenant compromise, and lateral movement in shared environments.
Android Critical RCE Patched
Google released an Android security update on Monday addressing CVE-2026-0073, a critical remote code execution vulnerability in Android’s System component. The flaw affects the Android Debug Bridge daemon (adbd), allowing attackers to execute code as the shell user without requiring additional execution privileges or user interaction.
Google’s security advisory confirms that adbd, the background process managing communication between Android devices and computers for debugging and shell access, contains the exploitable vulnerability. No patches were released this month for Wear OS, Pixel Watch, Android XR, or Android Automotive.
Google has not indicated whether CVE-2026-0073 has been exploited in malicious attacks. Only one Android vulnerability has been flagged as exploited in the wild this year, though several flaws were actively exploited in 2024.
AI Agent Security Flaws
Two separate vulnerabilities affecting AI agents highlight emerging attack vectors in AI-powered tools. A critical flaw in Gemini CLI received a CVSS score of 10.0 after Pillar Security discovered that the tool’s “yolo mode” ignored allowlists, enabling arbitrary command execution.
Attackers could exploit the vulnerability by injecting malicious prompts into GitHub issues on Google repositories. In yolo mode, all tool calls receive automatic approval, allowing attackers to extract internal secrets and potentially achieve full supply chain compromise. Google addressed the vulnerability on April 24 in Gemini CLI version 0.39.1.
Additionally, LayerX Security identified “ClaudeBleed,” a vulnerability in the Claude extension for Chrome that could allow AI agent takeover. The flaw combines lax permissions allowing any Chrome extension to run commands in Claude with poorly implemented trust verification, enabling remote prompt injection and control over the AI agent’s actions.
What This Means
The rapid exploitation of CVE-2026-41940 demonstrates how quickly threat actors weaponize critical vulnerabilities affecting widely-deployed software like cPanel. The 30-day zero-day exploitation window before disclosure highlights the importance of proactive security monitoring and rapid patch deployment.
The emergence of AI agent vulnerabilities like those affecting Gemini CLI and Claude represents a new attack surface requiring specialized security considerations. As AI tools integrate deeper into development workflows and enterprise environments, securing these systems becomes critical to preventing supply chain compromises.
The Copy Fail Linux kernel vulnerability’s decade-long presence underscores how fundamental system components can harbor critical flaws for extended periods. Its broad applicability across cloud, CI/CD, and Kubernetes environments makes it particularly dangerous for modern infrastructure.
FAQ
How can organizations protect against CVE-2026-41940?
Organizations using cPanel should immediately update to the latest version released April 28. Monitor server logs for suspicious administrative access attempts and consider implementing additional access controls for hosting management interfaces.
What makes Copy Fail particularly dangerous?
CVE-2026-31431 affects nearly all Linux distributions from the past decade, provides reliable root privilege escalation, operates entirely in memory, and can facilitate container breakouts in cloud environments where untrusted code execution is common.
Are AI agent vulnerabilities becoming more common?
As AI tools integrate into development workflows and enterprise systems, they present new attack surfaces. The Gemini CLI and Claude vulnerabilities demonstrate how AI agents can be manipulated through prompt injection and permission bypasses, requiring specialized security measures beyond traditional software protections.
Related news
- cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now – The Hacker News
