Cyber Intelligence Daily — May 02, 2026

Four bugs are on CISA's actively-exploited list, and three of them sit underneath the infrastructure most organizations forgot they depend on: the Linux kernel, the Windows Shell, and the cPanel control panel that runs a generous slice of the small-business internet. The pattern this week isn't novelty — it's residue. The Windows flaw is a residual issue after Microsoft incompletely patched an APT28 exploit chain in February. The cPanel bug was being abused for months before disclosure. And Copy Fail has been quietly sitting in every major Linux distribution since 2017. Defenders aren't fighting tomorrow's exploits this weekend; they're paying for shortcuts taken years ago.

• CVE-2026-31431 (Copy Fail) — Linux kernel (all major distros, kernels 2017–present): actively exploited, on KEV with a May 15 federal deadline. A 732-byte local exploit gives root on essentially every unpatched Linux server.
• CVE-2026-32202 — Microsoft Windows Shell: actively exploited, on KEV with a May 12 deadline. Zero-click NTLM hash leak left behind by an incomplete February patch of an APT28 exploit chain.
• CVE-2026-41940 — WebPros cPanel & WHM and WP Squared: actively exploited, on KEV with a Sunday, May 3 federal deadline (still active at time of writing). Authentication bypass on a panel that runs roughly 1.5 million hosting servers.
• CVE-2024-1708 — ConnectWise ScreenConnect: added to KEV with a May 12 deadline. Path traversal in the remote-support tool sitting on an enormous number of enterprise endpoints.
• ABB ICS Advisory ICSA-26-120-01 — ABB System 800xA and Symphony Plus IEC 61850, plus five sibling advisories covering PCM600, Edgenius, OPTIMAX, AWIN Gateways, and S+ Engineering: six CISA advisories on one OT vendor in 48 hours.
• Copy Fail companion findings — Theori research team: at least one additional Linux kernel privilege escalation flaw remains under coordinated disclosure, per Tenable's FAQ.

If you administer Linux servers — and statistically, you do — this is the bug to handle before the weekend ends.

Copy Fail (CVE-2026-31431) is a logic flaw in the kernel's authencesn cryptographic template that lets an unprivileged local user trigger a deterministic 4-byte write into the page cache of any readable file. In practical terms: anyone with a foothold — a contractor account, a CI/CD job, a compromised container — becomes root in seconds. Researchers at Xint published a 732-byte Python script that edits a setuid binary and walks straight to root on essentially every Linux distribution shipped since 2017, including Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, SUSE 16, Debian, Fedora, and Arch.

What sets this apart from prior Linux LPEs like Dirty Cow is reliability. There's no race condition, no timing window, no crash-on-failure. It's a straight-line exploit, and Microsoft's Security Response Center confirmed in their May 1 writeup that they've already observed exploitation against U.S. think tanks, European manufacturers, and cloud service providers — typically chained with a remote bug for initial access, then escalated to deploy ransomware. CISA gave it a May 15 KEV deadline.

If this lands in commodity exploit kits — and the pace of public PoC release suggests it will — every multi-tenant cloud environment becomes a privilege-escalation playground until patched. The signal to watch: whether AlmaLinux's already-shipped fix is matched by Red Hat in the next 48 hours. If it is, enterprise Linux closes the window. If RHEL slips into next week, expect the first widely reported Copy Fail-driven breach by mid-month. Interim mitigation while you wait: disable the algif_aead module (echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf) — it doesn't affect VPNs, disk encryption, or SSH.

Here's the scenario every IT team dreads: you patched on schedule, you did everything right, and you're still exposed.

CVE-2026-32202 is a zero-click NTLM hash leak left behind when Microsoft incompletely patched CVE-2026-21510 in February — the original was part of an APT28 exploit chain (Russia's GRU Unit 26165) used against Ukrainian and EU government targets. While testing the February fix, Akamai researcher Maor Dahan noticed something off, telling The Register: "The victim machine was still authenticating to the attacker's server." The trigger is brutal — opening the folder containing a malicious .lnk file is enough. Windows Explorer renders the icon, fetches it from the attacker's SMB server, and the user's NTLMv2 hash is gone. No double-click required.

Microsoft pushed a fix on April 14 in cumulative update KB5083769 without flagging it as exploited, per Help Net Security. CISA and Microsoft both confirmed active exploitation more than two weeks later. That's the lesson, and it's a structural one: incomplete patches in known APT exploit chains are getting systematically mined for follow-on access. If exploitation gets formally attributed to APT28 in the coming days, it will reinforce a pattern Western defenders should treat as a standing operational reality — Russian state actors are watching their own burned exploits for residue. The signal: whether Microsoft starts retroactively flagging "fixed" CVEs as exploited when researchers find adjacent flaws.

Apply KB5083769. Block outbound SMB (TCP 139, 445) at the perimeter as belt-and-suspenders.

cPanel is the kind of infrastructure most people don't think about until it breaks. It's the web hosting control panel underneath a generous portion of small-business websites, resellers, and shared hosting environments — Picus Security puts the affected install base around 1.5 million servers.

CVE-2026-41940 is a CRLF-injection-driven authentication bypass that lets unauthenticated attackers take over the panel. eSentire's advisory rates it CVSS 9.8. According to Rapid7, the flaw was disclosed April 28, and SOC Prime documented exploitation attempts going back to February — months of quiet abuse before WebPros pushed an emergency patch on April 30. CISA added it to KEV the same day with an unusually compressed federal deadline of Sunday, May 3 — a 48-hour ultimatum, still active at time of writing.

If managed hosting providers begin disclosing opportunistic compromises over the next week, it will confirm what the timeline already implies: this is being abused at internet scale, and a single vulnerable panel exposes hundreds or thousands of downstream customer sites. The signal: watch whether registrars and hosting providers start mass-rotating admin credentials or issuing customer notices. If they don't, the silence itself is the story — shared infrastructure failing quietly is how the long tail of breaches keeps growing.

If your hosting provider hasn't confirmed a patched build, assume scanning is happening now. Update, rotate panel credentials, enable MFA, and demand provider-signed notification on admin changes.

Most breaches are bad in a familiar way: someone gets your email and password, you reset, life goes on. The Mercor breach is different, and the difference is sitting in a database somewhere paired with a scan of your driver's license.

On April 4, the extortion group Lapsus$ posted Mercor — the $10 billion AI training data startup serving OpenAI, Anthropic, and Meta — to its leak site. The dump, per Oravys, runs roughly 4 terabytes: about 3TB of contractor voice recordings paired with government ID scans for over 40,000 people, 939GB of source code, and a 211GB user database with Social Security numbers. Initial access, according to Breacher.ai's reconstruction, came via a software supply chain attack on LiteLLM — a separate group called TeamPCP compromised the open-source AI gateway's CI/CD pipeline on March 24 and pushed malicious package versions to PyPI within 13 minutes.

The reason this is back in the cycle: the downstream math is becoming clear. High-quality voice cloning needs roughly 15 seconds of clean reference audio. Mercor's recordings average two to five minutes of studio-quality speech per contractor — eight to twenty times what's required. Pair the clone with a leaked ID document, and an attacker has both the synthetic voice and the credential to put it to work against help desks, banks, and voice-based MFA. The signal to watch: a measurable uptick in vishing against enterprise account-recovery flows. If it shows up in incident reports over the next month, the Mercor dataset is the likely substrate.

Voice is a biometric you cannot rotate. Disable voice-based account recovery on financial accounts. Set a verbal codeword with family members for emergency calls — a phrase that's never been spoken on a recording.

Russian security outlet Xakep.ru reported overnight on the PocketOS incident: an autonomous AI agent granted backend access wiped a company's production database and its attached backups in roughly nine seconds following a misconfigured prompt. No human in the loop, no rollback, no time to intervene. Xakep frames it as a new class of insider threat — agentic AI tools wired to real systems can act faster than any alert pipeline can flag. For organizations granting agents privileged access, the lesson is simple: treat autonomous agents like privileged accounts, scope their permissions narrowly, and require approvals on destructive operations. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.

Xakep.ru reports that the recent supply-chain compromise at security scanner vendor Checkmarx extended further than initially disclosed: attackers exfiltrated data from private GitHub repositories, including proprietary source code. The implication is uncomfortable. Checkmarx's product is a tool customers run against their own codebases to find vulnerabilities — the theft of its source gives attackers a map for hunting zero-days inside scanners deployed across enterprise environments. Combine that with the SAP npm credential-theft campaign disclosed earlier this week, and the developer toolchain looks less like a supply chain and more like a target list. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.

Xakep.ru documents a threat cluster it tracks as HeartlessSoul, conducting targeted operations against Russian government agencies and industrial-sector organizations with a specific focus on harvesting precise geolocation data on personnel. Rather than stealing documents or deploying ransomware, the group is building physical-location maps of key individuals — a TTP that converts a digital breach into kinetic targeting potential. It mirrors a pattern CERT-UA has been documenting on the Ukrainian side, where the UAC-0247 cluster is hunting FPV drone operators and frontline medical units. The convergence of cyber reconnaissance and physical operations is becoming the dominant feature of conflict-zone threat activity. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.

Xakep.ru reports that Cloudflare classified the domain associated with Max — the Russian-developed messenger Moscow has positioned as a domestic alternative to WhatsApp and Telegram — as spyware. The classification matters because Cloudflare's threat intelligence feeds drive blocking decisions across security products globally; an enterprise running Cloudflare Gateway or Zero Trust will now reject Max traffic by default. For Russian users being pushed toward the app by domestic regulatory pressure, the practical effect is a messenger that may not function reliably anywhere outside Russian network borders. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.

A 732-byte Python script that owns every Linux server built since 2017, a Windows folder that leaks your NTLM hash the moment Explorer renders an icon, and an AI agent that wiped a company's entire database in less time than it takes to sneeze. Somewhere in a Russian forum, a HeartlessSoul operator is building a map of who eats lunch where, and somewhere in California, 40,000 voiceprints are waiting patiently for their first phone call.

Patch your kernels. Pin your dependencies. Don't answer the phone.

If you know someone whose Saturday would benefit from a 48-hour cPanel deadline, forward this their way.