Cyber Intelligence Daily — May 04, 2026
The Big Picture
Monday opens with a CVSS 10.0 in Apache Camel that needs exactly one UDP packet to own your server, a Linux kernel bug that Red Hat still hasn't patched five days into the CISA clock, and a cPanel flaw that has now graduated from "critical advisory" to actual ransomware victims with .sorry-encrypted files. None of it is novel — single-packet RCE, kernel LPE, hosting panel takeover — but the choreography is unusually tight: disclosure, public PoC, and operational exploitation are landing inside the same week, and patch coverage is still uneven across major distributions. If you defend Linux servers, integration middleware, or shared hosting, this is the week you don't want to be the slowest patcher in your peer group.
What Just Dropped
- CVE-2026-33453 — Apache Camel 4.14.0–4.14.5 and 4.18.0: patched in 4.18.1 and 4.19.0; working PoC public, CVSS 10.0. Single unauthenticated UDP packet to CoAP port 5683 yields remote code execution; HTTP-layer WAFs cannot see it.
- CVE-2026-31431 — Linux kernel algif_aead ("Copy Fail"): Debian, Ubuntu (older LTS), AlmaLinux, CloudLinux patched; Red Hat errata still pending; KEV-listed, CISA deadline May 15. 732-byte local privilege escalation works unmodified across distributions built since 2017.
- CVE-2026-41940 — WebPros cPanel & WHM: patched April 28, KEV deadline was May 3 (now passed), CVSS per KEV table. Mass-exploited in "Sorry" ransomware attacks against shared hosting.
- CVE-2024-1708 — ConnectWise ScreenConnect: patched, re-added to KEV with May 12 federal deadline. Path-traversal partner to the 2024 auth bypass; tied by Field Effect and Sophos to DragonForce ransomware activity.
- CVE-2025-48384 — Git CLI on Linux/macOS: patched in Git 2.43.7+, working PoC public. A malicious repository plus git clone --recursive writes auto-executing hooks to a developer's machine.
- CVE-2025-69985 — FUXA SCADA/HMI ≤1.2.8: patched in 1.2.11, fully weaponized PoC on Exploit-DB. Auth bypass via Referer header into /api/runscript yields unauthenticated Node.js RCE on industrial control dashboards.
- Apache Tomcat CVE-2025-24813 PoC — automated exploit script updated within the past 24 hours; deserialization-based RCE against vulnerable Tomcat instances.
Today's Stories
One Packet. No Password. Full Control of Your Apache Camel Server.
If your organization runs Apache Camel — the integration framework wiring together enterprise apps, IoT devices, and cloud services at thousands of companies — this should interrupt your Monday.
CVE-2026-33453 sits in the camel-coap component, which speaks CoAP (Constrained Application Protocol — a lightweight UDP-based messaging standard popular in IoT and industrial systems). Per IONIX's analysis of the Apache advisory, the component maps incoming CoAP query parameters directly into Camel Exchange message headers with no filtering, letting an unauthenticated attacker inject arbitrary internal headers that downstream components like camel-exec, camel-sql, and camel-bean will happily honor. The result, per Feedly's CVE entry, is single-packet pre-auth remote code execution.
The exploitation bar is almost nonexistent: one unauthenticated UDP datagram to port 5683. CoAP has no built-in authentication, DTLS is optional and off by default, and because the traffic is UDP, the HTTP-aware WAFs and IDS rules sitting in front of your stack don't see it. CVSS 10.0. PoC exists. Affected: 4.14.0 through 4.14.5 and 4.18.0; the fix is upgrading to 4.18.1 or 4.19.0; if you can't patch today, block UDP/5683 at the perimeter as a stopgap.
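Because the injection rides on UDP rather than HTTP, the useful detection sits at the datagram layer, not in the WAF. The following is an added example, not Apache's or IONIX's code: a minimal CoAP parser that decodes the RFC 7252 option list and flags Uri-Query parameters named after Camel internal headers. It assumes the injected parameters take the form name=value, which is what the advisory's description of query-parameter-to-header mapping implies; the header name used in the constructed sample, CamelExecCommandExecutable, is camel-exec's documented header for the executable to run. The public PoC's exact payload is not reproduced here, and the prefix match is a heuristic for the attack shape, not a signature for the CVE.

```python
import struct

URI_PATH, URI_QUERY = 11, 15          # CoAP option numbers (RFC 7252)
CAMEL_HEADER_PREFIX = "Camel"         # Camel's internal headers all carry this prefix


def _ext_value(nibble, buf, pos):
    """Decode a 4-bit option delta/length nibble plus its extension bytes."""
    if nibble == 13:
        return buf[pos] + 13, pos + 1
    if nibble == 14:
        return struct.unpack_from("!H", buf, pos)[0] + 269, pos + 2
    if nibble == 15:
        raise ValueError("reserved option nibble 15 outside payload marker")
    return nibble, pos


def parse_coap(datagram):
    """Parse one CoAP datagram into header fields, (number, value) options and payload."""
    if len(datagram) < 4:
        raise ValueError("shorter than a CoAP header")
    first, code, msg_id = struct.unpack_from("!BBH", datagram, 0)
    version, mtype, tkl = first >> 6, (first >> 4) & 0x3, first & 0xF
    if version != 1 or tkl > 8:
        raise ValueError("not a CoAP version 1 message")
    pos = 4 + tkl
    token = datagram[4:pos]
    options, number = [], 0
    while pos < len(datagram):
        if datagram[pos] == 0xFF:      # payload marker: everything after it is payload
            pos += 1
            break
        delta_n, len_n = datagram[pos] >> 4, datagram[pos] & 0xF
        pos += 1
        delta, pos = _ext_value(delta_n, datagram, pos)   # delta extension precedes length extension
        length, pos = _ext_value(len_n, datagram, pos)
        number += delta               # option numbers are delta-encoded and cumulative
        options.append((number, datagram[pos:pos + length]))
        pos += length
    return {"type": mtype, "code": code, "msg_id": msg_id, "token": token,
            "options": options, "payload": datagram[pos:]}


def camel_header_injection_hits(msg):
    """Return (key, value) pairs for Uri-Query options whose key looks like a Camel internal header."""
    hits = []
    for number, raw in msg["options"]:
        if number != URI_QUERY:
            continue
        key, _, value = raw.decode("utf-8", "replace").partition("=")
        if key.startswith(CAMEL_HEADER_PREFIX):
            hits.append((key, value))
    return hits


def _nibble(v):
    """Encode an option delta/length as (nibble, extension bytes)."""
    if v < 13:
        return v, b""
    if v < 269:
        return 13, bytes([v - 13])
    return 14, struct.pack("!H", v - 269)


def build_coap_get(path, queries, msg_id=0x1234):
    """Build a confirmable CoAP GET with Uri-Path and Uri-Query options (used here to construct samples)."""
    out = bytearray(struct.pack("!BBH", 0x40, 0x01, msg_id))   # ver 1, CON, TKL 0, code 0.01 GET
    opts = [(URI_PATH, p.encode()) for p in path] + [(URI_QUERY, q.encode()) for q in queries]
    last = 0
    for number, value in sorted(opts, key=lambda o: o[0]):      # options must be emitted in ascending number order
        dn, dext = _nibble(number - last)
        ln, lext = _nibble(len(value))
        out += bytes([(dn << 4) | ln]) + dext + lext + value
        last = number
    return bytes(out)


# Constructed sample datagrams: a normal telemetry request and one carrying a query parameter
# named after camel-exec's CamelExecCommandExecutable header.
BENIGN_DATAGRAM = build_coap_get(["telemetry"], ["site=plant7"])
SUSPECT_DATAGRAM = build_coap_get(["telemetry"], ["site=plant7", "CamelExecCommandExecutable=uname"])

if __name__ == "__main__":
    for name, dg in (("benign", BENIGN_DATAGRAM), ("suspect", SUSPECT_DATAGRAM)):
        print(name, camel_header_injection_hits(parse_coap(dg)))
```

Wire parse_coap and camel_header_injection_hits into whatever already sees raw UDP/5683 (a Zeek or Suricata Lua hook, a pcap replay, a sidecar tap) and alert on any non-empty result; a legitimate CoAP client has no reason to send a query key that starts with Camel.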
What changes if this gets exploited at scale: Camel is connective tissue, not a product users see. A compromised Camel instance is often a path into payment systems, claims processing, or industrial telemetry pipelines that nobody else has visibility into. The signal to watch is GreyNoise and Shodan over the next 72 hours — once a CVSS 10.0 PoC circulates, mass-scanning against the affected port typically arrives before the second weekend.
Copy Fail Update: Red Hat Still Hasn't Shipped a Patch — And CISA's Clock Is Ticking
● United States
The Copy Fail saga has been running a week, but there's a development today that changes the math for anyone on Red Hat Enterprise Linux, Rocky, or older Ubuntu releases.
Per Microsoft's Security Blog post on May 1, the company is actively investigating CVE-2026-31431 — a high-severity local privilege escalation in the Linux kernel's algif_aead crypto interface affecting Red Hat, SUSE, Ubuntu, and AWS Linux, hitting a meaningful share of cloud Linux workloads and Kubernetes clusters. The exploit is a 732-byte script. No race condition. No version-specific tuning. It just works.
Patch status as of this morning: Debian shipped. Ubuntu's older LTS releases shipped. AlmaLinux shipped May 1. CloudLinux has live patches rolling per its engineering blog. Red Hat's official errata is still pending. If you're on RHEL waiting for the official channel, you're still exposed, and the modprobe-based workaround circulating on oss-security does not work on RHEL-family systems, because algif_aead is built into the kernel rather than loaded as a module. CloudLinux's advisory is explicit: the commands run without errors but leave the system unchanged, which is worse than not running them at all, because it leaves a change record saying "mitigated" next to a host that is not.
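Added example, not from Red Hat, CloudLinux or the oss-security thread: two checks for whether the modprobe workaround can mean anything on a given kernel. The first reads the kernel's build config for CONFIG_CRYPTO_USER_API_AEAD, the Kconfig symbol that builds algif_aead, and reports whether it is a loadable module or built in. The second is a live probe that binds an AF_ALG socket of type aead, which is the way any userspace caller reaches algif_aead; if that bind still succeeds after a workaround was applied, the workaround did nothing. The config excerpts in the block are constructed for the demo, not copied from any distribution's real config.

```python
import gzip
import os
import re
import socket

KCONFIG_SYMBOL = "CONFIG_CRYPTO_USER_API_AEAD"   # Kconfig option that builds algif_aead


def algif_aead_build_mode(kernel_config):
    """Classify algif_aead from kernel config text: 'builtin' (=y), 'module' (=m) or 'absent'."""
    m = re.search(rf"^{KCONFIG_SYMBOL}=([ym])$", kernel_config, re.MULTILINE)
    if m is None:
        return "absent"
    return "builtin" if m.group(1) == "y" else "module"


def modprobe_workaround_can_work(kernel_config):
    """A blacklist or 'install algif_aead /bin/false' line in modprobe.d only has an effect when
    algif_aead is a loadable module; on a built-in kernel the line is accepted and ignored."""
    return algif_aead_build_mode(kernel_config) == "module"


def load_running_kernel_config():
    """Read the running kernel's config from /boot or /proc/config.gz (Linux); None if unavailable."""
    if not hasattr(os, "uname"):
        return None
    release = os.uname().release
    for path in (f"/boot/config-{release}", "/proc/config.gz"):
        opener = gzip.open if path.endswith(".gz") else open
        try:
            with opener(path, "rt") as fh:
                return fh.read()
        except OSError:
            continue
    return None


def aead_socket_reachable():
    """Live probe (Linux only): bind an AF_ALG socket of type 'aead'. True means userspace can still
    reach algif_aead, so the attack surface is present regardless of what modprobe.d says. On a
    module build with no blacklist the bind itself autoloads the module, which is exactly what an
    unprivileged exploit would do. Returns None where the platform has no AF_ALG."""
    if not hasattr(socket, "AF_ALG"):
        return None
    try:
        with socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0) as s:
            s.bind(("aead", "gcm(aes)"))
        return True
    except OSError:
        return False


# Constructed config excerpts (not copied from any distribution's real config).
BUILTIN_CONFIG = "CONFIG_CRYPTO_USER_API=y\nCONFIG_CRYPTO_USER_API_AEAD=y\n"
MODULE_CONFIG = "CONFIG_CRYPTO_USER_API=m\nCONFIG_CRYPTO_USER_API_AEAD=m\n"
ABSENT_CONFIG = "CONFIG_CRYPTO_USER_API=y\n# CONFIG_CRYPTO_USER_API_AEAD is not set\n"

if __name__ == "__main__":
    cfg = load_running_kernel_config()
    if cfg is not None:
        mode = algif_aead_build_mode(cfg)
        print(f"algif_aead build mode: {mode}; modprobe workaround applicable: {modprobe_workaround_can_work(cfg)}")
    print(f"aead AF_ALG socket reachable right now: {aead_socket_reachable()}")
```

The probe is the check that matters: it answers the same question the exploit asks the kernel, so "reachable: True" after a change window means the host is still in scope for the CISA deadline no matter what the ticket says.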
Microsoft says it is observing preliminary testing activity that may presage broader exploitation in the coming days. CISA's federal remediation deadline is May 15. If that errata doesn't arrive in the next several days, watch for federal CIOs to start escalating in public — that's the signal that the gap between "Linux distribution promises" and "Linux distribution delivery" has finally become a procurement-level question.
The cPanel bug everyone was warned about is now turning servers into ransomware victims
● United States
If your company hosts websites, customer portals, or email on cPanel, the weekend got worse.
BleepingComputer reported on May 2 that attackers are mass-exploiting CVE-2026-41940 — an authentication bypass in WebPros cPanel & WHM — and pairing it with "Sorry" ransomware that leaves files renamed with a .sorry extension. cPanel's own advisory describes the affected versions and shipped fixed builds on April 28, with explicit "update immediately" language. By May 1 and 2, customers on cPanel's support forums were posting about encrypted files, rogue root-level accounts, and exposed management ports (2083, 2087, 2095, 2096) being the entry vector.
The CISA KEV deadline for federal agencies on this one was May 3 — already behind us. What changes if exploitation broadens: shared hosting compromises don't stop at one site. A single cPanel takeover hands over hundreds or thousands of customer websites at once, plus the email infrastructure routed through them. Watch hosting providers' status pages this week. If a second-tier hosting brand goes quiet, that's usually the tell.
CVE-2025-69985: A Working RCE Exploit for FUXA SCADA Just Hit Exploit-DB — No Reverse Shell Required
FUXA is an open-source web-based SCADA/HMI platform — the software sitting between an operator's screen and physical equipment in factories, water plants, and energy facilities. Per Intruder's CVE tracker, CVE-2025-69985 is an authentication bypass in versions 1.2.8 and prior: the JWT-helper middleware trusts the HTTP Referer header for validating internal requests, letting an unauthenticated attacker reach the protected /api/runscript endpoint and execute arbitrary Node.js code on the server.
What landed on Exploit-DB this weekend converts theory into operations: the published exploit achieves full remote command execution with stdout capture — no reverse shell required. Per DailyCVE's writeup of the broader FUXA vulnerability cluster, successful exploitation provides a foothold into ICS environments, with the obvious downstream possibility of manipulating physical processes that the dashboard monitors. Patched in 1.2.11.
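To make the bypass concrete, here is an added example modeled on the description above, not FUXA's own code: a Referer-trusting gate beside a hardened one that ignores Referer entirely and admits only a request whose HS256 token verifies, has not expired, and carries an admin role. The signing secret, hostname and request headers are constructed for the demo, and the hardened gate's extra checks (pinned algorithm, expiry, role) go beyond what the page states about the fix in 1.2.11.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret and host for the demo; both are assumptions, not FUXA's values.
DEMO_SECRET = b"demo-hmi-secret-not-for-production"
DEMO_HOST = "hmi.example.internal"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims, secret):
    """Issue a compact HS256 JWT (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token, secret, now):
    """Return the claims if the signature verifies and the token is unexpired, else None."""
    try:
        header, payload, sig = token.split(".")
        hdr = json.loads(_b64url_decode(header))
        if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":   # pin the algorithm, never trust 'alg'
            return None
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:          # malformed base64, bad UTF-8 or invalid JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def _bearer(headers):
    auth = headers.get("Authorization", "")
    return auth[7:] if auth.startswith("Bearer ") else ""


def allow_runscript_vulnerable(headers, secret, now):
    """Models the flaw as described: a Referer pointing back at the HMI host marks the request
    'internal' and skips token validation. The client controls Referer, so this is no check at all."""
    referer = headers.get("Referer", "")
    if referer.startswith(f"http://{DEMO_HOST}/") or referer.startswith(f"https://{DEMO_HOST}/"):
        return True
    return verify_hs256(_bearer(headers), secret, now) is not None


def allow_runscript_hardened(headers, secret, now):
    """Referer is ignored; only a valid, unexpired token with an admin role reaches runscript."""
    claims = verify_hs256(_bearer(headers), secret, now)
    return claims is not None and "admin" in claims.get("roles", [])


# Constructed requests. NOW is a fixed clock so the demo is deterministic.
NOW = 1_780_000_000
FORGED_REFERER = {"Referer": f"http://{DEMO_HOST}/editor", "Content-Type": "application/json"}
OPERATOR = {"Authorization": "Bearer " + mint_hs256({"sub": "op1", "roles": ["admin"], "exp": NOW + 300}, DEMO_SECRET)}
EXPIRED = {"Authorization": "Bearer " + mint_hs256({"sub": "op1", "roles": ["admin"], "exp": NOW - 1}, DEMO_SECRET)}
WRONG_KEY = {"Authorization": "Bearer " + mint_hs256({"sub": "op1", "roles": ["admin"], "exp": NOW + 300}, b"other-key")}

if __name__ == "__main__":
    for name, req in (("forged Referer", FORGED_REFERER), ("operator", OPERATOR),
                      ("expired", EXPIRED), ("wrong key", WRONG_KEY)):
        print(f"{name:15} vulnerable={allow_runscript_vulnerable(req, DEMO_SECRET, NOW)} "
              f"hardened={allow_runscript_hardened(req, DEMO_SECRET, NOW)}")
```

The forged-Referer request is the whole story: it carries no token and still passes the vulnerable gate, which is why the Exploit-DB entry needs nothing beyond a crafted HTTP request to reach /api/runscript.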
The historical signal here is that the gap between "public PoC posted to Exploit-DB" and "active scanning of internet-exposed HMI dashboards" is short, measured in days, not weeks. If you operate FUXA in any OT environment and it's reachable from outside your control network, that's the first call this morning. If it's reachable from the internet at all, that's the call you should have made last week.
⚡ What Most People Missed
- Apache Camel shipped five critical CVEs in one batch: CVE-2026-33453 is the headliner, but CVE-2026-40453 (CVSS 9.9) is a bypass of the fix for an earlier header-injection bug — meaning teams that already patched may still be exposed. CVE-2026-40860 and CVE-2026-40858 add JMS deserialization paths. One patch is not enough.
- Microsoft Defender flagged DigiCert root certificates as malware over the weekend: The false positive, detected as Trojan:Win32/Cerdigent.A!dha, was resolved in Defender signature update 1.449.430.0. The buried story, per a Mozilla Bugzilla filing referenced by Neowin, is a DigiCert breach in which a threat actor compromised a support analyst's machine, extracted code-signing certificate initialization codes, and got 60 certificates revoked, 27 of them explicitly tied to "Zhong Stealer" malware. The certificate authority compromise has had almost no standalone coverage.
- Firefox stores a stable identifier that survives Tor "New Identity": Per Fingerprint.com's research, IndexedDB assigns a persistent storage ID tied to the profile rather than the session, meaning a user who clicks "New Identity" in Tor Browser can be linked across all subsequent identities in the same Firefox instance. Architecture-level, not a one-line patch.
- NCSC details GRU router hijacks as a credential-collection play: The UK's National Cyber Security Centre describes APT28 rewriting DHCP and DNS settings on small-office routers to selectively steer victim traffic through attacker-controlled infrastructure. The framing in most coverage has been "another router botnet"; the NCSC framing is "credential interception at the network layer," which is the more useful threat model for anyone with distributed edge appliances handling identity flows.
From the Foreign Press
Russia's Telegram Blocking Replays 2018 — Badly
● Moscow, Russia
Russian specialist outlet Xakep published an extensive chronicle this morning of Russia's renewed attempt to throttle Telegram, framing it as a sequel to the 2018 episode that collapsed under its own collateral damage. The piece documents how users are circumventing current restrictions at scale — VPN downloads through the Russian Google Play store have grown roughly 14-fold by Xakep's reading — and notes Cloudflare classifying the domain associated with Max, Moscow's domestic messenger alternative, as spyware. The security-relevant edge: the same circumvention tooling Russian users are now installing en masse is what threat actors use to mask command-and-control traffic, and the infrastructure supporting it is scaling in the open. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
Checkmarx Had Data Stolen From Private GitHub Repositories
Xakep reports that the supply-chain compromise at security scanner vendor Checkmarx — partially disclosed in March — extended further than the original incident notice acknowledged, with attackers exfiltrating data from private GitHub repositories rather than only poisoning developer-facing tooling. For customers running Checkmarx in their software development lifecycle, this widens the trust question from "did we ingest a malicious update?" to "what did our scanner know about our code, and where is that knowledge now?" Western coverage of the original supply-chain incident has not yet absorbed this expansion. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
📅 What to Watch
- If Red Hat's CVE-2026-31431 errata doesn't ship before the May 15 CISA deadline, expect the next federal procurement cycle to include uncomfortable questions about enterprise Linux support SLAs that vendors have spent years not having to answer.
- If GreyNoise registers mass-scanning on UDP/5683 this week, Apache Camel exposure becomes an incident-response problem rather than a patching problem — the perimeter logs your WAF kept won't help you reconstruct what happened.
- If a second-tier hosting provider goes silent on its status page, that's usually how cPanel mass-compromises surface publicly — through customer complaints, not vendor disclosures.
- If the Linux kernel security team adopts a coordinated embargo process in response to the oss-security debate, the operational tempo of every distribution shifts: enterprise Linux vendors gain advance notice they currently don't have, and the "public PoC on day one" pattern that defined Copy Fail stops being the default.
- If CERT-UA stays quiet for another 48 hours, that's an unusual lull worth treating as a signal rather than a gap — Russian operational tempo against Ukrainian infrastructure has rarely paused this long, and silence often precedes a disclosure cluster.
- If a FUXA-based ICS incident surfaces in the next two weeks, expect it to be the first public case of an Exploit-DB upload converting directly into operational technology compromise without an intermediate APT-tooling step.
The Closer
A 732-byte script that owns unpatched Linux kernels built since the Trump administration's first term, a single UDP packet that walks past your firewall whistling, and a SCADA dashboard that takes orders from anyone who knows how to forge a Referer header. Somewhere in Raleigh, a Red Hat release engineer is staring at a Jira ticket while the CISA clock ticks, and a DigiCert support analyst's compromised machine is teaching Microsoft Defender that DigiCert is the enemy. Patch what you can; document what you can't.
Forward this to whoever's on call tonight — they'll want the cPanel detail before their pager finds them.