
CVE Insights: Critical Vulnerabilities to Patch This Week (May 6, 2026)

By ScruteX Team
Three CISA KEV deadlines hit this week and one passed last Sunday with telemetry showing no slowdown in exploitation. The cPanel authentication bypass (CVE-2026-41940) disclosed on April 28 is the most consequential vulnerability defenders are still working through. Mass scanning began within 24 hours of the patch. By April 30, Shadowserver tracked 44,000 unique IPs probing exposed cPanel honeypots. Confirmed government targeting in the Philippines and Laos followed on May 2. The federal deadline expired May 3. Active exploitation continues.
In the same eight-day window, Theori disclosed CVE-2026-31431, the Linux kernel "Copy Fail" privilege escalation. A 732-byte Python script gives root on every mainstream Linux distribution shipped since 2017. CISA added it to KEV on May 1. SAP's npm supply chain took a hit from a worm called Mini Shai-Hulud on April 29. And the Windows Shell and ConnectWise CVEs added to KEV alongside cPanel are six days from their federal remediation deadline.
This week's CVE Radar covers the seven vulnerabilities and one supply chain breach that need attention before May 12. We have prioritized by exploitation status, not CVSS score.

Patch Priority Snapshot

Rank | CVE | Product | CVSS | Status | Deadline
1 | CVE-2026-41940 | cPanel & WHM | 9.8 | KEV, mass-exploited | May 3 (passed)
2 | CVE-2026-31431 | Linux kernel (Copy Fail) | 7.8 | KEV (May 1), public PoC | May 15
3 | CVE-2026-32202 | Windows Shell | 4.3 | KEV, APT28 chaining | May 12
4 | CVE-2024-1708 | ConnectWise ScreenConnect | 8.4 | KEV, Storm-1175 + Medusa | May 12
5 | CVE-2026-33824 | Windows IKE Service | 9.8 | Critical, no public PoC yet | None
6 | CVE-2026-32201 | SharePoint Server | 6.5 | KEV (Apr 14), ongoing exploitation | Apr 28 (passed)
7 | CVE-2026-27681 | SAP BPC / BW | 9.9 | Critical, no confirmed exploitation | None
Bonus | Mini Shai-Hulud | SAP CAP npm packages | N/A | Active supply chain breach | N/A

CVE-2026-41940: cPanel Mass Exploitation Is Now the Story

Severity: CVSS 9.8 (Critical). Pre-authentication, network-reachable. CISA KEV since April 28. Federal deadline May 3, now passed.
The cPanel authentication bypass disclosed on April 28 has moved from "expected mass exploitation" to confirmed mass exploitation in a week. The flaw is a Carriage Return Line Feed (CRLF) injection in the cpsrvd login flow. An unauthenticated attacker manipulates the whostmgrsession cookie and injects raw \r\n characters into a Basic authorization header, writing attacker-controlled session entries (user=root, hasroot=1, tfa_verified=1) to the pre-authentication session file. The system reloads the file and treats the session as fully authenticated root. Four HTTP requests, zero credentials.
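The mechanism described above, reduced to a toy model. This is an added example, not cPanel's code: a hypothetical line-oriented session store whose field names mirror the indicators the advisory lists (user, hasroot, tfa_verified), with the vulnerable serializer beside a hardened one. The function names, the field order and the payload are assumptions.

```python
"""Toy model of CRLF injection into a line-oriented session store (added example,
not cPanel's code). Field names mirror the advisory's indicators; layout and
function names are assumptions."""
from typing import Callable, Dict

Serializer = Callable[[Dict[str, str]], str]


class SessionWriteError(ValueError):
    """Raised by the hardened serializer when a value would break the file format."""


def serialize_vulnerable(fields: Dict[str, str]) -> str:
    # Vulnerable pattern: every value is written verbatim. A value carrying
    # "\r\n" therefore becomes extra key=value lines in the file.
    return "".join(f"{key}={value}\n" for key, value in fields.items())


def serialize_hardened(fields: Dict[str, str]) -> str:
    # Hardened pattern: the serializer enforces its own grammar. Keys may not
    # contain CR, LF or the separator; values may not contain CR or LF.
    for key, value in fields.items():
        if any(ch in key for ch in "\r\n=") or any(ch in value for ch in "\r\n"):
            raise SessionWriteError(f"refusing to write field {key!r}: line break in data")
    return "".join(f"{key}={value}\n" for key, value in fields.items())


def load_session(text: str) -> Dict[str, str]:
    # Line-oriented reader. The last occurrence of a key wins, which is what
    # lets injected lines override the pre-authentication defaults.
    session: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            session[key.strip()] = value.strip()
    return session


def build_preauth_session(login_name: str, serialize: Serializer) -> Dict[str, str]:
    # Pre-auth session as created for an unauthenticated request. In this model
    # the login name (the only attacker-influenced value) is written last.
    fields = {"hasroot": "0", "tfa_verified": "0", "user": login_name}
    return load_session(serialize(fields))


def hardened_rejects(login_name: str) -> bool:
    """True if the hardened serializer refuses the given login name."""
    try:
        build_preauth_session(login_name, serialize_hardened)
    except SessionWriteError:
        return True
    return False


if __name__ == "__main__":
    # Constructed payload: a login name with CR/LF-separated session fields appended.
    payload = "guest\r\nuser=root\r\nhasroot=1\r\ntfa_verified=1"
    print("vulnerable store ->", build_preauth_session(payload, serialize_vulnerable))
    print("hardened store rejects ->", hardened_rejects(payload))
```

The point of the hardened variant is that the component owning the file format rejects line terminators itself rather than trusting every caller to sanitize header-derived strings; with the vulnerable serializer the same payload yields a session that reads back as user=root, hasroot=1, tfa_verified=1.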
What changed in the past eight days:
  • April 29: watchTowr Labs published the technical writeup and Detection Artifact Generator. Hadrian published a Nuclei template the same day.
  • April 30: Shadowserver tracked 44,000 unique IPs scanning, exploiting, or brute-forcing exposed cPanel honeypots. Around 650,000 IPs visible as exposed cPanel/WHM instances.
  • May 2: Ctrl-Alt-Intel observed targeted exploitation from IP 95.111.250[.]175 against Philippine government and military domains (*.mil.ph, *.ph) and Laotian government domains (*.gov.la), as well as MSPs and hosting providers.
  • May 3: FCEB remediation deadline expired. Active scanning dropped to ~3,540 IPs but did not stop.
  • May 6 (today): Active exploitation continues. Assume any internet-exposed cPanel server that was unpatched on April 29 was probed.
KnownHost data places initial in-the-wild exploitation at February 23, 2026. Two months of zero-day before the patch existed. Affected versions: all cPanel and WHM releases after v11.40, plus WP Squared v136.1.7 and earlier. Roughly 1.5 million instances exposed on the public internet per Shodan.
Defender actions (in priority order):
  1. Verify patch status now. Run /usr/local/cpanel/cpanel -V on every cPanel host. If you use a hosting provider, demand build number confirmation in writing today. Trust nothing verbal.
  2. Run cPanel's official detection script. cPanel released an updated detection script on May 3 that removes false positives from the April 28 version. Use the latest one. Pair it with the watchTowr Detection Artifact Generator and Hadrian's Nuclei template for cross-validation.
  3. Inspect session files manually. Look in /var/cpanel/sessions/raw/ for pre-auth session files containing user=root, hasroot=1, tfa_verified=1, successful_internal_auth_with_timestamp, or multiple pass= lines. Any of these is a confirmed exploitation indicator.
  4. Audit cpsrvd access logs back to February 23, 2026. The signature is HTTP 401 responses on /login/?login_only=1 immediately followed by Authorization: Basic requests on non-/login URLs from the same source IP. If your retention does not go back to February, audit as far as you have.
  5. Check for persistence. Audit WHM for unexpected user accounts, SSH keys, and cron jobs. Verify no unauthorized modifications to /etc/, /usr/local/cpanel/, or root's ~/.bashrc and authorized_keys.
  6. Treat any compromise indicator as an active incident. Two months of zero-day exploitation plus eight days of mass scanning means assumed breach is the correct posture for any internet-exposed cPanel host that was unpatched on April 29.
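Steps 3 and 4 above as triage code. This is an added example, not cPanel's detection script: it flags the session-file markers the advisory names and reconstructs the 401-then-non-/login request sequence from an access log. It assumes key=value session files and a combined-format access log; the sample session file and log lines are constructed, and you will need to adjust the regex if your cpsrvd log layout differs.

```python
"""Added triage helpers for the cPanel indicators (not cPanel's own script).
Assumes key=value session files and combined-format access log lines."""
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Markers the advisory names as confirmed-exploitation indicators in a pre-auth session file.
MARKER_VALUES = {"user": "root", "hasroot": "1", "tfa_verified": "1"}
MARKER_KEYS = {"successful_internal_auth_with_timestamp"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def scan_session_file(text: str) -> List[str]:
    """Return the exploitation markers present in one pre-auth session file.
    The caller decides which files are pre-auth: a legitimately authenticated
    root session also carries user=root and hasroot=1."""
    found: List[str] = []
    pass_lines = 0
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "pass":
            pass_lines += 1
        if MARKER_VALUES.get(key) == value:
            found.append(f"{key}={value}")
        if key in MARKER_KEYS:
            found.append(key)
    if pass_lines > 1:
        found.append(f"multiple pass= lines ({pass_lines})")
    return found


def find_bypass_sequences(lines: List[str], window: timedelta = timedelta(seconds=30)) -> List[Dict[str, str]]:
    """Flag a non-/login request that follows a 401 on /login/?login_only=1 from
    the same source IP within `window`. Access logs do not record the
    Authorization header, so the request sequence is the observable; the
    authuser field, when populated, shows which account the server accepted."""
    last_login_401: Dict[str, datetime] = {}
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, path, status = m["ip"], m["path"], m["status"]
        if path.startswith("/login/") and "login_only=1" in path and status == "401":
            last_login_401[ip] = ts
            continue
        prior = last_login_401.get(ip)
        if prior is not None and not path.startswith("/login") and ts - prior <= window:
            findings.append({"ip": ip, "ts": m["ts"], "path": path, "status": status, "user": m["user"]})
    return findings


# Constructed samples (not real telemetry).
SAMPLE_SESSION = "user=root\nhasroot=1\ntfa_verified=1\npass=aaaa\npass=bbbb\n"
SAMPLE_LOG = """\
203.0.113.7 - - [29/Apr/2026:10:15:01 +0000] "GET /login/?login_only=1 HTTP/1.1" 401 0 "-" "python-requests/2.31"
203.0.113.7 - root [29/Apr/2026:10:15:02 +0000] "GET /json-api/listaccts HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.9 - - [29/Apr/2026:10:20:00 +0000] "GET /login/?login_only=1 HTTP/1.1" 401 0 "-" "Mozilla/5.0"
198.51.100.9 - - [29/Apr/2026:10:20:05 +0000] "POST /login/ HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    print("session markers:", scan_session_file(SAMPLE_SESSION))
    for finding in find_bypass_sequences(SAMPLE_LOG.splitlines()):
        print("suspicious sequence:", finding)
```

The second IP in the sample is a normal failed-then-successful login and is not flagged; the first IP goes straight from a 401 on the login endpoint to an API call the server served as root, which is the pattern the advisory describes. Run the log check over the full retention window, not just the mass-scanning period.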
MITRE ATT&CK mapping: T1190 (Exploit Public-Facing Application), T1078.003 (Valid Accounts: Local Accounts), T1098.004 (Account Manipulation: SSH Authorized Keys), T1505.003 (Web Shell, where attackers maintain access).

CVE-2026-31431 "Copy Fail": Every Linux Distribution Since 2017

Severity: CVSS 7.8 (High). Local privilege escalation. Added to CISA KEV May 1, 2026. Federal deadline May 15.
Theori disclosed Copy Fail on April 29. The headline number is the exploit size: 732 bytes of Python that gives any unprivileged local user root on Ubuntu, Amazon Linux, RHEL, SUSE, Debian, Fedora, AlmaLinux, and Arch. The bug is a logic flaw in the kernel's authencesn cryptographic template, reached through the interaction of AF_ALG sockets and the splice() system call. The result is a deterministic 4-byte write into the page cache of any readable file, which lets an attacker corrupt the in-memory copy of /usr/bin/su or any other privileged binary without touching disk.
The flaw was introduced in 2017 via commit 72548b093ee3, which switched AEAD operations to in-place processing. Every Linux kernel from 4.14 onward is vulnerable until patched. Fixes are in kernel versions 6.18.22, 6.19.12, and 7.0.
Why this is different from Dirty Cow and Dirty Pipe:
  • No race condition. Deterministic, succeeds every time.
  • No per-distro tuning. Same exploit script works on every tested distribution.
  • No compiled payload. Pure Python standard library.
  • No disk artifacts. Modification lives only in the page cache, reverts on cache eviction or reboot.
  • Container escape primitive. The page cache is shared between containers and host on systems where algif_aead is loaded.
This puts Copy Fail in the rare class of Linux LPE that brokers have historically priced at $500K+ on the gray market. Theori found it with Xint Code, their AI-assisted vulnerability scanner, in roughly one hour of scan time. That detail matters as much as the bug itself.
Defender actions:
  1. Patch the kernel. Distribution-specific updates: AlmaLinux, Ubuntu, Amazon Linux, SUSE, Debian, and Fedora have shipped patched kernels. RHEL was still pending as of May 4. Reboot required.
  2. If patching is delayed, disable algif_aead. Run echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf so the module cannot be autoloaded when a process opens an AF_ALG socket, then unload any already-loaded copy with rmmod algif_aead 2>/dev/null || true. This does not affect dm-crypt, kTLS, IPsec, OpenSSL, GnuTLS, NSS, or SSH. It may affect applications that explicitly use the afalg engine; verify with lsof | grep AF_ALG. One caveat: if algif_aead is compiled into your kernel rather than built as a module (it will be listed in /lib/modules/$(uname -r)/modules.builtin), the modprobe directive has no effect and only the kernel update removes the exposure.
  3. Prioritize Kubernetes nodes and CI/CD runners that execute untrusted code. These are the highest-blast-radius targets.
  4. Detection. Sysdig published a Falco rule for AF_ALG SOCK_SEQPACKET socket creation by unexpected processes. Microsoft Defender XDR has signatures live. If you operate auditd, log socket creation events with type AF_ALG and SOCK_SEQPACKET for the next 30 days.
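Steps 1, 2 and 4 above, as a host triage script. This is an added example, not Theori's or any distribution's tooling. The fixed-release numbers (6.18.22, 6.19.12, 7.0) are the ones the advisory lists; for any other kernel series the version number alone is inconclusive because distributions backport fixes, so the script reports unknown rather than guessing. The inputs are passed in as text so the same checks can run against evidence collected from a fleet; the sample inputs in the test are constructed.

```python
"""Added triage for the Copy Fail mitigation state (not vendor tooling).
Fixed versions per the advisory; AF_ALG = 38 is the Linux address family."""
import platform
import re
from pathlib import Path
from typing import Dict, Optional, Tuple

# Minimum fixed release per stable series, per the advisory. Distro kernels
# backport fixes without bumping these numbers, so other series return None.
FIXED_MINIMUMS = {(6, 18): (6, 18, 22), (6, 19): (6, 19, 12)}

# auditd rule for the detection step: log every AF_ALG socket() call. Filtering
# on a1=5 (SOCK_SEQPACKET) exactly would miss callers that OR in SOCK_CLOEXEC
# or SOCK_NONBLOCK, which Python's socket module does by default.
AUDIT_RULE = "-a always,exit -F arch=b64 -S socket -F a0=38 -k afalg_socket"


def parse_kernel_release(release: str) -> Tuple[int, int, int]:
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release {release!r}")
    return int(m[1]), int(m[2]), int(m[3] or 0)


def kernel_version_fixed(release: str) -> Optional[bool]:
    """True/False when the version number alone is conclusive, None otherwise."""
    major, minor, patch = parse_kernel_release(release)
    if major >= 7:
        return True
    floor = FIXED_MINIMUMS.get((major, minor))
    if floor is None:
        return None
    return (major, minor, patch) >= floor


def algif_aead_loaded(proc_modules: str) -> bool:
    # /proc/modules: "<name> <size> <refcount> <deps> <state> <addr>" per line.
    return any(line.split(" ", 1)[0] == "algif_aead" for line in proc_modules.splitlines())


def algif_aead_builtin(modules_builtin: str) -> bool:
    # modules.builtin lists paths like kernel/crypto/algif_aead.ko; a built-in
    # cannot be unloaded or blocked via modprobe.d, only patched.
    return any(line.strip().endswith("/algif_aead.ko") for line in modules_builtin.splitlines())


def modprobe_blocks_algif(modprobe_conf: str) -> bool:
    # Only an "install" override stops both autoload and an explicit modprobe;
    # a bare "blacklist" line still allows `modprobe algif_aead` to succeed.
    pattern = re.compile(r"^\s*install\s+algif_aead\s+/bin/(false|true)\s*$")
    return any(pattern.match(line) for line in modprobe_conf.splitlines())


def assess(release: str, proc_modules: str, modules_builtin: str, modprobe_conf: str) -> Dict[str, object]:
    fixed = kernel_version_fixed(release)
    loaded = algif_aead_loaded(proc_modules)
    builtin = algif_aead_builtin(modules_builtin)
    blocked = modprobe_blocks_algif(modprobe_conf)
    if fixed:
        verdict = "patched: release is at or above the fixed version"
    elif builtin:
        verdict = "exposed: algif_aead is built in; only a kernel update removes it"
    elif loaded:
        verdict = "exposed: algif_aead loaded" + (" (autoload blocked, rmmod still needed)" if blocked else "")
    elif blocked:
        verdict = "mitigated: module not loaded and autoload blocked; patch and reboot still required"
    else:
        verdict = "exposed: module not loaded now but will autoload on the first AF_ALG socket"
    return {"release": release, "version_fixed": fixed, "loaded": loaded,
            "builtin": builtin, "blocked": blocked, "verdict": verdict}


def _read(path: str) -> str:
    p = Path(path)
    return p.read_text() if p.is_file() else ""


if __name__ == "__main__":
    rel = platform.release()
    conf_dir = Path("/etc/modprobe.d")
    conf = "\n".join(p.read_text() for p in conf_dir.glob("*.conf")) if conf_dir.is_dir() else ""
    for key, value in assess(rel, _read("/proc/modules"), _read(f"/lib/modules/{rel}/modules.builtin"), conf).items():
        print(f"{key}: {value}")
    print("auditd rule:", AUDIT_RULE)
```

Treat a "mitigated" verdict as a stopgap: it only means the module is not resident and cannot be autoloaded, and the kernel still needs the update and a reboot. The auditd rule is deliberately broad (all AF_ALG sockets) because the socket type argument frequently carries flag bits, and AF_ALG use is rare enough on most servers that the extra volume is small.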
MITRE ATT&CK mapping: T1068 (Exploitation for Privilege Escalation), T1611 (Escape to Host, in container scenarios).

CVE-2026-32202: The Windows Shell Spoofing Flaw APT28 Is Chaining

Severity: CVSS 4.3 (Important). On CISA KEV since April 28. Federal deadline May 12 (six days from today).
CVE-2026-32202 is a protection mechanism failure in Microsoft Windows Shell. It exists because the fix for CVE-2026-21510, the zero-day APT28 (Russian state-aligned, also tracked as Fancy Bear) used against Ukrainian and EU targets starting in December 2025, was incomplete; Akamai confirmed the patch incompleteness in late April. A proof-of-concept landed on April 16, and by April 21 defenders had observed the vulnerability inside a multi-stage intrusion chain ending in deployment of the BeigeBurrow tunneling implant.
Microsoft revised the advisory on April 27 to confirm active exploitation. CISA followed within 24 hours. The CVSS score is misleading. Treat this as a confirmed APT vector, not an "Important" rated bug.
Action: Apply the April 14 Windows cumulative update, which carries the Windows Shell fix. Hunt for BeigeBurrow indicators. Block outbound connections from user workstations to non-business proxy infrastructure. Six days remain on the federal deadline.

CVE-2024-1708: ConnectWise ScreenConnect, Two Years Later

Severity: CVSS 8.4 (High). On CISA KEV since April 28. Federal deadline May 12.
A path traversal vulnerability in ConnectWise ScreenConnect, fixed in version 23.9.8 in February 2024. Microsoft attributed the recent exploitation wave to Storm-1175, a China-based threat actor deploying Medusa ransomware. The technique pairs CVE-2024-1708 with CVE-2024-1709 (CVSS 10.0, authentication bypass), giving attackers RCE on unpatched ScreenConnect instances.
If you run ScreenConnect older than 23.9.8 on internet-facing infrastructure, assume Storm-1175 has already mapped you. Rotate credentials and treat the host as compromised until proven otherwise.
Underground context: Initial access broker listings advertising "ScreenConnect access" rose 38 percent in the seven days after Microsoft's Storm-1175 attribution. Listing prices range from $400 to $2,800 depending on downstream MSP customer base size.
Action: Verify ScreenConnect version. Audit MSP relationships for ScreenConnect exposure outside your direct control.

Supply Chain Watch: Mini Shai-Hulud Hits SAP CAP npm Packages

Disclosed: April 29, 2026. Not a CVE. Active malware campaign against the SAP developer ecosystem.
Between 09:55 and 12:14 UTC on April 29, threat actor TeamPCP published malicious versions of four official SAP npm packages: mbt@1.2.48, @cap-js/db-service@2.10.1, @cap-js/postgres@2.2.2, and @cap-js/sqlite@2.2.2. Combined weekly downloads: 500,000+. Window of exposure: roughly two to four hours.
The poisoned packages contain a preinstall hook that fetches a Bun runtime, then executes a credential stealer that targets:
  • GitHub tokens and personal access tokens
  • npm credentials
  • GitHub Actions secrets
  • AWS, Azure, and GCP credentials
  • Kubernetes tokens
  • SSH keys, Claude Code config, MCP config
Stolen secrets are encrypted and exfiltrated to public GitHub repositories created on the victim's own account, each with the description "A Mini Shai-Hulud has Appeared." Within hours, more than 1,800 victim repositories were visible. The malware self-propagates through GitHub Actions workflows.
Why this matters for SAP shops specifically: mbt is the Cloud MTA Build Tool used in SAP build pipelines. Stolen build-time tokens grant access to SAP BTP subaccounts, Cloud Foundry orgs, transport routes, and HANA service keys. CAP is the mainstream framework for custom BTP development. A successful preinstall on a CAP developer's machine yields cloud secrets and source code access for ERP-adjacent systems.
Defender actions:
  1. Audit for compromised package versions in any CI/CD logs, lockfiles, or developer machines between April 29 09:55 UTC and April 29 12:14 UTC.
  2. Rotate all secrets if exposure is confirmed: SSH keys, GitHub and npm tokens, cloud credentials, Claude Code config, MCP config.
  3. Delete malicious GitHub repositories the malware created on victim accounts.
  4. Pin exact npm versions going forward. SAP has explicitly recommended this. Floating ranges (^, ~) turned a two-hour window into a 1,800-victim campaign.
  5. Harden npm OIDC trusted publishers. The initial pipeline compromise exploited an OIDC trusted-publisher rule scoped to an entire repository instead of a specific workflow on a protected branch.
SAP released Security Note 3747787 on April 30 acknowledging the affected packages.
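Steps 1 and 4 above, as an audit script. This is an added example, not SAP's or npm's tooling: it walks a package-lock.json for the four compromised versions named above (including nested copies under other packages' node_modules) and lists package.json dependency specs that are not pinned to an exact version. It assumes the lockfileVersion 2/3 layout (a "packages" map keyed by install path) with a fallback for the v1 "dependencies" tree; the sample package.json and lockfile are constructed, not taken from a real repository.

```python
"""Added audit for the Mini Shai-Hulud package versions and floating ranges
(not SAP's or npm's tooling). Sample files below are constructed."""
import json
import re
from typing import Dict, List, Tuple

COMPROMISED: Dict[str, set] = {
    "mbt": {"1.2.48"},
    "@cap-js/db-service": {"2.10.1"},
    "@cap-js/postgres": {"2.2.2"},
    "@cap-js/sqlite": {"2.2.2"},
}
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")


def installed_packages(lock: dict) -> List[Tuple[str, str]]:
    """(name, version) pairs for every installed package, nested copies included."""
    found: List[Tuple[str, str]] = []
    packages = lock.get("packages")
    if isinstance(packages, dict):          # lockfileVersion 2 or 3
        for path, entry in packages.items():
            if not path or "version" not in entry:
                continue                     # "" is the root project entry
            # Install path ends in the package name: node_modules/a/node_modules/@s/b -> @s/b
            name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
            found.append((name, entry["version"]))
        return found

    def walk(tree: dict) -> None:            # lockfileVersion 1
        for name, entry in tree.items():
            if "version" in entry:
                found.append((name, entry["version"]))
            walk(entry.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return found


def find_compromised(lock: dict) -> List[Tuple[str, str]]:
    return sorted({(n, v) for n, v in installed_packages(lock) if v in COMPROMISED.get(n, set())})


def floating_ranges(package_json: dict) -> Dict[str, str]:
    """Dependency specs that are not exact versions (^, ~, x-ranges, tags, URLs)."""
    loose: Dict[str, str] = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in package_json.get(section, {}).items():
            if not EXACT_VERSION.match(spec):
                loose[name] = spec
    return loose


SAMPLE_PACKAGE_JSON = """{
  "name": "constructed-cap-app",
  "dependencies": {"@cap-js/sqlite": "^2.2.0", "@sap/cds": "9.1.0", "mbt": "~1.2.40"},
  "devDependencies": {"@cap-js/postgres": "2.2.1"}
}"""

SAMPLE_LOCK = """{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "constructed-cap-app"},
    "node_modules/@cap-js/sqlite": {"version": "2.2.2"},
    "node_modules/@cap-js/postgres": {"version": "2.2.1"},
    "node_modules/@sap/cds": {"version": "9.1.0"},
    "node_modules/mbt": {"version": "1.2.48"},
    "node_modules/@sap/cds/node_modules/@cap-js/db-service": {"version": "2.10.0"}
  }
}"""

if __name__ == "__main__":
    print("compromised versions installed:", find_compromised(json.loads(SAMPLE_LOCK)))
    print("floating ranges to pin:", floating_ranges(json.loads(SAMPLE_PACKAGE_JSON)))
```

Two notes on the hardening step. Pinning in package.json only controls direct dependencies; commit the lockfile and install with npm ci so transitive versions are frozen too. And because this campaign ran from a preinstall hook, CI installs with npm ci --ignore-scripts (or ignore-scripts=true in .npmrc) would not have executed the stealer at all, at the cost of having to run any legitimate build scripts explicitly.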

CVE-2026-33824 and CVE-2026-32201: Microsoft Critical RCEs Still in Play

CVE-2026-33824 (Windows IKE Service, CVSS 9.8). Pre-authentication remote code execution via crafted UDP packets to ports 500 or 4500 on systems with IKE version 2 enabled. No public exploit yet. Similar network-stack bugs, such as the related CVE-2026-33827 (a race condition in Windows TCP/IP, wormable on IPv6 + IPsec), have been weaponized at Pwn2Own and turned into reliable exploits within weeks. Action: Apply the April 14 cumulative update on all Windows servers. If patching is delayed, block UDP 500 and 4500 at the perimeter for hosts that do not need IKE-based VPN.
CVE-2026-32201 (SharePoint Server, CVSS 6.5). The Patch Tuesday zero-day from April 14, still being exploited 22 days later. Affects SharePoint Server 2016, 2019, and Subscription Edition, including hybrid Microsoft 365. Action: Confirm April 14 patches deployed across all SharePoint farms including hybrid. Review authentication logs for unusual impersonation patterns since April 14.

CVE-2026-27681: The SAP SQL Injection Hiding in Plain Sight

Severity: CVSS 9.9 (Critical). Patched April 8. No confirmed exploitation as of May 6.
A low-privileged user uploads a file containing arbitrary SQL that runs against SAP Business Planning and Consolidation (BPC) and Business Warehouse (BW) databases. Onapsis and Pathlock independently flagged it as a credible path to data theft and business disruption (manipulated planning figures, deleted consolidation data). No public reports of in-the-wild exploitation as of today, but the CVSS 9.9 score and low attack complexity make it likely to appear on KEV within 30 to 60 days based on historical SAP patterns.
Action: Apply the SAP Security Note covering CVE-2026-27681 from the April 8 Patch Day and the accompanying BPC/BW patches. Audit recent file uploads to BW/BPC interfaces. Restrict SQL upload functions to authorized roles only.

Underground Context: Week Ending May 6, 2026

Across three Russian and English-language forums monitored by Scrutex Threat Insights, the past seven days saw:
  • Active trading of "fresh cPanel root" listings, with asking prices spanning $150 (single shared host) to $12,000 (~50K-account hosting provider). Listings spiked April 29-30 in correlation with the watchTowr PoC release
  • Three forum threads sharing modified Copy Fail (CVE-2026-31431) variants targeting specific RHEL minor versions while RHEL patches remained pending
  • Continued solicitation for "ScreenConnect access" listings, up another 22 percent week-over-week
  • Two posts referencing Mini Shai-Hulud token harvests being repackaged for resale, with attackers offering "fresh GitHub Actions secrets" sets
  • One commission-based offer to weaponize CVE-2026-33824 (Windows IKE) within 30 days of public PoC release
Confidence: medium. Indicators are consistent with normal post-disclosure weaponization cycles. Attribution to specific actors remains preliminary outside Microsoft's Storm-1175 attribution and CERT-UA's APT28 reporting.

Key Takeaways

  • The cPanel CVE-2026-41940 federal deadline passed May 3. Mass exploitation is confirmed and ongoing. Treat any internet-exposed cPanel server unpatched on April 29 as assumed-breach until proven otherwise.
  • Copy Fail (CVE-2026-31431) is the rare universal Linux LPE that works deterministically across every distribution since 2017. Patch all kernels. If patching is delayed, disable algif_aead.
  • Two KEV deadlines hit May 12: CVE-2026-32202 (Windows Shell, APT28) and CVE-2024-1708 (ConnectWise, Storm-1175). Copy Fail (CVE-2026-31431) follows on May 15. CVE-2026-33824 (Windows IKE) is not on KEV yet but ships in the same April 14 cumulative update. Six days remain to the first pair.
  • Mini Shai-Hulud is a wake-up for SAP shops on Node.js hygiene. Pin npm versions. Audit OIDC trusted publishers. Rotate secrets if exposure is suspected.
  • Underground chatter on five of these vulnerabilities is materially up week-over-week.
If you operate external-facing infrastructure across cPanel, Linux servers, Windows, ConnectWise, or SAP, your patch sequencing for the next seven days should follow the priority order above.

Frequently Asked Questions

My organization missed the cPanel May 3 deadline. What now?

Patch immediately and assume breach for any cPanel host that was internet-exposed on April 29 or later. Run cPanel's updated detection script (May 3 version), inspect /var/cpanel/sessions/raw/ for the indicator markers (user=root, hasroot=1, tfa_verified=1, successful_internal_auth_with_timestamp, multiple pass= lines), and audit cpsrvd access logs back to February 23, 2026. The federal deadline being passed does not change the technical remediation. It just makes the situation harder to defend in any compliance review.

Is Copy Fail (CVE-2026-31431) remotely exploitable?

No, not directly. Copy Fail is a local privilege escalation. It requires a foothold first (web RCE in an unprivileged service account, an SSH login, a malicious CI job, a container compromise). Once that foothold exists, Copy Fail escalates to root in seconds. The danger is the chain: any unauthenticated RCE that lands you as nobody or www-data becomes a root compromise the moment Copy Fail runs. Treat all Linux kernel patching for this CVE as urgent regardless of the absence of remote exploitability.

What are the CISA KEV deadlines for the CVEs in this radar?

Three different deadlines. CVE-2026-41940 (cPanel) was May 3 (passed). CVE-2026-32202 (Windows Shell) and CVE-2024-1708 (ConnectWise) are May 12. CVE-2026-31431 (Copy Fail) is May 15. All under CISA Binding Operational Directive 22-01.

We use SAP CAP. How do we know if Mini Shai-Hulud hit us?

Check CI/CD logs, lockfiles, and developer machine npm caches for the four compromised package versions (mbt@1.2.48, @cap-js/db-service@2.10.1, @cap-js/postgres@2.2.2, @cap-js/sqlite@2.2.2) installed between April 29 09:55 UTC and 12:14 UTC. If exposure is confirmed, assume credentials are stolen. Rotate everything: SSH keys, GitHub and npm tokens, cloud credentials, Claude Code config, MCP config. Delete any GitHub repositories the malware created on developer accounts.

What is the longest the cPanel zero-day was being exploited before the patch?

At least 64 days. KnownHost confirmed in-the-wild exploitation as early as February 23, 2026. The patch shipped April 28. According to webhosting.today reporting, the vulnerability was reported to cPanel about two weeks before the public advisory, and the initial vendor response was that nothing was wrong. The disclosure timeline is one of the more uncomfortable aspects of this incident.
