Active Exploitation of cPanel and Linux Kernel Vulnerabilities Sparks Security Alert
A critical authentication bypass flaw in cPanel and a high-reliability Linux kernel privilege escalation bug are both being actively exploited in the wild, prompting urgent warnings from security researchers and CISA.

A critical vulnerability in cPanel and WebHost Manager (WHM), tracked as CVE-2026-41940, is currently under active exploitation in the wild. The flaw allows for an authentication bypass, enabling remote attackers to gain elevated control over the affected control panels. In some instances, the impact has been severe, resulting in the complete deletion of websites and backups, while other campaigns have utilized the vulnerability to deploy Mirai botnet variants and a ransomware strain known as Sorry (The Hacker News).
The exploitation of CVE-2026-41940 represents a significant security risk for hosting environments, as it provides attackers with unauthorized administrative access. By bypassing authentication mechanisms, threat actors can manipulate server configurations and data, effectively turning control panels into tools for malicious activity. The observed deployment of botnets and ransomware highlights the diverse and destructive objectives of the attackers targeting this specific flaw (The Hacker News).
In addition to the cPanel threat, the cybersecurity landscape is grappling with a high-impact Linux kernel vulnerability, CVE-2026-31431, which has been added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog. This logic bug, located in the kernel's authentication cryptographic template, allows for trivial privilege escalation. The exploit is reportedly 100% reliable and can be triggered using a 732-byte Python-based script (The Hacker News).
The vulnerability, often referred to as "Copy Fail," stems from a 2017 kernel update intended to optimize data encryption, meaning all major Linux distributions released since that year are potentially affected. Because the exploit operates entirely in memory, it leaves no traces on the disk, complicating detection efforts. Furthermore, the flaw enables container escape from any pod within a Kubernetes cluster, posing a severe risk to cloud-native environments (The Hacker News).
These developments underscore a broader trend where attackers are increasingly focused on exploiting foundational infrastructure and supply chain components. As cybercrime groups refine their tactics—ranging from vishing-based SaaS environment compromises to the exploitation of kernel-level logic bugs—organizations face a shifting threat landscape where the speed of exploitation often outpaces traditional patching cycles. Security teams are urged to prioritize updates for both cPanel/WHM and Linux kernel distributions to mitigate these active threats (The Hacker News).