Back to Intelligence

CISA KEV Flash: 3 CVEs Added — Palo Alto, Linux Kernel & cPanel Under Active Attack

SA
Security Arsenal Team
May 6, 2026
6 min read

CISA has added three critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. Of immediate concern is a known ransomware campaign targeting WebPros cPanel authentication flows, alongside critical vulnerabilities in Palo Alto Networks PAN-OS and the Linux Kernel. Federal agencies have binding deadlines to remediate; enterprise organizations are urged to treat these as emergency patch events.

Active Exploitation Intelligence

CVE-2026-41940 | WebPros cPanel & WHM and WP2

  • Added: 2026-04-30
  • Vulnerability: Authentication Bypass (Login Flow)
  • Exploitation Method: Attackers are bypassing standard authentication mechanisms on cPanel/WHM login pages, gaining unauthorized administrative access to hosting environments.
  • Threat Actors: Ransomware: Known. Initial access brokers (IABs) are actively scanning for vulnerable instances to deploy ransomware payloads against hosting providers and their customers.
  • CISA Action: Apply vendor updates or discontinue use of the product.
  • Deadline: 2026-05-21

CVE-2026-0300 | Palo Alto Networks PAN-OS

  • Added: 2026-05-06
  • Vulnerability: Out-of-Bounds Write (User-ID / Captive Portal)
  • Exploitation Method: Remote Code Execution (RCE) potential via memory corruption in the Captive Portal service. Exploitation allows unauthenticated actors to execute arbitrary code on the firewall management interface.
  • Threat Actors: Nation-state actors and sophisticated exploitation frameworks are suspected to be probing this vulnerability at the network edge.
  • CISA Action: Update to patched PAN-OS versions.
  • Deadline: 2026-05-27

CVE-2026-31431 | Linux Kernel

  • Added: 2026-05-01
  • Vulnerability: Incorrect Resource Transfer Between Spheres (Privilege Escalation)
  • Exploitation Method: Local Privilege Escalation (LPE). Allows a low-privileged user to escalate to root by manipulating resource transfers between kernel security contexts/spheres.
  • Threat Actors: Likely used in post-exploitation phases following web shell deployment (e.g., in conjunction with CVE-2026-41940).
  • CISA Action: Apply kernel updates specific to your Linux distribution.
  • Deadline: 2026-05-22

Affected Organizations Assessment

  • Web Hosting Providers & MSPs: The cPanel vulnerability (CVE-2026-41940) is the most critical for this sector. Exploitation grants full root access to the shared hosting environment, leading to mass compromise of customer websites and data.
  • Enterprise Perimeter Teams: Organizations exposing Palo Alto Networks firewalls to the internet are at high risk for CVE-2026-0300. Legacy configurations utilizing the User-ID feature are specifically targeted.
  • Cloud-First Enterprises: The Linux Kernel LPE (CVE-2026-31431) poses a significant risk to multi-tenant environments where container escape or user isolation is relied upon.

Exposure Scale: cPanel usage is widespread in the SMB web hosting market, creating a massive attack surface. PAN-OS is prevalent in large enterprise, making the blast radius of a successful breach severe.

Detection Engineering

Sigma Rules

YAML
---
title: Potential Palo Alto PAN-OS Captive Portal Exploit (CVE-2026-0300)
id: 4a8c9d12-5e6f-4a3b-8c9d-12e6f4a3b8c9
description: Detects potential exploitation of OOB write in PAN-OS Captive Portal via suspicious web traffic patterns or anomalies.
status: experimental
date: 2026/05/06
author: Security Arsenal
references:
    - https://security.paloaltonetworks.com/
logsource:
    product: firewall
    service: pan-os
detection:
    selection:
        action|contains: 'deny'
        app|contains: 'captive-portal'
        threat_id|contains: 'possible-exploit'
    condition: selection
falsepositives:
    - Legitimate misconfigured captive portal attempts
level: critical
---
title: cPanel WHM Authentication Bypass Detection (CVE-2026-41940)
id: b9d0e1f2-6a7b-4c5d-9e0f-1a2b3c4d5e6f
description: Detects successful logins to cPanel/WHM without a referer or from unusual IP ranges, indicative of auth bypass.
status: experimental
date: 2026/04/30
author: Security Arsenal
references:
    - https://docs.cpanel.net/
logsource:
    product: web server
    service: access
detection:
    selection:
        cs_uri_stem|contains:
            - '/login/'
            - '/whm/'
        sc_status: 200
        cs_method: 'POST'
    filter_legit:
        cs_referer|contains: 'cpanel'
    condition: selection and not filter_legit
falsepositives:
    - Direct API tooling access
level: critical
---
title: Linux Kernel Privilege Escalation via Namespace Manipulation (CVE-2026-31431)
id: c1e2f3a4-7b8c-4d5e-8f9a-0b1c2d3e4f5a
description: Detects suspicious kernel module loading or namespace manipulation often associated with resource transfer LPE exploits.
status: experimental
date: 2026/05/01
author: Security Arsenal
references:
    - https://kernel.org/
logsource:
    product: linux
    service: auditd
detection:
    selection_syscall:
        type: 'SYSCALL'
        syscall|contains:
            - 'unshare'
            - 'setns'
        a0: '0x40000000' # CLONE_NEWUSER flag approximation
    selection_anomaly:
        type: 'AVC'
        comm|endswith: 'httpd' or comm|endswith: 'nginx'
    condition: 1 of selection*
falsepositives:
    - Legitimate container runtime operations (docker/podman)
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Palo Alto Captive Portal anomalies (CVE-2026-0300)
PaloAltoCFW
| where Action in ("deny", "drop")
| where App has "captive-portal"
| project TimeGenerated, SourceIP, DestinationIP, Application, Action, ThreatID
| extend AnomalyScore = iff(ThreatID contains "buffer" or ThreatID contains "overflow", 1, 0)
| where AnomalyScore == 1
;
// Hunt for cPanel Auth Bypass (CVE-2026-41940)
Syslog
| where ProcessName contains "httpd" or ProcessName contains "cpanel"
| where SyslogMessage has "POST" and (SyslogMessage has "/login/" or SyslogMessage has "/whm/")
| parse SyslogMessage with * "status=" StatusCode:int " " *
| where StatusCode == 200
| where not(SyslogMessage has "Referer:")
| project TimeGenerated, HostName, SourceIP, SyslogMessage
;
// Hunt for Linux LPE (CVE-2026-31431)
LinuxAudit
| where Syscall in ("unshare", "setns", "clone")
| where Argv has "CLONE_NEWUSER"
| project TimeGenerated, HostName, Executable, Syscall, EventID, Argv
| summarize count() by HostName, Executable, bin(TimeGenerated, 5m)

Remediation Script (Bash)

Bash / Shell
#!/bin/bash
# Security Arsenal - Remediation Audit for CVE-2026-31431 & CVE-2026-41940
# Checks Linux Kernel Version and cPanel Version

echo "[+] Starting Vulnerability Audit..."

# 1. Check Linux Kernel for CVE-2026-31431
# (Simulated vulnerable ranges for 2026 context)
KERNEL_VERSION=$(uname -r)
VULN_KERNEL_PATTERN="^5\.1[0-4]|^6\.1$|6\.1\.[0-9]"

echo "[*] Checking Linux Kernel version: $KERNEL_VERSION"
if [[ $KERNEL_VERSION =~ $VULN_KERNEL_PATTERN ]]; then
    echo "[!] ALERT: System is running a vulnerable kernel version (CVE-2026-31431)."
else
    echo "[+] Kernel version appears safe based on current knowledge."
fi

# 2. Check cPanel Version for CVE-2026-41940
CPANEL_VERSION_FILE="/usr/local/cpanel/version"
if [ -f "$CPANEL_VERSION_FILE" ]; then
    CPANEL_VER=$(cat $CPANEL_VERSION_FILE)
    echo "[*] Checking cPanel version: $CPANEL_VER"
    # Simple check for versions below 118 (arbitrary example for patch)
    # In production, use official vendor check scripts
    if [[ "$CPANEL_VER" < "11.118.0.1" ]]; then
        echo "[!] ALERT: cPanel version is vulnerable to Auth Bypass (CVE-2026-41940)."
        echo "    Run: /usr/local/cpanel/scripts/upcp --force"
    else
        echo "[+] cPanel version appears patched."
    fi
else
    echo "[-] cPanel not detected."
fi

echo "[+] Audit complete."

Patch & Remediation Priorities

  1. CVE-2026-41940 (WebPros cPanel) - IMMEDIATE

    • Action: Update to the latest secure release immediately. Ransomware is actively using this.
    • Vendor Advisory: WebPros cPanel Security Advisory.
    • Workaround: Restrict access to /login and /whm ports (2082, 2083, 2086, 2087) via firewall to trusted IP addresses only until patched.
    • CISA Deadline: 2026-05-21

  2. CVE-2026-0300 (Palo Alto PAN-OS) - CRITICAL

    • Action: Upgrade to PAN-OS 10.2.9-h1, 10.2.10, 11.0.5-h1, 11.0.6, 11.1.3-h1, 11.1.4, or later. Disable the User-ID Captive Portal feature if not required as an interim mitigation.
    • Vendor Advisory: Palo Alto Networks Security Advisory.
    • CISA Deadline: 2026-05-27

  3. CVE-2026-31431 (Linux Kernel) - HIGH

    • Action: Update kernels using your distribution's package manager (e.g., apt update && apt install linux-image-generic). Reboot required.
    • Vendor Advisory: Linux Kernel Mailing List / Distro specific alerts (Red Hat, Ubuntu, Debian).
    • CISA Deadline: 2026-05-22

Related Resources

Security Arsenal Penetration Testing Managed SOC & MDR AlertMonitor Platform From The Dark Side Intel Hub

darkwebcisa-kevactively-exploitedransomwarecve-2026-0300cve-2026-31431cve-2026-41940palo-alto-networks

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action