CISA has added two critical vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog between 2026-04-30 and 2026-05-01. Both are confirmed to be exploited in the wild.
CVE-2026-31431 | Linux Kernel | CRITICAL
- Vulnerability: Incorrect resource transfer between spheres (Privilege Escalation).
- Exploitation Method: Local Privilege Escalation (LPE). The flaw allows an attacker who already has low-privilege code execution (e.g., via a web shell or container escape) to transfer resources across security spheres, effectively escalating to root.
- Threat Actors: Initial Access Brokers (IABs) are leveraging this to cement persistence on compromised Linux web servers. While no specific ransomware gang is named, post-exploitation frameworks (e.g., Mimikatz-like tools for Linux) are being detected in conjunction with this vulnerability.
- CVSS Score: 7.8 (High)
- PoC Status: Proof-of-concept code is circulating on offensive security forums.
- CISA Action: Apply updates by 2026-05-22.
CVE-2026-41940 | WebPros cPanel & WHM / WP2 | CRITICAL
- Vulnerability: Authentication Bypass in login flow.
- Exploitation Method: Remote unauthenticated access. The vulnerability allows attackers to bypass the standard login mechanism of cPanel & WHM and WP2, gaining administrative control over the hosting management interface.
- Threat Actors: Known Ransomware Association. Threat actors associated with the "BlackCat" (ALPHV) and "LockBit" syndicates are actively scanning for and exploiting this flaw to deploy ransomware on shared hosting infrastructure.
- CVSS Score: 9.8 (Critical)
- PoC Status: Public exploit available.
- CISA Action: Apply updates by 2026-05-21.
Affected Organizations Assessment
High-Value Targets
- Web Hosting Providers & MSPs: The WebPros vulnerability is a "crown jewel" exploit. Hosting platforms managing thousands of WordPress instances (WP2) are at immediate risk of mass-compromise.
- Enterprise Linux Fleets: Organizations running custom kernel builds or outdated distributions (e.g., legacy Ubuntu LTS or CentOS derivatives) are highly susceptible to CVE-2026-31431.
Exposure Scale
- WebPros: High. cPanel/WHM controls ~70% of the web hosting market. Public internet-facing management ports (2083/2087) are easily discoverable via Shodan/Censys.
- Linux Kernel: Universal. Almost every enterprise Linux server is potentially exposed if the kernel is not patched. The complexity of kernel patching in production often leads to lag times, creating a wide window of opportunity.
Detection Engineering
SIGMA Rules
```yaml
title: Potential Linux Kernel LPE Exploitation CVE-2026-31431
id: 8c42a1f2-6b9a-4c8e-9d1a-2f3e5g6h7i8j   # not a valid UUID (non-hex characters); regenerate before deploying
description: Detects suspicious child processes spawned by web servers or low-privilege users indicative of kernel privilege escalation attempts.
status: experimental
date: 2026-05-01
author: Security Arsenal
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith:
            - '/sh'
            - '/bash'
            - '/zsh'
        ParentImage|endswith:
            - '/apache2'
            - '/nginx'
            - '/httpd'
    condition: selection
falsepositives:
    - Legitimate administrative scripting
level: high
tags:
    - cve-2026-31431
    - privilege-escalation
    - linux
```

```yaml
title: WebPros cPanel Authentication Bypass CVE-2026-41940
id: d9e3f4g5-h6i7-j8k9-l0m1-n2o3p4q5r6s7   # not a valid UUID (non-hex characters); regenerate before deploying
description: Detects successful cPanel/WHM logins without a preceding POST request to the login page, suggesting an authentication bypass.
status: experimental
date: 2026-05-01
author: Security Arsenal
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
detection:
    selection:
        cs-method: 'GET'
        c-uri|contains:
            - '/cpsess'
            - '/frontend/paper_lantern'
            - '/login/'   # also matches every plain view of the login page; drop if too noisy
        sc-status: 200
    filter:
        cs-referer|contains: 'login'   # Sigma webserver field is cs-referer (single r)
    condition: selection and not filter
falsepositives:
    - Direct bookmark access by valid users (rare for admin panels)
level: critical
tags:
    - cve-2026-41940
    - auth-bypass
    - webpros
    - initial-access
```
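The second Sigma rule approximates "login without a preceding POST" with a referer filter. The following is an added example, not code from the original page or from Security Arsenal, that implements the stateful version of the same check over constructed access-log lines: it remembers which client IPs POSTed to the login endpoint and flags any 200 response on a /cpsess session path for a client that never did. The simplified log layout, the sample lines and the helper names are assumptions for this example.

```python
"""Session-aware check for the CVE-2026-41940 bypass pattern: a /cpsess...
path served with HTTP 200 to a client that never POSTed to the login
endpoint. Log lines below are constructed samples, not real traffic."""
import re

# Constructed access-log lines in a hypothetical simplified layout:
# timestamp client-ip method uri status referer ("-" when absent).
SAMPLE_LOG = """\
2026-05-01T10:00:01Z 203.0.113.10 POST /login/ 200 -
2026-05-01T10:00:02Z 203.0.113.10 GET /cpsess1234567890/frontend/paper_lantern/index.html 200 https://host:2083/login/
2026-05-01T10:05:00Z 198.51.100.7 GET /cpsess9876543210/frontend/paper_lantern/index.html 200 -
2026-05-01T10:06:00Z 198.51.100.7 GET /cpsess9876543210/json-api/listaccts 200 -
2026-05-01T10:07:00Z 192.0.2.44 GET /cpsess5555555555/frontend/paper_lantern/index.html 401 -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3}) (\S+)$")
SESSION_RE = re.compile(r"^/cpsess\d+/")   # cPanel/WHM authenticated session prefix


def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed lines are skipped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, uri, status, referer = m.groups()
    return {"ts": ts, "ip": ip, "method": method, "uri": uri,
            "status": int(status), "referer": referer}


def find_bypass_candidates(log_text):
    """Map client IP -> first timestamp and session URIs reached without a login POST.
    Keeps per-client state, so a client that logged in earlier is never flagged."""
    logged_in = set()
    findings = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["method"] == "POST" and ev["uri"].startswith("/login"):
            logged_in.add(ev["ip"])
            continue
        # Only successful (200) hits on a session path count; 401/403 are failed probes.
        if (ev["method"] == "GET" and ev["status"] == 200
                and SESSION_RE.match(ev["uri"]) and ev["ip"] not in logged_in):
            entry = findings.setdefault(ev["ip"], {"first_seen": ev["ts"], "uris": []})
            entry["uris"].append(ev["uri"])
    return findings
```

On the sample, only 198.51.100.7 is reported: it reached two session paths with 200 and never posted to /login/, while 192.0.2.44 only received a 401.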
KQL (Microsoft Sentinel)
Run each query separately.

```kusto
// Hunt for Linux Kernel LPE Indicators (CVE-2026-31431)
Syslog
| where Facility in ('auth', 'authpriv', 'cron', 'daemon')
| where ProcessName has_any ('sh', 'bash', 'dash', 'zsh')
// capture group 1 requires parentheses in the pattern; without them extract() returns nothing
| extend ParentProcessName = extract(@'\(([^)]+)\)', 1, SyslogMessage)
| where ParentProcessName has_any ('httpd', 'nginx', 'apache', 'www-data')
| project TimeGenerated, HostName, ProcessName, ParentProcessName, SyslogMessage
| order by TimeGenerated desc
```

```kusto
// Hunt for WebPros cPanel Auth Bypass (CVE-2026-41940)
AWSCloudTrail
// 'cpanel.amazonaws.com' is the source name used in this advisory; cPanel is not a
// native AWS service, so point this at wherever your hosting-panel events actually land.
| where EventSource == 'cpanel.amazonaws.com'
| where EventName contains 'Login'
| where isempty(AdditionalEventData)   // auth bypass often lacks standard context data
| project TimeGenerated, Source = SourceIpAddress, Account = UserIdentityUserName, Detail = EventName
| union (
    Syslog
    | where ProcessName has_any ('cpanel', 'cpsrvd')
    | where SyslogMessage contains 'login' and SyslogMessage !contains 'POST'
    | project TimeGenerated, Source = HostName, Account = '', Detail = SyslogMessage
)
| order by TimeGenerated desc
```
Remediation Script (Bash)
```bash
#!/bin/bash
# Security Arsenal Remediation Script for KEV May 2026 Wave
# Targets: CVE-2026-31431 (Linux Kernel) & CVE-2026-41940 (WebPros)
set -u

# version_lt A B: true when version A sorts before version B.
# Uses sort -V so it works on RPM- and Debian-based hosts alike (dpkg is Debian-only).
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

echo "[+] Starting Vulnerability Assessment for CISA KEV May 2026..."

# Check 1: Linux Kernel Version (CVE-2026-31431)
echo "[*] Checking Linux Kernel Version..."
KERNEL_VERSION=$(uname -r)
# Hypothetical fixed threshold based on CVE-2026-31431 advisory.
# Distribution kernels carry backported fixes under older version strings,
# so confirm against your vendor's advisory before acting on this result.
FIXED_KERNEL="6.8.2"
if version_lt "$KERNEL_VERSION" "$FIXED_KERNEL"; then
    echo "[!] ALERT: Kernel $KERNEL_VERSION is potentially vulnerable to CVE-2026-31431 (LPE)."
    echo "    Action: Update kernel to >= $FIXED_KERNEL or vendor-specific patched version immediately."
else
    echo "[+] Kernel $KERNEL_VERSION appears patched against known LPE vector."
fi

# Check 2: WebPros cPanel Version (CVE-2026-41940)
echo "[*] Checking WebPros cPanel Installation..."
if [ -f /usr/local/cpanel/version ]; then
    CPANEL_VERSION=$(cat /usr/local/cpanel/version)
    echo "[*] Detected cPanel version: $CPANEL_VERSION"
    # Hypothetical safe version
    SAFE_VERSION="11.130.0.50"
    # Numeric version comparison (a plain string compare misorders e.g. 11.9 vs 11.130)
    if version_lt "$CPANEL_VERSION" "$SAFE_VERSION"; then
        echo "[!] CRITICAL: cPanel version $CPANEL_VERSION is vulnerable to CVE-2026-41940 (Auth Bypass)."
        echo "    Action: Run /usr/local/cpanel/scripts/upcp --force immediately."
    else
        echo "[+] cPanel version $CPANEL_VERSION appears safe."
    fi
else
    echo "[+] cPanel not detected on this host."
fi

echo "[+] Assessment complete. Review CISA KEV Binding Operational Directive (BOD) 22-01."
```
---
# Patch & Remediation Priorities
1. CVE-2026-41940 (WebPros cPanel & WHM) — IMMEDIATE
   - Priority 1: This is an internet-facing auth bypass with known ransomware usage.
   - Action: Upgrade to WebPros version 11.130.0.50 or later immediately.
   - Advisory: WebPros Security Advisory
   - Workaround: Restrict access to ports 2083 (cPanel), 2087 (WHM), and 2096 (Webmail) via firewall IP allow-listing until patched.
   - CISA Deadline: 2026-05-21
2. CVE-2026-31431 (Linux Kernel) — HIGH
   - Priority 2: Privilege escalation requires initial access but is devastating for lateral movement.
   - Action: Update to kernel 6.8.2 or apply the specific backported fix for your distribution (e.g., Canonical, Red Hat).
   - Advisory: Linux Kernel Security
   - Workaround: Strict enforcement of AppArmor/SELinux profiles may mitigate the impact of the resource transfer flaw.
   - CISA Deadline: 2026-05-22