CopyFail, Unauthenticated RCE, and the Threats Your Linux Server Is Facing Right Now

Threats & Attacks

Two vulnerability stories broke in the last 24 hours. One has been hiding in plain sight since 2017. The other requires zero authentication to exploit. Both affect infrastructure that UK small businesses either run directly or depend on through managed service providers.

Neither requires a nation-state attacker. They require an unpatched system and an attacker who reads the same security feeds your MSP should be reading.

Story One: CopyFail (CVE-2026-31431)

On 30 April 2026, security firm Theori published details of a local privilege escalation vulnerability they named CopyFail. The CVE identifier is CVE-2026-31431.

The plain English version: any unprivileged user who already has a local account on a vulnerable Linux system can escalate their permissions to root. Root means complete control. Root means they can read every file, modify every configuration, install anything, and cover their tracks.

The vulnerability is a logic error in the Linux kernel’s copy_file_range system call. It has been present in virtually every major Linux distribution released since 2017. Debian, Ubuntu, and SUSE have all confirmed the vulnerability and published patches. Public exploit code is now circulating. The window between “published” and “actively exploited in the wild” is closing.

Ars Technica describes this as “the most severe Linux threat to surface in years.”

Who this affects in practice:

Multi-tenant servers. Shared hosting environments. Container hosts and cloud virtual machines where several workloads share one kernel. CI/CD pipeline runners that execute other people’s build scripts. Any Linux system where more than one user, or more than one application, has local access. Remember that “local access” includes an attacker who has already got a foothold through a web shell, a stolen SSH key, or a compromised build job; this bug is what turns that foothold into root.

For UK small businesses, the most common exposure is indirect: your MSP manages Linux servers on your behalf, or your website runs on shared Linux hosting, or your cloud infrastructure uses Linux virtual machines under the hood. You may not even know Linux is in your stack. That does not make you immune.

What the patch situation looks like:

Patches exist. Debian, Ubuntu, and SUSE have published fixes. The question is not whether the patch is available. The question is whether your systems have it applied.

This is the gap that costs businesses. The vulnerability is fixed in the repository. It is not fixed on your server until someone installs the update and, because this is a kernel fix, reboots into the new kernel (or applies it through a live-patching service). A host that shows the patched package as installed but is still running the old kernel is still vulnerable.
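Because the gap in practice is between “package installed” and “patched kernel running”, here is a small check script that settles the question on a Debian or Ubuntu host and writes one line of evidence for the patch log described further down. This is an added example, not code from Theori or from any distribution. It assumes a dpkg-based host, and that you copy the fixed kernel package version from the relevant Ubuntu Security Notice or Debian tracker entry and pass it as the first argument (no version is hard-coded here because the advisory is the only authoritative source). The version comparison is a numeric-field simplification of dpkg --compare-versions, and the function and file names are this example’s own.

```shell
#!/bin/sh
# Added example: confirm a Debian/Ubuntu host is really running a patched
# kernel and emit one CSV line for the patch-confirmation log.
# Assumptions (not from the advisory): the host uses dpkg, and the fixed
# kernel *package* version from your distribution's advisory is given as $1.
# version_cmp is a numeric-field simplification of `dpkg --compare-versions`:
# fine for versions like 6.8.0-55.57 or 6.1.128-1, not for '~' or letters.

# version_cmp A B: prints 1 if A > B, -1 if A < B, 0 if equal.
version_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, /[^0-9]+/); nb = split(b, B, /[^0-9]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x > y) { print 1; exit }
            if (x < y) { print -1; exit }
        }
        print 0
    }'
}

# patch_status FIXED RUNNING_PKG NEWEST_PKG
# RUNNING_PKG is the version of the package providing the running kernel,
# NEWEST_PKG the newest kernel image installed on disk. Prints one of
# PATCHED, REBOOT_REQUIRED, UNPATCHED, UNKNOWN.
patch_status() {
    fixed="$1"; running_pkg="$2"; newest_pkg="$3"
    if [ -z "$running_pkg" ]; then
        echo UNKNOWN
    elif [ "$(version_cmp "$running_pkg" "$fixed")" -ge 0 ]; then
        echo PATCHED
    elif [ -n "$newest_pkg" ] && [ "$(version_cmp "$newest_pkg" "$fixed")" -ge 0 ]; then
        echo REBOOT_REQUIRED   # fix installed, but the old kernel is still running
    else
        echo UNPATCHED
    fi
}

# evidence_line HOST CVE KERNEL PKGVERSION STATUS: one CSV row, UTC timestamp.
evidence_line() {
    printf '%s,%s,%s,%s,%s,%s\n' "$1" "$2" "$3" "$4" "$5" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
}

# check_kernel_patch FIXED [CVE]: gather the live facts, print the evidence
# line, and exit 0 only when the running kernel is at or above FIXED.
check_kernel_patch() {
    fixed="$1"; cve="${2:-CVE-2026-31431}"
    command -v dpkg-query >/dev/null 2>&1 || {
        echo "dpkg-query not found; not a Debian-family host" >&2; return 2; }
    running="$(uname -r)"
    # Version of the package that provides the kernel we are running right now.
    running_pkg="$(dpkg-query -W -f='${Version}' "linux-image-$running" 2>/dev/null || true)"
    # Newest kernel image on disk; if it is newer than running_pkg, a reboot is pending.
    newest_pkg=""
    for v in $(dpkg-query -W -f='${Version}\n' 'linux-image-[0-9]*' 2>/dev/null); do
        if [ -z "$newest_pkg" ] || [ "$(version_cmp "$v" "$newest_pkg")" -gt 0 ]; then
            newest_pkg="$v"
        fi
    done
    status="$(patch_status "$fixed" "$running_pkg" "$newest_pkg")"
    evidence_line "$(uname -n)" "$cve" "$running" "${running_pkg:-unknown}" "$status"
    [ "$status" = PATCHED ]
}

# Only runs when a fixed version is supplied, e.g.
#   sh check_kernel_patch.sh <fixed-package-version-from-advisory> >> patch-confirmations.csv
if [ $# -ge 1 ]; then
    check_kernel_patch "$1" "$2"
fi
```

Run it after every kernel update and append the output to the patch log; REBOOT_REQUIRED is the state most often mistaken for “patched”. On a host using a live-patching service (Canonical Livepatch, for instance) the running kernel version does not change when a fix is applied, so for those hosts use the service’s own status tool as the evidence instead of this script.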

Story Two: CVE-2025-71284, CVSS 9.8 in Synway SMG Gateway Software

This one is more targeted but arguably more immediately dangerous for any business that has a Synway SMG Gateway Management device on their network.

The vulnerability is an OS command injection flaw in the RADIUS configuration endpoint of Synway SMG Gateway Management Software. The specific endpoint is /en/9-2radius.php. The radius_address POST parameter is passed directly into a shell command without any sanitisation.

Translation: an unauthenticated remote attacker, someone with no account on your system whatsoever, can send a crafted HTTP POST request to that endpoint and execute arbitrary shell commands on your gateway device. CVSS score 9.8. No credentials required.

Gateway devices sit at the edge of your network. Compromising one gives an attacker a foothold from which to move laterally into the rest of your infrastructure. This is not a theoretical risk; it is the standard playbook.

If you use Synway SMG hardware, the immediate action is to confirm that the management interface is not exposed to the internet. It should be on an isolated management network or accessible only via VPN. If it is internet-facing right now, that needs to change today. Then review whatever access logs you have in front of the device (its own, or a reverse proxy’s) for requests to that endpoint from addresses outside the management network; any such request is evidence that someone found it before you locked it down.
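One concrete way to answer “is it exposed, and has anyone been poking at it?” from the web access logs that sit in front of the gateway. This is an added example, not vendor code and not taken from the advisory: the endpoint path is the one the advisory names, while the allow-list, the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list requests to the vulnerable Synway endpoint that did not
# come from the management network. Reads common/combined-format access log
# lines on stdin. The endpoint path comes from the advisory; everything else
# here (allow-list, sample lines, function names) is constructed.

# flag_radius_posts ALLOWED_CIDRS < access.log
# Prints every line that touches /en/9-2radius.php from a client address that
# is not inside the comma-separated allow-list, e.g. "10.0.0.0/24,192.168.1.0/24".
flag_radius_posts() {
    awk -v allowed="$1" -v endpoint="/en/9-2radius.php" '
    function ip2int(ip,   p) {
        split(ip, p, ".")
        return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
    }
    # in_cidr: equal network parts after dropping the host bits (32 - prefix).
    # A bare address with no "/prefix" is treated as a /32.
    function in_cidr(ip, cidr,   c, blk) {
        split(cidr, c, "/")
        blk = 2 ^ (32 - (c[2] == "" ? 32 : c[2]))
        return int(ip2int(ip) / blk) == int(ip2int(c[1]) / blk)
    }
    BEGIN { n = split(allowed, nets, ",") }
    # Common/combined log format: $1 client IP, $6 "METHOD, $7 request path.
    # Prefix match so a query string on the path does not hide the hit.
    substr($7, 1, length(endpoint)) == endpoint {
        ok = 0
        for (i = 1; i <= n; i++) if (in_cidr($1, nets[i])) ok = 1
        if (!ok) print
    }'
}

# flag_count ALLOWED_CIDRS < access.log: number of flagged lines, for alerting.
flag_count() {
    flag_radius_posts "$1" | awk 'END { print NR }'
}

# Constructed sample log (not real traffic): two hits from the internet and
# one legitimate administrator session from the management LAN.
sample_log() {
    cat <<'EOF'
203.0.113.45 - - [02/May/2026:09:14:02 +0100] "POST /en/9-2radius.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.23 - - [02/May/2026:09:20:11 +0100] "POST /en/9-2radius.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [02/May/2026:09:21:40 +0100] "GET /en/9-2radius.php?lang=en HTTP/1.1" 200 2048 "-" "curl/8.5.0"
10.0.0.23 - - [02/May/2026:09:25:00 +0100] "GET /en/index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
EOF
}

# Usage against a real log:  sh flag_radius.sh 10.0.0.0/24 < access.log
# With no arguments nothing runs, so the functions can be sourced elsewhere.
if [ $# -ge 1 ]; then
    flag_radius_posts "$1"
fi
```

Standard access logs record the request line but not the POST body, so this finds exposure of, and reconnaissance against, the endpoint rather than the injected radius_address value itself; only a proxy or WAF that logs request bodies would show the payload. Treat any hit from outside the management network as a finding regardless of method, because the fix for this class of bug is that the interface cannot be reached at all from where the attacker sits.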

The Pattern Both Threats Share

Neither of these vulnerabilities requires a sophisticated adversary. They require an attacker with time, access to public information, and a target that has not patched.

The Shadowserver Foundation noted exploitation evidence for the Synway vulnerability as far back as 2022 in related software. CopyFail has been sitting in the kernel since 2017 without anyone catching it until an AI-assisted research process surfaced it this week.

The uncomfortable conclusion is not that these vulnerabilities are exceptional. It is that infrastructure is routinely left unpatched, and attackers are patient.

For UK SMBs, the specific risk is the MSP layer. You are relying on a managed service provider to maintain your infrastructure. The quality of their patch management is invisible to you unless you ask. Most businesses do not ask.

How to Use This as a Competitive Differentiator

If you supply services to larger organisations, or if you handle client data in any capacity, your security posture is increasingly being scrutinised in procurement processes.

Being able to demonstrate that your infrastructure is patched against current, named vulnerabilities is a concrete differentiator. It is verifiable. It is specific. It answers the question “how do you know your systems are secure?” with evidence rather than reassurance.

A business that can say “we confirmed CopyFail patches were applied within 48 hours of the advisory” is a different kind of supplier than one that says “we take security seriously.”

Document the process. Keep a log of patch confirmations. That log is both your evidence and your negotiating position.

Making the Case to Your Board or Budget Holder

The patch is free. The breach is not. CopyFail patches are available at no cost from Debian, Ubuntu, and SUSE. A UK GDPR penalty is not: the ICO can fine up to £17.5 million or 4% of annual worldwide turnover, whichever is higher, and that is before incident response, downtime and lost customers are counted. Apply that calculation.

Your MSP’s patch discipline is your liability. Under UK GDPR, you as the data controller are responsible for the security of the personal data your organisation holds, including data on systems managed by third parties. A processor has its own obligations, but they do not transfer yours. If your MSP’s patch management is inadequate, the regulatory exposure lands on you, whatever the contract says about them.

Public exploit code changes the risk profile. Vulnerabilities with public exploit code are not theoretical. The effort required to exploit them drops significantly once working code is circulating. The risk calculation today is materially different from the risk calculation last week.

What to Do This Week

1. Ask your MSP a direct question. Contact your managed service provider today and ask: which Linux systems do you manage on our behalf, have the CopyFail patches (CVE-2026-31431) been installed, and have those hosts been rebooted into the patched kernel? Require a written confirmation, not a verbal reassurance. If they cannot answer within 24 hours, that is itself informative.

2. Audit your internet-facing infrastructure. If you manage any Linux systems directly, or if you can access your hosting control panel, check what is exposed to the internet. Management interfaces for network devices including gateways should never be publicly accessible. If they are, restrict access to your office IP range or route access through a VPN.

3. Check your Synway SMG deployments. If you have Synway SMG Gateway Management Software in use, confirm the management interface is isolated from the public internet. Contact the vendor for patch status if you are unsure.

4. Establish a patch confirmation process. A spreadsheet tracking critical CVEs, the systems they affect, and confirmation dates is not sophisticated IT governance. It is 30 minutes of work that creates an audit trail. Start one.

5. Review your MSP contract. Check whether your managed service agreement specifies patch response timeframes for critical vulnerabilities. If it does not, that is a gap to address at your next contract review. If it does, this week is a reasonable opportunity to test compliance.

Sources

  • Ars Technica: The most severe Linux threat to surface in years catches the world flat-footed
  • The Hacker News: New Linux ‘Copy Fail’ Vulnerability Enables Root Access on Major Distributions
  • Theori / copy.fail: CopyFail: Linux local privilege escalation via copy_file_range (CVE-2026-31431)
  • NIST NVD: CVE-2025-71284: Synway SMG Gateway OS Command Injection (CVSS 9.8)
  • Security.nl: Copy Fail vulnerability in Linux gives local users root (original title: Copy Fail-kwetsbaarheid in Linux maakt lokale gebruiker root)
  • Ubuntu Security: CVE-2026-31431 Ubuntu Security Notice
  • Debian Security Tracker: CVE-2026-31431 Debian Security Tracker

Filed under

  • smb-security
  • uk-business
  • infrastructure-security
  • remote-access
  • vendor-risk
  • business-risk
  • incident-response