Threat Analysis: CVE-2026-41940 cPanel Zero-Day, Linux Copy Fail LPE, and UK Breach Rate Holds at 43%


Hello, Mauven here.

This is your Daily Threat Analysis for 30th April 2026.

Three items today. Two of them require immediate action if they apply to your infrastructure. The third is a number that should make every SMB owner uncomfortable — not because it is surprising, but precisely because it is not.


CVE-2026-41940: cPanel and WHM Authentication Bypass — Actively Exploited Since February

Let us start with the one that is already in play.

CVE-2026-41940 is a critical authentication bypass vulnerability in cPanel, WHM, and WP Squared. Emergency patches are available as of today. What the vendor announcement does not lead with — but the reporting makes clear — is that this vulnerability has been exploited in the wild since at least late February 2026. That is approximately two months of active exploitation before a public patch and a proof-of-concept both arrived on the same day.

The PoC is now publicly available. That changes the threat calculus considerably. Before today, exploitation required a degree of technical capability. From today, the barrier is substantially lower.

What this means operationally: cPanel and WHM are the control panels sitting behind a very large proportion of shared and managed web hosting. If you run an e-commerce site, a booking system, a client portal, or any web property on managed hosting, there is a reasonable probability that cPanel is involved somewhere in that chain — even if you never interact with it directly. The relevant question is not whether you use cPanel. The relevant question is whether your hosting provider does, and whether they have applied the emergency patch.

What to do:

  • Contact your managed hosting provider or web agency today and ask specifically whether they run cPanel or WHM and whether they have applied the CVE-2026-41940 emergency patch.
  • If you manage your own hosting directly: patch immediately. Do not schedule this for next week.
  • If your provider cannot confirm patch status within 24 hours, escalate.

The advisory attributes active exploitation to attempts going back to late February. What it does not say — and what is worth noting — is that two months of unpatched exploitation on hosting infrastructure typically means credential harvesting, webshell deployment, and persistence. If you are a cPanel user and you have seen anything anomalous in your hosting environment since February, that timeline is now relevant.


‘Copy Fail’: Linux Local Privilege Escalation, Public Exploit Available

A public exploit was released today for a local privilege escalation vulnerability in the Linux kernel, affecting kernels dating back to 2017. The vulnerability has been dubbed ‘Copy Fail’ by researchers. An unprivileged local attacker can use it to gain root permissions on affected systems.

The important qualifier here is local. This is not a remote code execution vulnerability. An attacker needs existing access to the system — a shell, an unprivileged account, access through another vulnerability — before Copy Fail becomes useful. That qualifier matters, but it does not mean you can deprioritise it.

In practice, local privilege escalation vulnerabilities are how attackers go from a foothold to full system compromise. You get in through a misconfigured service, a stolen credential, or a web application vulnerability. Then you escalate. Copy Fail is the second stage of that chain, and now that a public exploit exists, any attacker with initial access to a Linux system has a reliable path to root.

The affected kernel range — 2017 to present — means this covers the vast majority of Linux systems in active use. Ubuntu, Debian, RHEL, CentOS derivatives: all affected on unpatched kernels.

What to do:

  • Apply kernel updates on all Linux systems. This includes servers, cloud instances, and VPS environments.
  • If you manage Linux infrastructure through an MSP or managed service, confirm patching status today.
  • If your systems cannot be immediately patched — legacy infrastructure, compatibility constraints — ensure that other controls are in place: minimise the number of accounts with local access, review audit logs for privilege escalation attempts.

The NCSC has published guidance on vulnerability management and patching cadence. The fact that a kernel vulnerability from this year, with a public exploit, requires me to remind organisations to patch tells you something about where patching sits in the priority queue for many businesses.


43% of UK Businesses Breached Last Year. Phishing Is Still the Vector.

Today’s reporting on the UK government’s latest Cyber Security Breaches Survey puts the annual breach rate for UK businesses at approximately 43%. The primary attack vector remains phishing.

I want to be precise about what this statistic does and does not tell you. A ‘breach’ in this context covers a broad range — from a phishing email that was received and reported but not acted upon, through to full network compromise. The serious end of that spectrum is not 43% of UK businesses. But the fact that nearly half of UK businesses experienced some form of security incident significant enough to register — and that phishing remains the lead mechanism — is a data point that resists comfortable interpretation.

Phishing is not new. The NCSC has published guidance, training resources, and sector-specific advice on phishing defence for years. The organisations appearing in that 43% figure are not, for the most part, organisations that have never heard of phishing. They are organisations where the gap between awareness and effective defence has not been closed.

That gap has several common shapes:

  • Annual security awareness training delivered as a PowerPoint that nobody watches
  • No simulated phishing programme to test whether training translates to behaviour
  • MFA not deployed across all user accounts, meaning a clicked link and a harvested credential amount to a full account compromise
  • No technical controls — DMARC, DKIM, SPF — properly configured to reduce spoofing and impersonation

If your IT provider tells you that you are too small to be a target, ask them how they explain 43%.

Minimum baseline for phishing defence:

  • MFA on all accounts, particularly email and any SaaS platforms with access to financial or client data
  • DMARC policy configured and set to at least quarantine; rejection is the target
  • Regular simulated phishing — not annual, not optional
  • A clear, low-friction process for staff to report suspected phishing without fear of consequence
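As an added example (not from the post), here is a small Python checker that grades the DMARC record you pull for your own domain against that baseline. It does no DNS lookups itself; pass it the TXT data fetched for _dmarc.<yourdomain>, and the sample records are constructed.

```python
# Added example (not from the post): grade a DMARC TXT record against the
# "at least quarantine, reject is the target" baseline. No DNS lookups are made;
# feed it the TXT data you fetched for _dmarc.<yourdomain>. Samples are constructed.
_POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}  # higher is stronger


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt_records: list[str]) -> tuple[str, list[str]]:
    """Return (status, findings) for the TXT records published at _dmarc.<domain>.
    status: missing | invalid | monitor-only | quarantine | reject.
    findings: gaps that leave spoofed mail unfiltered or quietly weaken the policy."""
    records = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not records:
        return "missing", ["no DMARC record: receivers apply no policy to spoofed mail"]
    if len(records) > 1:
        return "invalid", ["multiple DMARC records: receivers discard all of them"]
    tags = parse_dmarc(records[0])
    policy = tags.get("p", "").lower()
    if policy not in _POLICY_RANK:
        return "invalid", [f"missing or unknown p= value: {policy!r}"]

    findings: list[str] = []
    if policy == "none":
        findings.append("p=none only monitors; move to quarantine, then reject")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    sub = tags.get("sp", policy).lower()
    if _POLICY_RANK.get(sub, 0) < _POLICY_RANK[policy]:
        findings.append(f"sp={sub}: subdomains are weaker than the parent domain")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports, so spoofing goes unseen")
    return ("monitor-only" if policy == "none" else policy), findings


if __name__ == "__main__":
    for sample in (["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
                   ["v=DMARC1; p=reject; pct=30; sp=none"], []):
        print(sample, "->", assess_dmarc(sample))
```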

Wider Context: China-Linked Activity in European Critical Infrastructure

For completeness: The Register reported today, in an exclusive, on a novel China-linked threat group that has been active in more than a dozen critical networks in Poland and across Asian countries since December 2024, with activity confirmed as recently as this month. The group uses command-and-control infrastructure operating on a sleep cycle — designed to minimise detection by blending into normal network traffic patterns.

This is not a direct threat to UK SMBs. I am not going to pretend it is. But it is relevant context. Chinese state-linked activity in European critical infrastructure — Poland is a NATO member and a significant logistics hub — is part of the same threat landscape that UK businesses operate in. Supply chain exposure, shared infrastructure, and downstream effects from critical sector compromise are all real pathways. This one is worth watching.


Summary: What to Do Today

| Priority | Action | Timeframe |
|---|---|---|
| Critical | Contact hosting provider re: CVE-2026-41940 cPanel patch status | Today |
| Critical | Apply Linux kernel updates on all managed systems | Today |
| High | Verify MFA is enabled on all user accounts | This week |
| High | Check DMARC configuration and policy level | This week |
| Ongoing | Review phishing awareness programme — is it actually working? | This quarter |

Sources

| Source | Title | URL |
|---|---|---|
| BleepingComputer | Critical cPanel and WHM bug exploited as a zero-day, PoC now available | https://www.bleepingcomputer.com/news/security/critical-cpanel-and-whm-bug-exploited-as-a-zero-day-poc-now-available/ |
| The Register | Bug of the year (so far): Nasty cPanel vulnerability probably exploited as a 0-day | https://www.theregister.com/2026/04/30/cpanel_whn_cves/ |
| BleepingComputer | New Linux ‘Copy Fail’ flaw gives hackers root on major distros | https://www.bleepingcomputer.com/news/security/new-linux-copy-fail-flaw-gives-hackers-root-on-major-distros/ |
| The Register | Nearly half of UK businesses pwned last year as phishing keeps doing the job like it’s 2005 | https://www.theregister.com/2026/04/30/almost_half_of_uk_firms/ |
| The Register | Novel Chinese spy group found in critical networks in Poland, Asia | https://www.theregister.com/2026/04/30/chinese_spies_lurking_networks/ |
