cPanel Under Active Attack, MOVEit Is Back, and Your Router Is Probably Compromised: The 5 May 2026 Brief
Two items from yesterday’s intelligence feed warrant immediate attention from anyone running a UK small business, or advising one. A third item is worth understanding before it becomes your problem.
This is not a drill. CISA’s Known Exploited Vulnerabilities catalogue does not deal in hypotheticals.
Story One: cPanel Is Being Actively Exploited Right Now
CISA added two vulnerabilities to its KEV catalogue on 4 May 2026. One of them is in cPanel (CVE-2026-41940), the web hosting control panel that sits behind an enormous proportion of UK small business websites and hosting accounts.
KEV inclusion means one specific thing: confirmed, active exploitation in the wild. Not proof-of-concept. Not theoretical. Attackers are using this now.
cPanel is the interface your hosting provider probably uses to manage your web hosting, email accounts, databases, and file storage. An authentication bypass in cPanel means an attacker who can reach your hosting panel login page may be able to get in without valid credentials.
The business consequence is not abstract. Compromised hosting accounts are used to plant malware on customer-facing websites, steal email credentials, exfiltrate customer data, and establish persistent access for later ransomware deployment.
What to do: Contact your hosting provider today. Ask them directly: have you patched CVE-2026-41940? If they cannot answer that question, that is itself useful information about the quality of your hosting relationship. If you manage your own server with cPanel installed, apply the vendor update immediately.
Story Two: MOVEit Has a New Critical Authentication Bypass
Progress Software disclosed two vulnerabilities in MOVEit Automation on 4 May 2026. The headline one is CVE-2026-4670, a critical authentication bypass carrying the highest severity rating.
MOVEit Automation is a file transfer tool used by organisations that need to move data between internal systems, external partners, and cloud platforms automatically. It tends to appear in supply chains: accountancy firms moving client data, legal practices sharing documents, payroll processors exchanging files with HMRC integrations.
This matters to small businesses even if they do not use MOVEit directly. If your accountant, your payroll provider, or your legal firm uses MOVEit Automation and has not patched, your data may be in the blast radius.
MOVEit’s previous major vulnerability in 2023 (CVE-2023-34362) resulted in mass exploitation affecting thousands of organisations globally, including significant UK public sector and private sector data breaches. The Cl0p ransomware group weaponised it within days of public disclosure.
Progress has released patches for CVE-2026-4670. The patch exists. The question is whether every organisation in your supply chain has applied it.
What to do: If your business uses MOVEit directly, apply the Progress patch immediately. If your business relies on third parties who handle your data, ask them whether they use MOVEit Automation and whether CVE-2026-4670 has been patched. This is a legitimate question to put to any data processor under your GDPR obligations as a data controller.
Story Three: Two Totolink Router Models With Public Exploits
Two Totolink router models received CVSS 9.8 severity ratings for buffer overflow vulnerabilities published on 4 May 2026: CVE-2026-7719 affecting the WA300, and CVE-2026-7747 affecting the N300RH.
The critical detail is not just the severity score. It is that public exploits have already been released. The attack tools exist and are circulating.
Totolink is a budget router brand that appears in small offices, retail units, and home setups across the UK. These are the routers that cost under fifty pounds and get forgotten about for years. Buffer overflow vulnerabilities in the login function mean an attacker who can reach the router’s management interface over the network can potentially execute arbitrary code: take control of the device, intercept traffic, pivot into the internal network, or use the compromised router as a staging point for further attacks.
This is relevant to small businesses because budget network hardware represents exactly the kind of invisible infrastructure that does not appear in anyone’s asset register and never gets patched.
What to do: Check whether your office uses either affected model. Log into your router’s admin page and check the model name and firmware version. If you have a Totolink WA300 or N300RH, check the vendor site for a firmware update. If no update is available or the device is end of life, replace it. A managed router from a reputable vendor with automatic firmware updates is not an extravagance; it is a basic control.
Why This Pattern Matters
Three separate stories. One common thread.
All three involve infrastructure that small businesses treat as invisible: the hosting panel managed by someone else, the file transfer system used by a supplier, the router that has been plugged in since the office moved in 2021. None of them appear on most small business risk registers. All of them are active attack surface.
Attackers targeting small businesses do not typically break through the front door. They find the service entrance that nobody is watching. A forgotten cPanel installation, a third-party data processor running unpatched MOVEit, a budget router with a public exploit and default credentials. That is the actual threat model.
The supply chain risk guide covers the broader picture of how small businesses inherit risk from their suppliers and service providers. The pattern from this week’s intelligence fits that model precisely.
How to Use This as a Business Differentiator
If you manage IT for clients, or if you are a small business owner who takes security seriously, the ability to respond to a specific, named, confirmed vulnerability within 24 hours of its public disclosure is not a small thing.
Most small businesses will never know that cPanel was added to the KEV catalogue. Most will not know what MOVEit is, let alone whether their accountant uses it. The business that can call its hosting provider and ask a specific question about a specific CVE, and document that conversation, is demonstrating a security posture that is measurably better than its competitors.
For businesses seeking Cyber Essentials certification, patch management is a core control. Being able to evidence that you identified and responded to a critical vulnerability within 24 hours of disclosure is exactly the kind of audit trail that supports certification and, more importantly, actually reduces risk.
Making the Case to Your Directors
Three points worth putting in front of a board or senior management:
Exploitation precedes awareness. CISA confirmed cPanel exploitation before most UK businesses had even heard of the vulnerability. Waiting for your MSP’s monthly newsletter is not a patch management strategy.
Supply chain liability is real. Under UK GDPR, you are responsible for your data processors. If your accountant’s MOVEit installation is compromised and your client data is exfiltrated, the ICO will look at whether you exercised appropriate due diligence over your data processors. Asking suppliers about CVE-2026-4670 is not paranoia; it is compliance.
Cheap infrastructure is expensive when it fails. A compromised router costs nothing to replace proactively. It costs considerably more when it is the entry point for a network breach that results in ransomware, data loss, and regulatory notification obligations.
What to Do Before the End of This Week
- Contact your hosting provider. Ask specifically about CVE-2026-41940 in cPanel. Get a written response. If they cannot confirm patching status, escalate or consider switching providers.
- Ask your data processors about MOVEit. Any third party that receives, processes, or stores your data is a data processor under UK GDPR. Send a brief email asking whether they use MOVEit Automation and confirming CVE-2026-4670 patch status. Document the response.
- Audit your network hardware. Walk around your office. Check router model numbers. Log into admin interfaces and check firmware versions. If you have Totolink WA300 or N300RH devices, prioritise them.
- Check for firmware updates on all network devices. While you are auditing, check every managed switch, access point, and firewall for pending firmware updates. The Totolink story is not unique; budget network hardware across multiple brands carries similar risks.
- Document what you did and when. A brief record of the checks you made, the questions you asked suppliers, and the patches you applied is not bureaucracy. It is evidence that you took reasonable steps. That matters to insurers, to the ICO, and to clients who ask about your security posture.
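The audit and record-keeping steps above can be run against a simple asset list, as in this added example (not part of the original brief). Only the product names and CVE IDs come from this brief; the inventory rows, owner names and the `norm` and `triage` helpers are constructed for illustration.

```python
import csv
import io
import re
from datetime import date

# Vendor, product and CVE ID exactly as named in this brief.
WATCHLIST = [
    ("cpanel", "cpanel", "CVE-2026-41940"),
    ("progress", "moveitautomation", "CVE-2026-4670"),
    ("totolink", "wa300", "CVE-2026-7719"),
    ("totolink", "n300rh", "CVE-2026-7747"),
]

# Constructed sample inventory; assets, owners and the last two models are illustrative.
SAMPLE_INVENTORY = """asset,owner,vendor,product
Company website hosting,Example Hosting Ltd,cPanel,cPanel
Payroll file exchange,Example Payroll LLP,Progress,MOVEit Automation
Front office router,self,TOTOLINK,N300RH
Stock room access point,self,Totolink,WA-300
Meeting room router,self,Totolink,
Core firewall,self,ExampleVendor,FW-100
"""

def norm(text):
    """Lower-case and drop punctuation/spaces so 'WA-300' matches 'WA300'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def triage(inventory_csv, checked_on):
    """Return one evidence row per asset: matched CVE, next action, check date."""
    rows = []
    for item in csv.DictReader(io.StringIO(inventory_csv)):
        vendor, product = norm(item["vendor"]), norm(item["product"])
        # Prefix match on purpose: a label such as 'N300RH v4' still matches.
        cve = next((c for v, p, c in WATCHLIST if v == vendor and product.startswith(p)), None)
        third_party = item["owner"].strip().lower() != "self"
        if cve and third_party:
            action = f"ask {item['owner']} in writing for patch status"
        elif cve:
            action = "apply vendor update, or replace if none is available"
        elif not product:
            action = "identify model and firmware version"
        else:
            action = "check for pending firmware updates"
        rows.append({"asset": item["asset"], "cve": cve or "", "action": action,
                     "checked_on": checked_on.isoformat()})
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY, date(2026, 5, 5)):
        print(row)
```

The router with no recorded model is the case the brief warns about: it cannot be matched to any CVE until someone reads the label, so it gets its own action rather than being passed as clean.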