CISA confirmed active exploitation of a Linux kernel zero-day today, a mass compromise campaign against cPanel servers crossed the 40,000-server mark, and a Microsoft Defender signature update is breaking TLS across Windows environments. All three stories demand action this week — two of them demand action today.

In the News

Linux Kernel Zero-Day CVE-2026-31431 Exploited in the Wild for Root Access

CISA added CVE-2026-31431 to the Known Exploited Vulnerabilities (KEV) catalog on May 4, 2026, after confirming active exploitation targeting Linux systems. The vulnerability resides in the kernel’s authencesn cryptographic template — a component of the kernel’s crypto subsystem used for authenticated encryption with sequence numbers. Successful exploitation gives a local attacker root-level privilege escalation.

The flaw carries a CVSS 7.8 score. A public proof-of-concept exploit has been circulating since May 3, which collapses the window between disclosure and widespread exploitation to hours. The practical impact extends well beyond Linux workstations: every Linux-based network appliance — next-gen firewalls, network detection and response sensors, SD-WAN controllers, DNS resolvers, container hosts — runs a kernel that may be vulnerable. Appliance vendors often ship kernel updates on their own cadence, meaning the upstream patch availability does not equal appliance patch availability.

The KEV listing triggers a federal mandate for civilian agencies to patch within the prescribed timeline. For private-sector organizations, the KEV addition should be treated as the strongest possible signal that exploitation is not theoretical — it is happening now.

What defenders should do: Patch the kernel on all Linux systems immediately. For appliance-based Linux (firewalls, SD-WAN, NDR), check vendor advisories independently — do not assume the upstream kernel fix has been incorporated. If a patch is not yet available for a specific appliance, apply vendor-recommended mitigations or isolate the device from untrusted network access. Ensure vulnerability management platforms are ingesting KEV additions in real time, not on a scheduled scan cadence. Monitor for local privilege escalation indicators: unexpected uid=0 process creation, anomalous setuid calls, and kernel module loading from non-standard paths.

MITRE ATT&CK: T1068 — Exploitation for Privilege Escalation

Source: BleepingComputer

40,000+ cPanel Servers Compromised in Ongoing CVE-2026-41940 Campaign

The mass exploitation of CVE-2026-41940 in cPanel and WHM has now reached over 40,000 confirmed compromised servers, according to updated reporting from SecurityWeek. The vulnerability was disclosed and patched on April 30 — attackers have been moving faster than defenders, compromising servers at scale within four days of patch availability.

Targets are concentrated in Southeast Asia and include government agencies, military-affiliated infrastructure, and managed service providers. The shared-hosting architecture that cPanel manages creates an outsized blast radius: a single compromised cPanel instance provides the attacker with administrative access to every tenant on that server. This is not a web application vulnerability — it is a management plane compromise. The attacker does not need to exploit each hosted site individually; they control the infrastructure layer.

The campaign’s focus on MSPs is particularly concerning. An MSP’s cPanel environment may host dozens or hundreds of customer domains. Compromising the MSP’s management plane gives the threat actor access to all downstream customers simultaneously — a supply chain compromise through hosting infrastructure.

What defenders should do: Update cPanel/WHM to the April 30 patch immediately. Post-patch, audit for indicators of prior compromise: webshells in /usr/local/cpanel/ directories, unauthorized SSH keys, cron jobs with external callbacks, and new cPanel accounts created during the exploitation window (April 30 – present). For shared-hosting environments, review cross-tenant access controls and verify that tenant isolation is enforced at the filesystem and process level, not just at the application layer.

MITRE ATT&CK: T1190 — Exploit Public-Facing Application, T1078 — Valid Accounts (post-compromise tenant pivoting)

Source: SecurityWeek

Microsoft Defender False Positives Flag DigiCert Root Certificates as Malware

A faulty Microsoft Defender signature update is classifying legitimate DigiCert root certificates as Trojan:Win32/CerDigentAdHA, triggering certificate quarantine actions across Windows environments. The downstream effects include TLS handshake failures, VPN client disconnects, broken firewall and appliance management console access, and application crashes for any software that validates against the affected DigiCert root.

Microsoft has not issued a signature rollback as of publication. The current workaround requires manual exclusion of the DigiCert certificate hashes in Defender’s allowed list or a Defender policy override through Group Policy or Intune. For environments that manage Defender signatures centrally, pushing the exclusion across the fleet is straightforward; for environments without centralized Defender management, this is a per-machine remediation — which does not scale.

The incident is a reminder that endpoint protection platforms are themselves a single point of failure for trust decisions. When Defender decides a root CA certificate is malicious, every TLS connection that chains to that root breaks. The certificate is not compromised; the detection is wrong. But the operational impact is identical to what a real certificate compromise would cause.

What defenders should do: If Windows systems are experiencing unexpected TLS failures, VPN drops, or management console errors as of May 4, check Defender’s quarantine log for Trojan:Win32/CerDigentAdHA detections. Apply the DigiCert root certificate hash exclusion in Defender. Monitor Microsoft’s Security Intelligence portal for a signature update that corrects the false positive. For organizations running multiple endpoint protection layers, verify that the secondary layer did not cascade the same false-positive classification.

Source: BleepingComputer

Today’s Deep Dive — Linux Kernel Privilege Escalation and the Appliance Blind Spot

CVE-2026-31431 is a local privilege escalation, which means it requires an attacker to already have code execution on the target system. That makes it a second-stage exploit — but in practice, this is exactly the kind of vulnerability that transforms a low-privilege foothold into full root control. Initial access through a web application vulnerability, a compromised container, or a stolen SSH key becomes a root compromise the moment the attacker lands on an unpatched kernel.

The authencesn template is part of the kernel’s cryptographic API, used for IPsec and other authenticated encryption operations. The vulnerability is a memory corruption issue triggered during sequence number processing. The public PoC demonstrates reliable root escalation on kernels shipped with major distributions between late 2025 and the patch date. The exploit does not require unusual kernel configurations or non-default modules — it works on standard installations.

The appliance blind spot is the real operational risk. Organizations that patch their Linux server fleet promptly may not realize that their Palo Alto firewall, their Fortinet appliance, their Arista switch, or their Kubernetes node operating system all run Linux kernels on their own update schedules. These devices are often excluded from vulnerability management scans because they do not run a standard agent. The result: the kernel is patched on servers within days, but the firewall protecting those servers runs a vulnerable kernel for weeks or months.

Detection signal: Monitor for local privilege escalation indicators on Linux systems. The key signals are:

  • Process creation with uid=0 by a parent process running as a non-root user
  • setuid system calls from processes not in an approved list
  • Kernel module loading (insmod, modprobe) from non-standard paths (e.g., /tmp/, /dev/shm/, user home directories)
  • Unexpected modifications to /etc/passwd, /etc/shadow, or /etc/sudoers

MITRE ATT&CK: T1068 — Exploitation for Privilege Escalation, T1611 — Escape to Host (container escape scenarios)

Detection Spotlight

The following Splunk SPL query identifies potential Linux privilege escalation by detecting processes that transition to uid=0 from a non-root parent. This catches exploitation of CVE-2026-31431 and similar local privilege escalation vulnerabilities. Tune the NOT clause for legitimate setuid binaries in your environment (e.g., sudo, su, pkexec).

index=linux_audit sourcetype=linux:audit
action=EXECVE OR action=SYSCALL
uid=0
| eval parent_uid=coalesce(ppid_uid, "unknown")
| where parent_uid!="0" AND parent_uid!="unknown"
| search NOT [ | inputlookup approved_setuid_binaries.csv | fields process_name ]
| stats count earliest(_time) AS first_seen latest(_time) AS last_seen values(process_name) AS processes BY host, parent_uid
| where count > 0
| sort - count

This query requires Linux auditd data ingested into Splunk. False positive rate depends on the quality of the approved_setuid_binaries.csv lookup — populate it with legitimate setuid binaries before deploying. Expect initial tuning noise from cron jobs and system services that legitimately escalate privileges.

References

Subscribe to the it-learn Brief

Get the daily cybersecurity brief in your inbox every weekday morning — news, SE angles, and detection queries.