You are studying for CompTIA CySA+ (CS0-003). Two CVEs land the same week. One scores 4.3 — the yellow squiggle scanners tuck below the fold. The other scores a perfect 10.0. Which do you patch first?

If your answer was “the 10.0,” you got the trick question wrong. The right answer is both, immediately — and the reason is exactly what CySA+ tests on vulnerability prioritization.

CVE-2026-32202 (Windows Shell zero-day, CVSS 4.3) and CVE-2026-41940 (cPanel auth bypass, CVSS 10.0) are both being actively exploited and both on CISA’s KEV catalog. The CVSS gap between them is the best teaching moment in 2026 for why CVSS alone is not a prioritization framework — it is one input into one.

This post walks both through the CySA+ lens: technical mechanics, CVSS breakdown, MITRE ATT&CK mapping, detection, and the exam-style reasoning that ties it together.

What CySA+ CS0-003 Tests on Vulnerability Management

Domain 2.0 (Vulnerability Management) is 30% of the CS0-003 exam — the largest single domain. You will be tested on:

  • CVSS v3.1 interpretation — reading the vector string, base/temporal/environmental metrics, and what the score does and does not measure.
  • EPSS — FIRST.org’s probabilistic model estimating the likelihood of exploitation in the next 30 days, scored 0.0 to 1.0.
  • CISA KEV — the US-government catalog of CVEs with confirmed in-the-wild exploitation, with federal patch deadlines under BOD 22-01.
  • Threat intelligence integration — MITRE ATT&CK, ISAC feeds, and vendor advisories enriching raw CVE data with adversary context.
  • Risk-based prioritization — combining the above with asset criticality, exposure, and compensating controls into a defensible patch queue.

Treat each CVE here as an exam question in real life. The exam hands you scenarios where context overrides severity. For deeper grounding on the metrics, see Reading Vulnerability Reports: CVE, CVSS, EPSS.

CVE-2026-32202: Windows Shell Zero-Day

3.1 The Vulnerability

Windows Shell is the user-facing layer of Windows — Explorer, the taskbar, file previews, shortcut handling, and the icon-rendering subsystem that processes file metadata before a user clicks anything. Shell flaws are a favored initial-access vector because users interact with files constantly.

Microsoft confirmed CVE-2026-32202 is being actively exploited. The public advisory is sparse on technical detail, but based on the disclosure pattern, this is consistent with a flaw triggered by a crafted file or shortcut that executes when opened or previewed in Explorer. CISA added it to KEV with a federal remediation deadline (BleepingComputer, April 2026).

3.2 Why CVSS 4.3

A CVSS v3.1 base score of 4.3 (Medium) reflects a vector roughly like AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N — local attack vector, low complexity, some privileges required, user interaction required, no scope change, limited confidentiality impact. Hard to reach remotely, requires user action, bounded immediate impact.

That is why scanners deprioritize it: a CVSS-ranked queue buries 4.3 below dozens of CVSS 7+ findings. The CySA+ exam will put a 4.3 in front of you and ask if you patch.

3.3 Why CISA Put It on KEV Anyway

KEV is not CVSS-based. The inclusion criteria: a CVE-ID, reliable evidence of in-the-wild exploitation, and a clear remediation action. When KEV and CVSS disagree, KEV wins — an exploited 4.3 is provably weaponized; an unexploited 9.8 is theoretical.

3.4 MITRE ATT&CK Mapping

Based on the disclosure pattern, likely techniques:

  • TA0001 Initial Access via T1566.001 Spearphishing Attachment — delivery of the crafted Shell-triggering file.
  • TA0002 Execution via T1204.002 User Execution: Malicious File.
  • TA0005 Defense Evasion via T1218 System Binary Proxy Execution — signed Microsoft binaries carry the payload.
  • T1574.001 DLL Search Order Hijacking is also plausible if Shell loads a DLL from an attacker-controlled path.

These are best-fit interpretations based on the public disclosure.

3.5 Detection Guidance

  • Windows Event ID 4688 (process creation) with command-line auditing. Look for unexpected children of explorer.exe: cmd.exe, powershell.exe, rundll32.exe, regsvr32.exe, mshta.exe.
  • Sysmon Event ID 1 / 7 for unsigned or unusually-located DLLs loaded by Shell processes.
  • Sysmon Event ID 11 for new files in %APPDATA%, %TEMP%, or %PROGRAMDATA% preceding suspicious child processes.

For hands-on lab practice, see the Security+ Home Lab Guide.

CVE-2026-41940: cPanel Auth Bypass

4.1 The Vulnerability

cPanel & WHM is the dominant hosting control panel for shared hosting, reseller hosting, and managed WordPress, running on hundreds of thousands of internet-facing servers and providing administrative control over every site, database, mailbox, and DNS record on the host.

CVE-2026-41940 is an unauthenticated authentication bypass: an attacker reaches an HTTP endpoint, sidesteps login, and is treated as an admin. CVSS 10.0 reflects the worst-case vector — roughly AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H: network-reachable, no privileges, no user interaction, scope change to all hosted tenants, full CIA impact (BleepingComputer, April 2026).

4.2 Pre-Disclosure Exploitation

Exploitation predates the patch by roughly two months. Attackers used this as a zero-day from late February 2026; the public PoC and broad awareness arrived in late April. Any internet-reachable cPanel server during that window must be assumed compromised until proven otherwise.

The CS0-003 lesson: the patch window starts when the attacker starts using it, not when the vendor publishes.

4.3 Why Hosting Providers Care: Multi-Tenant Blast Radius

One compromised cPanel host typically holds hundreds of unrelated customer websites, every MySQL/MariaDB database backing them, SMTP credentials and stored mail, and API tokens for DNS and billing. Supply-chain potential through a single hop. For compliance angles on multi-tenant breach reporting, see the Security Compliance Cheat Sheet.

4.4 MITRE ATT&CK Mapping

  • TA0001 Initial Access via T1190 Exploit Public-Facing Application and T1133 External Remote Services.
  • TA0003 Persistence via T1078 Valid Accounts (the minted admin session) and T1136.003 Create Account: Cloud Account (new admin accounts for retained access).
  • TA0040 Impact via T1496 Resource Hijacking or T1486 Data Encrypted for Impact, depending on intent.

For foundational reference, see MITRE ATT&CK Framework Explained.

4.5 Detection Guidance

  • Unauthenticated requests to admin endpoints (/whm/, /cpanel/, /login/) returning HTTP 200 instead of 302/401.
  • POSTs to auth endpoints with empty or non-standard bodies followed by successful session establishment.
  • Account-creation events in /var/cpanel/accounting.log since late February 2026 not matching known provisioning workflows.
  • Outbound connections from hosted PHP processes to newly registered domains — a downstream webshell signal.

The CySA+ Teaching Moment: CVSS Is Not Enough

[Figure: CVE triage flowchart showing CVSS score, EPSS probability, and CISA KEV status combining into LOW / HIGH / CRITICAL priority]

Here is the side-by-side that should live in your study notes:

| Factor | CVE-2026-32202 (Windows Shell) | CVE-2026-41940 (cPanel) |
|---|---|---|
| CVSS v3.1 base | 4.3 (Medium) | 10.0 (Critical) |
| Attack vector | Local, requires user interaction | Network, unauthenticated |
| EPSS (likely range) | High — KEV listing typically corresponds to EPSS >0.7 | Very high — public PoC + active exploitation typically corresponds to EPSS >0.95 |
| CISA KEV status | Listed, federal patch deadline | Listed, federal patch deadline |
| In-the-wild exploitation | Confirmed, scope undisclosed | Confirmed since late February 2026 |
| Public PoC available | No (as of disclosure) | Yes, released late April 2026 |
| Blast radius per host | Single endpoint, user-context | Entire multi-tenant hosting environment |
| Naive CVSS-only triage | Deprioritized | Top of queue |
| Risk-based triage | Top of queue (KEV + active exploitation) | Top of queue (KEV + PoC + multi-tenant blast radius) |

The exam wants you to internalize: CVSS measures the wound, EPSS measures the likelihood of being shot, KEV measures whether bullets are already flying. A program using only one signal operates with one eye closed.

Priority = f(CVSS, EPSS, KEV, asset criticality, exposure, compensating controls)

No single weighting fits every organization — that is the point. CS0-003 tests whether you can articulate the trade-offs and defend a prioritization decision.
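To make the trade-offs concrete, here is one way to write that function down as code. It is an added example, not the post's or any vendor's scoring model: the weights, the tier thresholds (LOW / HIGH / CRITICAL, following the triage flowchart), the EPSS values and the third, placeholder finding are all assumptions, chosen so that confirmed exploitation (KEV) outranks a high base score on its own.

```python
"""Risk-based triage scoring: one concrete reading of

    Priority = f(CVSS, EPSS, KEV, asset criticality, exposure, compensating controls)

Added example, not from the post. The weights, thresholds and sample
findings are assumptions for illustration; each organization has to
choose and defend its own.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float                 # CVSS v3.1 base score, 0.0-10.0
    epss: float                 # FIRST EPSS probability, 0.0-1.0
    kev: bool                   # listed on the CISA KEV catalog
    asset_criticality: int      # 1 (lab box) .. 5 (crown jewel / multi-tenant host)
    internet_exposed: bool
    compensating_controls: float = 0.0  # 0.0 (none) .. 1.0 (exploit path fully blocked)


def priority_score(f: Finding) -> float:
    """0-10 score. Severity (CVSS) contributes at most 4 points, likelihood
    (KEV or EPSS) at most 5, business context at most 1, so a KEV listing
    outranks any non-exploited score. (assumed weighting)"""
    if not (0 <= f.cvss <= 10 and 0 <= f.epss <= 1 and 0 <= f.compensating_controls <= 1):
        raise ValueError(f"out-of-range inputs for {f.cve}")
    severity = 0.4 * f.cvss
    # Confirmed in-the-wild exploitation (KEV) is treated as probability 1.0;
    # otherwise EPSS supplies the likelihood.
    likelihood = 5.0 * (1.0 if f.kev else f.epss)
    exposure = 1.0 if f.internet_exposed else 0.5
    context = (f.asset_criticality / 5) * exposure
    raw = (severity + likelihood + context) * (1.0 - f.compensating_controls)
    return round(raw, 2)


def tier(score: float) -> str:
    """Map a score onto the LOW / HIGH / CRITICAL tiers (assumed thresholds)."""
    if score >= 7.0:
        return "CRITICAL"
    if score >= 4.0:
        return "HIGH"
    return "LOW"


def triage(findings: list[Finding]) -> list[tuple[str, float, str]]:
    """Return (cve, score, tier) as a patch queue, highest priority first."""
    scored = []
    for f in findings:
        score = priority_score(f)
        scored.append((f.cve, score, tier(score)))
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample findings. EPSS values are illustrative (the post gives
# only likely ranges); the third CVE id is a placeholder, not a real CVE.
SAMPLE_FINDINGS = [
    Finding("CVE-2026-32202", cvss=4.3, epss=0.71, kev=True,
            asset_criticality=3, internet_exposed=False),
    Finding("CVE-2026-41940", cvss=10.0, epss=0.97, kev=True,
            asset_criticality=5, internet_exposed=True),
    Finding("CVE-YYYY-PLACEHOLDER", cvss=9.8, epss=0.04, kev=False,
            asset_criticality=5, internet_exposed=True),
]

if __name__ == "__main__":
    for cve, score, level in triage(SAMPLE_FINDINGS):
        print(f"{level:8} {score:5.2f}  {cve}")
```

Run it and the queue comes out cPanel (10.0, CRITICAL), Shell (7.02, CRITICAL), placeholder 9.8 (5.12, HIGH): the non-KEV 9.8 with EPSS 0.04 is worse on paper and less urgent in practice, which is the whole argument of the table above. Halving the cPanel finding's exposure with a compensating control (0.5) drops it to 5.0, which is how the last term in the function earns its place.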

MITRE ATT&CK Mapping Walkthrough

[Figure: MITRE ATT&CK kill chain comparison for CVE-2026-32202 Windows Shell and CVE-2026-41940 cPanel auth bypass with technique IDs]

A common CS0-003 question pattern: “Given this exploitation chain, identify the technique.”

For CVE-2026-32202 (Shell zero-day): Initial access via crafted file → TA0001. Delivery → T1566.001 (Spearphishing Attachment). Execution → T1204.002 (User Execution: Malicious File). Post-exec abuse of Shell binaries → T1218 or T1574.001 depending on the primitive.

For CVE-2026-41940 (cPanel bypass): Initial access → TA0001. Exploit public-facing app → T1190 (also satisfies T1133 — admin panels are remote services). Pivot to persistence (TA0003): minted admin session → T1078 (Valid Accounts); new admin account → T1136.003.

The exam asks you to map an action to a tactic and pick the best-fit technique among four options. Practice with the ATT&CK Navigator.

Building a Detection Rule for Each (Hands-on)

These are teaching examples — they capture the shape of detection, not production-grade tuning.

Splunk SPL for CVE-2026-32202

index=endpoint sourcetype="WinEventLog:Security" EventCode=4688
```Event 4688 records full paths, so reduce both names to the executable basename before comparing```
| eval parent=lower(mvindex(split(ParentProcessName, "\\"), -1)),
       child=lower(mvindex(split(NewProcessName, "\\"), -1))
| where parent="explorer.exe"
  AND (child="cmd.exe" OR child="powershell.exe" OR child="rundll32.exe"
       OR child="regsvr32.exe" OR child="mshta.exe" OR child="wscript.exe")
| stats count values(CommandLine) as cmdlines
        by host, ParentProcessName, NewProcessName
| sort -count

What this teaches: parent/child process anomalies are a high-fidelity signal for Shell-triggered execution. Tune by adding allowlists for known-good admin tooling (your RMM agent, your scripted deployment shells) before alerting.

Sigma Rule for CVE-2026-41940

title: cPanel Unauthenticated Admin Endpoint Access (CVE-2026-41940)
# Sigma expects a UUID here; the value below is a placeholder to replace before use.
id: a1b2c3d4-cysa-2026-41940-detect
status: experimental
description: Detects unauthenticated requests to cPanel/WHM admin endpoints
  returning a success code, consistent with CVE-2026-41940 exploitation.
logsource:
  category: webserver
detection:
  selection_uri:
    cs-uri-stem|contains:
      - '/whm/'
      - '/cpanel/'
      - '/json-api/'
  selection_status:
    # 302 is the normal redirect-to-login for an anonymous request, so only
    # 200 counts as a successful admin response (see the detection guidance above).
    sc-status:
      - 200
  filter_authn:
    cs(Cookie)|contains: 'cpsession='
  condition: selection_uri and selection_status and not filter_authn
falsepositives:
  - Health checks or monitoring probes hitting admin endpoints anonymously
level: high
tags:
  - attack.initial_access
  - attack.t1190
  - attack.t1133

What this teaches: web-log Sigma rules look at which endpoints, with what status, under what auth state. The condition expresses “successful admin response without an auth cookie” — the structural anomaly the bypass produces.
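To see that condition fire, here is the same logic applied to log records in Python, serving both the detection guidance for CVE-2026-41940 and the Sigma rule above. This is an added example, not part of the post's rule: the tab-separated record layout, the sample lines (documentation-range client addresses, placeholder session value) and the monitoring user-agent allowlist are constructed for illustration, and a real cPanel or Apache access log needs its own parser.

```python
"""Apply the cPanel web-log detection to sample log records.

Added example, not from the post: evaluates the Sigma condition
"admin endpoint AND HTTP 200 AND NOT a cpsession cookie" over constructed
log lines, plus an allowlist for the rule's stated false positive
(anonymous monitoring probes). The record layout and every log line here
are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass

ADMIN_PREFIXES = ("/whm/", "/cpanel/", "/json-api/")   # paths from the Sigma rule
MONITOR_AGENT_PREFIXES = ("uptime-probe/",)             # assumed monitoring user-agent


@dataclass(frozen=True)
class Request:
    time: str
    client: str
    method: str
    uri: str
    status: int
    cookie: str      # "-" when the request carried no Cookie header
    user_agent: str


def parse_line(line: str) -> Request:
    """Parse one constructed record: time, client, method, uri, status, cookie, user-agent."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 7:
        raise ValueError(f"expected 7 tab-separated fields, got {len(fields)}: {line!r}")
    time, client, method, uri, status, cookie, agent = fields
    return Request(time, client, method, uri, int(status), cookie, agent)


def is_unauthenticated_admin_success(r: Request) -> bool:
    """The structural anomaly the bypass produces: an admin path answered
    with 200 to a request that carries no session cookie. startswith()
    approximates the rule's |contains on the URI stem."""
    if not r.uri.startswith(ADMIN_PREFIXES):
        return False
    if r.status != 200:            # 302-to-login / 401 is the normal anonymous outcome
        return False
    if "cpsession=" in r.cookie:   # an authenticated session is present
        return False
    if r.user_agent.startswith(MONITOR_AGENT_PREFIXES):  # known probes (tuning)
        return False
    return True


def scan(lines: list[str]) -> list[Request]:
    """Return the records that satisfy the detection condition."""
    return [r for r in map(parse_line, lines) if is_unauthenticated_admin_success(r)]


# Constructed sample log. Clients use the 203.0.113.0/24 documentation range.
SAMPLE_LOG = [
    "2026-04-28T10:00:01Z\t203.0.113.5\tGET\t/cpanel/\t302\t-\tMozilla/5.0",                          # normal redirect to login
    "2026-04-28T10:00:09Z\t203.0.113.5\tGET\t/whm/\t200\tcpsession=SESSIONPLACEHOLDER\tMozilla/5.0",  # authenticated admin
    "2026-04-28T10:01:30Z\t203.0.113.7\tGET\t/json-api/listaccts\t200\t-\tpython-requests/2.31",      # no session, 200: flag
    "2026-04-28T10:02:00Z\t203.0.113.9\tGET\t/whm/\t200\t-\tuptime-probe/1.0",                        # allowlisted probe
    "2026-04-28T10:02:15Z\t203.0.113.5\tGET\t/index.html\t200\t-\tMozilla/5.0",                       # not an admin path
    "2026-04-28T10:03:40Z\t203.0.113.7\tPOST\t/json-api/createacct\t401\t-\tpython-requests/2.31",    # rejected, not a success
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"ALERT {hit.time} {hit.client} {hit.method} {hit.uri} status={hit.status} ua={hit.user_agent}")
```

Only the third record fires: the redirect, the cookied request, the allowlisted probe, the non-admin path and the 401 all fall out on one condition each, which is exactly the layering the Sigma `condition` line expresses.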

CySA+ Exam Practice Questions

Five questions. Mix of difficulty. Answers and explanations below.

Question 1. A new CVE published this morning carries a CVSS v3.1 base score of 4.3 and is listed on the CISA KEV catalog. A separate CVE from last week scores 9.1 on CVSS but is not on KEV and has no public PoC. Which should the SOC patch first?

  A. The 9.1 CVE, because higher CVSS indicates higher severity.
  B. The 4.3 CVE, because KEV listing indicates confirmed in-the-wild exploitation.
  C. Both at the same time.
  D. Neither — wait for vendor recommendations.

Question 2. A vulnerability has CVSS 10.0 but EPSS 0.02. What is the most likely interpretation?

  A. The EPSS score is wrong; CVSS is the authoritative metric.
  B. The vulnerability is severe if exploited but currently has low predicted exploitation probability.
  C. The vulnerability has been patched and EPSS reflects that.
  D. CVSS and EPSS measure the same thing, so the data is contradictory.

Question 3. CVE-2026-41940 is being exploited in the wild. An attacker uses the auth bypass to mint an admin session, then creates a new administrative account on the cPanel host. Which two MITRE ATT&CK techniques best describe this sequence?

  A. T1190 (Exploit Public-Facing Application) and T1136 (Create Account)
  B. T1059 (Command and Scripting Interpreter) and T1078 (Valid Accounts)
  C. T1566 (Phishing) and T1204 (User Execution)
  D. T1486 (Data Encrypted for Impact) and T1490 (Inhibit System Recovery)

Question 4. Your vulnerability scanner outputs the following for two findings on the same internet-facing server:

  • Finding A: CVE-2026-32202, CVSS 4.3, KEV-listed, EPSS 0.71
  • Finding B: CVE-2024-XXXXX, CVSS 9.8, not on KEV, EPSS 0.04

Which finding has the strongest argument for emergency patching?

  A. Finding A — KEV plus elevated EPSS plus internet exposure indicates active exploitation risk despite the lower CVSS.
  B. Finding B — CVSS 9.8 always wins over CVSS 4.3.
  C. Neither — CVSS below 7 should not trigger emergency response.
  D. Both equally — CVSS is the only metric that matters.

Question 5. A SOC analyst writes a Sigma rule to detect post-exploitation activity for CVE-2026-41940. The rule fires on parent_process=httpd, child_process=bash, command_contains=wget. Which MITRE technique most directly maps to what this rule detects?

  A. T1190 (Exploit Public-Facing Application)
  B. T1059.004 (Command and Scripting Interpreter: Unix Shell)
  C. T1078 (Valid Accounts)
  D. T1486 (Data Encrypted for Impact)


Answers:

  1. B. KEV indicates confirmed in-the-wild exploitation — the strongest signal regardless of CVSS. The 9.1 with no PoC and no KEV is theoretical; the 4.3 on KEV is provably weaponized.

  2. B. CVSS measures intrinsic severity; EPSS measures 30-day exploitation probability. They answer different questions and can legitimately diverge.

  3. A. T1190 covers the initial exploitation of the public-facing HTTP interface; T1136 covers creating the new admin account. T1078 is also defensible but T1136 is more precisely tied to the action described.

  4. A. Internet exposure + KEV + EPSS 0.71 = active, weaponized risk. CVSS 9.8 with EPSS 0.04 and no KEV is worse-on-paper, less-urgent-in-practice.

  5. B. httpd → bash → wget describes post-exploitation command execution — a webshell or RCE primitive spawning a Unix shell to fetch payloads. T1059.004 is the precise mapping; T1190 is the preceding initial-access step, not what this rule fires on.

What This Means for Your Study Plan

Real CVEs beat canned exam-prep questions because they force you to combine signals. Use this systematically:

  1. Pick a fresh KEV addition each week. Pull the CVE, read the NVD entry, look up EPSS, map to ATT&CK, and write a 200-word triage memo.
  2. Practice the vector string. Open the FIRST.org CVSS calculator. Build the vector for both CVEs above, then change one metric at a time and watch the score move.
  3. Use ATT&CK Navigator. Build a layer per CVE — pin techniques, color-code by tactic.
  4. Read detection rules from Sigma’s open repo, Microsoft’s KQL hunts, and Splunk Security Content. Pattern recognition is testable.

Resources: NVD, CISA KEV, FIRST EPSS, ATT&CK Navigator, CISA BOD 22-01.

CySA+ is a stepping stone. The muscles you build for CS0-003 carry into Security+, PenTest+, CASP+, and the SOC job the cert qualifies you for. Both CVEs here will look quaint by exam day — but the reasoning pattern stays current as long as CVSS, EPSS, and KEV exist.
