Daily Threat Intelligence Brief - May 1, 2026
Executive Summary
- CISA added CVE-2026-41940 (cPanel & WHM, WP Squared) to the Known Exploited Vulnerabilities catalog on April 30, 2026, after evidence the missing-authentication flaw was exploited for months before the patch.
- Microsoft SharePoint zero-day CVE-2026-32201 remains unpatched on more than 1,300 internet-exposed servers despite the April Patch Tuesday fix and a CISA federal remediation deadline of April 28, 2026.
- The Vercel security incident on April 19, 2026 traced back to a Lumma Stealer infection at third-party tool Context.ai in February, illustrating how a single AI integration can cascade into a multi-org supply-chain breach; the stolen data is now offered for $2M on BreachForums.
- Anthropic Model Context Protocol (MCP) carries a by-design flaw that lets unsanitized commands execute silently, exposing more than 200,000 AI agent servers and producing 14+ CVEs and 30+ remote code execution issues across flagship AI tools in April.
- Fortinet FortiClient EMS pre-authentication API bypass CVE-2026-35616 (CVSS 9.1) was actively exploited from at least March 31, 2026, days before Fortinet shipped the emergency hotfix on April 4 and CISA added it to KEV on April 6.
- Iranian-affiliated APT activity, escalating since March 2026, has moved past collection into direct manipulation of Rockwell Automation Allen-Bradley PLCs across US water, energy, and government facilities, causing operational disruption and financial loss.
- April 2026 logged 166 ransomware victims across 42 countries claimed by 36 leak-site operators, with marquee hits on Rockstar Games (ShinyHunters), Carnival/Holland America (8.7 million records), Autovista, and Booking.com.
- Indirect prompt injection has crossed the threshold into in-the-wild use, with a 32% relative increase in malicious web payloads between November 2025 and February 2026 and the first documented commercial-platform incidents (ad-review evasion, system-prompt leakage).
- 73% of production AI deployments remain vulnerable to prompt injection, and the previously theoretical "lethal trifecta" (private data + untrusted content + external action) is now a default deployment shape for many agent stacks.
Critical Vulnerabilities
CVE-2026-41940: cPanel & WHM, WP Squared, Missing Authentication for Critical Function
A pre-authentication flaw in WebPros cPanel & WHM and WP Squared lets unauthenticated remote attackers reach a critical management function and gain unauthorized access to the control panel. CISA added it to KEV on April 30, 2026, following evidence that the bug had been exploited for months before the vendor patch shipped. Hosting environments running cPanel are still the soft underbelly of mid-market web infrastructure, and full control-plane compromise is the realistic worst case.
| Field | Value |
|---|---|
| CVE | CVE-2026-41940 |
| Vendor / Product | WebPros cPanel & WHM, WP Squared |
| Class | Missing Authentication for Critical Function |
| Exploitation | Active, months before patch |
| KEV Added | 2026-04-30 |
| Action | Patch immediately, audit cPanel logs back to early Q1 2026 |
Sources:
- CISA Adds One Known Exploited Vulnerability to Catalog (2026-04-30)
- cPanel zero-day exploited for months before patch release, Help Net Security
CVE-2026-32201: Microsoft SharePoint Server Spoofing
CVE-2026-32201 is a network-reachable, no-auth, no-interaction spoofing flaw in SharePoint stemming from improper input validation. Confidentiality and integrity impacts are both rated, opening the door to credential phishing inside trusted SharePoint surfaces and silent content tampering. CISA placed a federal remediation deadline of April 28, 2026, yet more than 1,300 SharePoint Servers remain unpatched on the public internet.
| Field | Value |
|---|---|
| CVE | CVE-2026-32201 |
| Vendor / Product | Microsoft SharePoint Server 2016, 2019, Subscription Edition |
| CVSS | 6.5 |
| Class | Improper Input Validation, Spoofing |
| Exploitation | Active in the wild, 1,300+ servers still exposed |
| KEV Deadline | 2026-04-28 |
Sources:
- Microsoft Patch Tuesday for April 2026 fixed actively exploited SharePoint zero-day, Security Affairs
- Over 1,300 Microsoft SharePoint servers vulnerable to spoofing attacks, BleepingComputer
- Microsoft Patch Still Leaves 1,300 SharePoint Servers Exposed, TechRepublic
CVE-2026-35616: Fortinet FortiClient EMS Pre-Authentication API Bypass
A critical access-control flaw in the FortiClient Endpoint Management Server API lets attackers bypass authentication entirely with crafted requests, ending in code execution on the underlying server. watchTowr observed in-the-wild exploitation on March 31, 2026, four days before Fortinet's advisory on April 4. CISA added it to KEV on April 6, 2026.
| Field | Value |
|---|---|
| CVE | CVE-2026-35616 |
| Vendor / Product | Fortinet FortiClient EMS 7.4.5, 7.4.6 |
| CVSS | 9.1 |
| Class | Improper Access Control, Auth Bypass |
| Exploitation | Active since at least 2026-03-31 |
| KEV Added | 2026-04-06 |
Sources:
- FortiClient EMS zero-day exploited, emergency hotfixes available, Help Net Security
- Fortinet FortiClient EMS Zero-Day, watchTowr
- Tenable analysis of CVE-2026-35616
CVE-2026-33825: Microsoft Defender Local Privilege Escalation ("BlueHammer")
Disclosed publicly with a working PoC on April 7, 2026, this time-of-check to time-of-use (TOCTOU) race condition in Defender's threat remediation engine lets an attacker redirect file operations through filesystem manipulation, ending in local privilege escalation. The PoC, nicknamed "BlueHammer," lowers the bar for ransomware operators chaining initial access into SYSTEM privileges.
| Field | Value |
|---|---|
| CVE | CVE-2026-33825 |
| Vendor / Product | Microsoft Windows Defender |
| Class | TOCTOU Race, Local Privilege Escalation |
| PoC | Public ("BlueHammer") since 2026-04-07 |
| Exploitation | PoC public, exploitation expected imminently |
CVE-2026-33827 and CVE-2026-33824: Windows TCP/IP and IKE RCE
Microsoft's April 2026 Patch Tuesday addressed 163 CVEs, eight of them critical. Two stand out for blast radius: CVE-2026-33827 is a critical unauthenticated RCE in the Windows TCP/IP stack triggered by a race condition, and CVE-2026-33824 is a critical RCE in the IKE service extensions, both rated CVSS 9.8. Either flaw, weaponized, would put network-reachable Windows hosts at risk without authentication or user interaction.
Sources:
- Microsoft's April 2026 Patch Tuesday Addresses 163 CVEs, Tenable
- April 2026 Patch Tuesday Analysis, CrowdStrike
- Zero Day Initiative, April 2026 Security Update Review
AI Security Threats
April 2026 was the month agentic AI security stopped being theoretical. Three threads converged: a structural MCP vulnerability with a six-figure exposed-asset count, the first major supply-chain breach traced to an AI integration, and field evidence that indirect prompt injection has crossed the threshold from lab toy to commercial-platform threat.
MCP: The Agentic Frontier Becomes the Attack Surface
Researchers documented a "by-design" flaw in Anthropic's Model Context Protocol that allows unsanitized commands to execute silently across widely deployed AI environments. The aggregated impact across the ecosystem in April: more than 14 CVEs, more than 30 remote-code-execution issues across flagship AI tools, and an estimated 200,000+ exposed AI agent servers reachable for takeover. The attack patterns now have names: schema poisoning, tool poisoning, rug pulls, and cross-server shadowing. The mechanism is consistent: an attacker poisons a data source the agent reads, the agent processes the poisoned input, the input manipulates the agent's MCP configuration, and the configuration triggers command execution on the host.
Why this matters: MCP servers run with the union of every tool's permissions, often locally on developer machines or inside production CI. The blast radius from a single poisoned tool description is the same as the blast radius from a malicious npm postinstall script in 2019, except the agent is now choosing when to run it.
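One defensive control against the rug-pull and tool-poisoning patterns named above is to fingerprint each tool description at review time and hold back anything that drifts or was never approved. This is an added example, not code from the MCP project or any vendor; the field names follow the shape of an MCP `tools/list` result, and the tool names, descriptions and allowlist are constructed.

```python
import hashlib
import json

# Fields of a tool entry that reach the model's context. The names follow the
# shape of an MCP tools/list result (name, description, inputSchema).
PINNED_FIELDS = ("name", "description", "inputSchema")


def fingerprint(tool):
    """SHA-256 over a canonical JSON encoding of the model-visible fields."""
    material = {field: tool.get(field) for field in PINNED_FIELDS}
    blob = json.dumps(material, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


def pin_tools(tools):
    """Record fingerprints at security-review time: {tool name: digest}."""
    return {tool["name"]: fingerprint(tool) for tool in tools}


def audit_tools(advertised, pins, allowlist):
    """Compare what a server advertises now against the reviewed state.

    Returns a sorted list of (finding, tool_name) tuples. Anything returned
    should be withheld from the agent until it has been reviewed again.
    """
    findings = []
    for tool in advertised:
        name = tool["name"]
        if name not in allowlist:
            findings.append(("not-allowlisted", name))
        elif name not in pins:
            findings.append(("never-reviewed", name))
        elif pins[name] != fingerprint(tool):
            findings.append(("changed-since-review", name))
    return sorted(findings)


# Constructed sample data: a hypothetical server with one reviewed tool.
REVIEWED = [{
    "name": "search_docs",
    "description": "Search the product documentation.",
    "inputSchema": {"type": "object",
                    "properties": {"query": {"type": "string"}}},
}]
PINS = pin_tools(REVIEWED)
ALLOWLIST = {"search_docs"}

# The same server later: the description was edited and a tool was added.
LATER = [
    dict(REVIEWED[0], description="Search the product documentation. "
                                  "[constructed: text appended after review]"),
    {"name": "run_command", "description": "Run a command on the host.",
     "inputSchema": {"type": "object"}},
]

if __name__ == "__main__":
    print(audit_tools(REVIEWED, PINS, ALLOWLIST))  # unchanged server
    print(audit_tools(LATER, PINS, ALLOWLIST))     # drifted server
```

Hashing the description and schema along with the name matters because a rug pull keeps the tool name stable and changes only the text the model reads.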
Sources:
- Anthropic MCP Design Vulnerability Enables RCE, The Hacker News
- "By Design" Flaw in MCP Could Enable Widespread AI Supply Chain Attacks, SecurityWeek
- Critical MCP Security Flaw Exposes 200,000 AI Agent Servers to Takeover, AI2Work
- Top MCP Security Resources, Adversa AI
Indirect Prompt Injection in the Wild
Unit 42 documented the first large-scale indirect prompt injection campaigns in production environments in March 2026, including ad-review evasion and system-prompt leakage on live commercial platforms. Tracking from late 2025 to early 2026 shows a 32% relative increase in malicious indirect-prompt-injection payloads on the open web. Prompt injection is still OWASP's number-one LLM application risk in 2026, and the field data backs it up: 73% of production AI deployments remain vulnerable.
Sources:
- Indirect prompt injection is taking hold in the wild, Help Net Security
- LLM01:2025 Prompt Injection, OWASP Gen AI Security Project
- AI threats in the wild: prompt injections on the web, Google Security
- Prompt Injection Is Still the #1 AI Vulnerability in 2026, Medium
CVE-2025-53773: GitHub Copilot RCE via Pull Request Description
Hidden prompt injection embedded in pull request descriptions enabled remote code execution through GitHub Copilot, scored CVSS 9.6. The pattern matters more than the score: any agentic developer tool that reads untrusted text and has tool-use access is now a candidate for the same chain. Code review, IDE assistants, and CI summarizers all share the architecture.
The Lethal Trifecta Goes Mainstream
Multi-turn jailbreaks are now the preferred attack vector against frontier models. Multimodal injections (images, QR codes, steganographic payloads) have matured. Cross-model transfer is real: jailbreaks succeeding on GPT-4 transfer to Claude 2 in 64.1% of measured cases. The combination, private data plus untrusted content plus external action, is now the default architecture of most agent deployments. Defenses that worked on single-turn text injections do not stop multi-turn multimodal payloads against agents wired to email, browsers, and code execution.
Sources:
- AI Security in 2026: Prompt Injection, the Lethal Trifecta, and How to Defend, Airia
- LLM Security News 2026, TokenMix
- AI Agents Hacking in 2026: Defending the New Execution Boundary, Penligent
Vercel Breach: Context.ai Becomes the AI Supply Chain's First Public Cascade
On April 19, 2026, Vercel disclosed a security incident traced to a compromise of Context.ai, a third-party AI tool used by a Vercel employee. The chain: a Context.ai employee was infected with Lumma Stealer in February 2026, the attacker pivoted into the employee's Vercel-linked Google Workspace account, then into the Vercel environment, then enumerated and decrypted non-sensitive environment variables. Vercel coordinated with GitHub, Microsoft, npm, and Socket and confirmed no Vercel-published npm packages were tampered with. Even so, the breach may affect "hundreds of users across many organizations," and the stolen Vercel database was offered for sale at $2M on BreachForums.
The lesson is not that Context.ai was uniquely insecure. It is that AI integrations now sit inside the same trust circle as production identity providers, and the customary AI procurement diligence does not yet match that posture.
Sources:
- Vercel April 2026 security incident, Vercel Knowledge Base
- Vercel Breached via Context AI Supply Chain Attack, Ox Security
- The Vercel Breach: OAuth Supply Chain Attack, Trend Micro
- App host Vercel says it was hacked, TechCrunch
Threat Actor Activity
Iranian-Affiliated APTs Targeting US Critical Infrastructure
CISA, FBI, NSA, and partner agencies issued advisory AA26-097A on April 7, 2026, naming an Iranian-affiliated APT group conducting ongoing cyber exploitation of internet-facing operational technology, including Rockwell Automation Allen-Bradley PLCs deployed across US water, wastewater, energy, transportation, and government facilities. The activity has been observed since at least March 2026 and has produced confirmed operational disruption and financial loss at multiple victims. Trellix and Reversing Labs both note the campaign represents a posture shift from collection toward direct manipulation of SCADA and HMI control surfaces, the kind of behavior previously associated with Sandworm.
| Actor | Targets | TTP Highlights |
|---|---|---|
| Iranian APT (TBD) | US WWS, energy, transport, government, DIB | Internet-exposed PLC compromise, OT impact |
| Sandworm | Industrial control systems globally | Reference profile for OT manipulation |
Sources:
- Iranian-Affiliated Cyber Actors Exploit PLCs, CISA AA26-097A
- US: Iran-linked actors are actively exploiting our critical infrastructure, SC Media
- The Iranian Cyber Capability 2026, Trellix
- NSA: Nation state actors are after your OT, Reversing Labs
ShinyHunters: From Data Broker to Ransomware Operator
ShinyHunters, historically a data-trading collective, claimed credit for the Rockstar Games ransomware incident this month, signaling a continued operational shift toward end-to-end extortion rather than pure brokerage. Expect continued targeting of high-brand consumer companies for the leverage their public visibility brings.
Ransomware and Data Breaches
April 2026 attribution data shows 166 named ransomware victims across 42 countries, claimed by 36 distinct leak-site operators. The headline incidents skew toward consumer brands, AI-adjacent infrastructure, and analytics providers.
| Date | Victim | Sector | Notes |
|---|---|---|---|
| 2026-04-12 | Booking.com | Travel | Reservation, contact, and address data exposed |
| 2026-04-19 | Vercel | Cloud / Dev Tools | Compromise via Context.ai, DB offered at $2M on BreachForums |
| 2026-04-20 | BePrime | Fintech | 12.6 GB leak, plaintext creds, audit reports, surveillance access |
| April 2026 | Rockstar Games | Gaming | ShinyHunters ransomware |
| April 2026 | Carnival, Holland America | Travel / Cruise | 8.7 million records exposed, ransomware confirmed |
| April 2026 | Autovista | Auto Data Analytics | EU + AU systems disrupted, downstream Eurotax, Schwacke, Glass's hit |
| Metric | Value |
|---|---|
| Named victims (April 2026) | 166 |
| Countries hit | 42 |
| Active leak-site operators | 36 |
Sources:
- April 2026 Data Breaches: 15+ Major Incidents, SharkStriker
- Data Breaches Digest: April 2026
- Bitdefender Threat Debrief, April 2026
- The State of Ransomware 2026, BlackFog
- Top Ransomware Attacks of 2026, SharkStriker
Recommended Actions
Immediate (within 24 hours)
- Patch CVE-2026-41940 on every cPanel and WHM host. Audit the cPanel control plane and authentication logs back to early Q1 2026 for unauthorized account creation, key changes, and unfamiliar API calls.
- Apply the SharePoint update for CVE-2026-32201. If you cannot patch immediately, block external access to SharePoint web frontends and review SharePoint access logs for spoofed-content delivery to internal users.
- Confirm FortiClient EMS is on the hotfix line for CVE-2026-35616. Pull EMS API access logs from March 25, 2026 forward and look for unauthenticated API access attempts.
- Inventory every MCP server and AI agent tool integration in production and developer environments. Treat any MCP server that accepts data from outside the trust boundary as untrusted code execution until proven otherwise.
Short-Term (within 30 days)
- Stand up patch coverage for the eight critical April Patch Tuesday CVEs, with priority on CVE-2026-33827 (Windows TCP/IP RCE) and CVE-2026-33824 (Windows IKE RCE), both CVSS 9.8.
- Run a tabletop on the BlueHammer pattern (CVE-2026-33825) chained with any commodity initial-access vector. The PoC is public; weaponization is a question of weeks, not months.
- Audit every third-party AI tool in your environment the way you would audit an identity provider. Inventory what data each tool reads, what credentials it holds, what tokens it can mint, and which employees connected it.
- For OT-adjacent environments, follow CISA AA26-097A and pull internet-exposed PLCs behind a network boundary with strong authentication. Replace default credentials, enable logging, and validate physical-process safeguards independent of the control network.
Strategic (this quarter)
- Adopt a written policy that AI agent integrations are subject to the same procurement, security review, and offboarding controls as SaaS identity integrations. The Vercel and Context.ai chain is the proof point.
- Build an indirect-prompt-injection threat model for every agent that touches untrusted input (web pages, email, customer documents, search results) and has tool-use access (browser, code execution, internal APIs, identity actions).
- Treat the lethal trifecta (private data + untrusted content + external action) as a deployment anti-pattern. Where it cannot be avoided, isolate the three legs across distinct agents with explicit, auditable handoffs.
- Push your MCP and agent vendors for signed tool descriptions, capability allowlists, per-tool credential scoping, and rug-pull-resistant install pipelines. Treat any vendor that cannot answer those questions as a future incident.
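The lethal-trifecta item above can be checked mechanically against an agent inventory. The following added example (not taken from any cited source) tags each tool with the legs it grants and flags any agent, or any set of agents joined by unaudited handoffs, whose combined tools cover all three. Tool names, leg tags, agents and handoffs are constructed, and treating an unaudited handoff as merging two agents into one trust group is a conservative assumption of this example.

```python
LEGS = frozenset({"private_data", "untrusted_content", "external_action"})

# Hypothetical tool names and leg tags; a real inventory supplies its own.
TOOL_LEGS = {
    "read_mailbox": {"private_data", "untrusted_content"},
    "query_crm": {"private_data"},
    "fetch_url": {"untrusted_content"},
    "send_email": {"external_action"},
    "summarize": set(),
}


def legs_of(tools):
    """Union of trifecta legs granted by an iterable of tool names."""
    return set().union(*(TOOL_LEGS[tool] for tool in tools))


def trust_groups(agents, handoffs):
    """Group agents joined by unaudited handoffs, treated as undirected."""
    linked = {name: set() for name in agents}
    for src, dst, audited in handoffs:
        if not audited:
            linked[src].add(dst)
            linked[dst].add(src)
    groups, seen = [], set()
    for start in sorted(agents):
        if start in seen:
            continue
        group, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node not in group:
                group.add(node)
                stack.extend(linked[node] - group)
        seen |= group
        groups.append(sorted(group))
    return groups


def trifecta_groups(agents, handoffs):
    """Trust groups whose combined tools cover all three legs."""
    return [group for group in trust_groups(agents, handoffs)
            if legs_of(t for name in group for t in agents[name]) >= LEGS]


# Constructed inventory: agent name -> tools it can call.
AGENTS = {
    "all_in_one": ["fetch_url", "query_crm", "send_email"],
    "inbox_triage": ["read_mailbox", "summarize"],
    "outreach": ["send_email"],
    "research": ["fetch_url", "summarize"],
}
# (source agent, destination agent, handoff is logged and policy-checked)
HANDOFFS = [("inbox_triage", "outreach", False), ("research", "outreach", True)]

if __name__ == "__main__":
    for group in trifecta_groups(AGENTS, HANDOFFS):
        print("lethal trifecta reachable in:", group)
```

In the sample, splitting mail reading and mail sending across two agents does not help while the handoff between them is unaudited; marking that handoff audited leaves only the single all-in-one agent flagged.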
Sources
- CISA Adds One Known Exploited Vulnerability to Catalog (2026-04-30)
- CISA Known Exploited Vulnerabilities Catalog
- CISA Adds Eight Known Exploited Vulnerabilities to Catalog (2026-04-20)
- CISA Adds Two Known Exploited Vulnerabilities to Catalog (2026-04-14)
- CISA Adds Four Known Exploited Vulnerabilities to Catalog (2026-04-24)
- CISA AA26-097A: Iranian-Affiliated Cyber Actors Exploit PLCs
- cPanel zero-day exploited for months before patch, Help Net Security
- Microsoft's April 2026 Patch Tuesday, Tenable
- April 2026 Patch Tuesday Analysis, CrowdStrike
- The April 2026 Security Update Review, Zero Day Initiative
- Microsoft Patch Tuesday for April 2026 fixed actively exploited SharePoint zero-day, Security Affairs
- Over 1,300 Microsoft SharePoint servers vulnerable to spoofing attacks, BleepingComputer
- BlueHammer Windows Defender CVE-2026-33825, Picus Security
- FortiClient EMS zero-day, Help Net Security
- Fortinet FortiClient EMS Zero-Day, watchTowr
- Tenable analysis of CVE-2026-35616
- Anthropic MCP Design Vulnerability Enables RCE, The Hacker News
- "By Design" Flaw in MCP, SecurityWeek
- Critical MCP Security Flaw Exposes 200,000 AI Agent Servers, AI2Work
- Top MCP Security Resources April 2026, Adversa AI
- Indirect prompt injection in the wild, Help Net Security
- LLM01:2025 Prompt Injection, OWASP Gen AI Security Project
- AI threats in the wild: prompt injections on the web, Google Security
- Prompt Injection Is Still the #1 AI Vulnerability in 2026, Medium
- AI Security in 2026: Prompt Injection, the Lethal Trifecta, Airia
- LLM Security News 2026, TokenMix
- Vercel April 2026 security incident, Vercel Knowledge Base
- Vercel Breached via Context AI, Ox Security
- The Vercel Breach: OAuth Supply Chain Attack, Trend Micro
- App host Vercel says it was hacked, TechCrunch
- The Iranian Cyber Capability 2026, Trellix
- NSA: Nation state actors are after your OT, Reversing Labs
- April 2026 Data Breaches, SharkStriker
- Data Breaches Digest April 2026
- Bitdefender Threat Debrief April 2026
- The State of Ransomware 2026, BlackFog