Daily Threat Intelligence Brief - May 6, 2026
Executive Summary
- CISA added CVE-2026-31431 ("Copy Fail"), a Linux kernel local privilege escalation flaw in the AF_ALG crypto interface, to the Known Exploited Vulnerabilities catalog on May 1, 2026, with a federal patch deadline of May 15, 2026. The flaw enables root on virtually every distribution shipping kernels from 2017 onward, including Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, and SUSE 16.
- CVE-2026-41940, a critical authentication bypass in cPanel and WHM (CVSS 9.8), is being weaponized against government and MSP networks. Roughly 1.5 million internet-exposed cPanel instances remain in scope. Evidence shows in-the-wild exploitation as early as February 23, 2026, more than two months before public disclosure on April 28, 2026.
- OX Security disclosed a "by-design" arbitrary command execution flaw in Anthropic's Model Context Protocol (MCP) reference SDKs that affects more than 200,000 deployed servers and over 7,000 public packages totaling 150 million downloads, posing a systemic AI agent supply-chain risk.
- Salt Typhoon, the China-linked telecom-targeting APT, remains active per FBI guidance issued in February 2026, with a confirmed January 2026 intrusion into U.S. House Committee staff email accounts focused on national security.
- Iranian APT activity targeting Rockwell Automation Allen-Bradley PLCs in U.S. energy, water, and government environments has caused real disruption, including HMI and SCADA tampering.
- APT36 became the first publicly documented nation-state actor to operate AI as a polymorphic malware assembly line, accelerating variant production. The fastest 2026 campaigns are now reaching exfiltration in 72 minutes, four times faster than 2025.
- Qilin ransomware claimed responsibility for a breach of General Hardware on May 5, 2026, and remained the highest-volume ransomware operator globally as of Q1 2026, followed by The Gentlemen.
- OWASP continues to rank prompt injection (LLM01) as the top GenAI risk for 2026, with researchers documenting the first large-scale indirect prompt injection attacks in the wild during March 2026.
Critical Vulnerabilities
CVE-2026-31431: Linux Kernel "Copy Fail" Local Privilege Escalation
A logic bug in the Linux kernel's algif_aead AEAD socket interface (AF_ALG) lets an unprivileged local user perform a deterministic 4-byte write into the page cache of any readable file, which the attacker chains into an in-memory replacement of executable bytes used by a privileged process to escalate to root. CVSS 7.8. CWE-699 (Incorrect Resource Transfer Between Spheres). Researchers at Theori and Xint published a 732-byte Python proof-of-concept that produces root on Ubuntu, Amazon Linux, RHEL, and SUSE without races, retries, or kernel modules.
Kernel scope: every kernel from 2017 onward until patched. Fixes shipped in 6.18.22, 6.19.12, and 7.0. Distribution updates are available from Ubuntu, AlmaLinux, CloudLinux, and SUSE.
Risk profile: highest in containerized and multi-tenant environments. The exploit needs no kernel modules and no network access, making it a near-ideal post-exploitation primitive in Kubernetes clusters and Docker CI runners.
CISA KEV: added May 1, 2026. FCEB remediation deadline May 15, 2026.
CVE-2026-41940: cPanel and WHM Authentication Bypass
CVSS 9.8 authentication bypass caused by CRLF injection in the login and session-loading flow of cPanel and WHM. An unauthenticated attacker injects crafted lines into a pre-authentication session file. When cpsrvd re-parses the file, the injected lines become top-level entries (including user=root), promoting the session to a fully authenticated root session without password or 2FA.
Affected versions: all supported cPanel and WHM releases after 11.40, plus WP Squared. Patched in 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5.
Exposure: internet scans identified roughly 1.5 million internet-facing cPanel instances. Exploitation in the wild predates public disclosure by approximately two months.
Mitigation: patch immediately. If patching cannot occur, block inbound 2083, 2087, 2095, and 2096 at the perimeter and rotate any credentials reachable from the cPanel host.
Anthropic MCP Reference SDK: Arbitrary Command Execution by Design
OX Security researchers reported in May 2026 that Anthropic's MCP reference implementation, across Python, TypeScript, Java, and Rust SDKs, executes operating system commands via the default STDIO transport without sanitization or validation. Any server or client built directly on the reference SDK inherits arbitrary command execution behavior. Roughly 200,000 deployed MCP servers and more than 7,000 public packages (150 million combined downloads) are affected.
Why it matters: MCP is the connective tissue between LLM agents and local tooling. A weaponized MCP server, or a manipulated marketplace package, can hand an agent the ability to issue host commands without privilege boundaries. This is a supply-chain-class issue, not a single bug.
Recommended controls: deprecate unsanitized STDIO connectors, sandbox commands at the protocol layer, and require marketplace verification or signing of MCP packages before allowing agent installation.
Other Notable CVEs
- CVE-2026-39808 (Fortinet FortiSandbox 4.4.0 to 4.4.8): unauthenticated OS command injection via crafted HTTP requests. Patched in the April 14, 2026 PSIRT bundle.
- CVE-2026-35616 (Fortinet FortiClient EMS): improper access control, CVSS 9.1, unauthenticated code execution.
- CVE-2026-24858 (Fortinet FortiCloud SSO): authentication bypass disclosed in 2026, with regression patterns familiar from prior FortiCloud incidents.
AI Security Threats
The 2026 AI security picture is defined by three structural problems: prompt injection that the underlying model architecture cannot fully solve, agentic tool-use frameworks like MCP that hand attackers a supply chain, and nation-state operators using LLMs to industrialize malware production. None of these are theoretical anymore.
Prompt Injection at Production Scale
OWASP retains LLM01 (Prompt Injection) as the top GenAI risk for 2026. The UK National Cyber Security Centre stated in late 2025 that prompt injection "may be a problem that is never fully fixed" because LLMs cannot reliably distinguish instructions from data at the model level. In March 2026, Unit 42 documented the first large-scale indirect prompt injection campaigns observed in the wild, including ad-review evasion and system prompt leakage on live commercial platforms. Around the same period, a major incident targeting multiple Mexican federal government systems involved an attacker using Claude to identify vulnerabilities across agencies, validating the operational risk of LLM-assisted offensive workflows.
CVE-2025-53773, disclosed in 2026 with a CVSS of 9.6, demonstrated that hidden prompt injection in pull request descriptions could trigger remote code execution through GitHub Copilot. The vulnerability illustrates the recurring pattern: untrusted text reaches a context window, the model treats it as instruction, and a connected tool turns instruction into action.
MCP and Agent Supply Chain
The MCP design flaw described above is the most consequential agentic AI disclosure of the year so far. Beyond the reference SDK issue, researchers continue to document MCP-specific attack classes including tool poisoning (a malicious tool description that hijacks an agent's intent), schema confusion, and hidden tool selection across competing servers. The "lethal trifecta" framing (untrusted input, sensitive data access, and external action capability) maps directly onto how most production agents are built today.
Agent Hardening Priorities for May 2026
- Deny network egress from agent runtimes by default. Allow-list outbound destinations on a per-tool basis.
- Treat every retrieved document, web page, email, and ticket as untrusted user input regardless of source.
- Run agent tools in least-privilege sandboxes. Strip ambient credentials. Require explicit signing of any MCP package before installation.
- Log every tool call with structured arguments. Alert on first-time tool invocations and anomalous argument shapes.
- Separate the agent's "plan" channel from its "execute" channel. Require human or policy approval for irreversible actions.
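The egress allow-listing, structured tool-call logging, and first-time and anomalous-argument alerting called for above (and the protocol-layer sandboxing recommended for MCP connectors earlier in this brief), as an added example that is not part of the original brief or of any MCP SDK. It is a framework-neutral policy gate in Python; the tool names, hosts and argument schemas are constructed for illustration.

```python
import json
import time
from urllib.parse import urlparse

# Per-tool egress allow-list: the only destination hosts each tool may reach.
# Tool names and hosts here are constructed for the example.
EGRESS_ALLOWLIST = {
    "fetch_ticket": {"tickets.example.internal"},
    "read_file": set(),  # tool has no legitimate network use: all egress denied
}


class ToolCallGuard:
    """Default-deny egress, structured audit log, first-use and argument-shape alerts."""

    def __init__(self, allowlist):
        self.allowlist = allowlist
        self.seen_shapes = {}  # tool name -> set of argument shapes observed so far
        self.audit_log = []    # one structured record per call, allowed or not

    @staticmethod
    def shape(args):
        # An argument "shape" is the sorted set of (key, value type) pairs;
        # a new key or a type change for a known tool is flagged as anomalous.
        return tuple(sorted((k, type(v).__name__) for k, v in args.items()))

    def check(self, tool, args):
        alerts = []
        if tool not in self.seen_shapes:
            alerts.append(f"first-time tool invocation: {tool}")
        sh = self.shape(args)
        known = self.seen_shapes.setdefault(tool, set())
        if known and sh not in known:
            alerts.append(f"anomalous argument shape for {tool}: {sh}")
        known.add(sh)
        # Egress: every URL-like argument must name an allow-listed host for this
        # tool; anything else is denied before the tool runs (default deny).
        decision = "allow"
        for value in args.values():
            if isinstance(value, str) and "://" in value:
                host = urlparse(value).hostname or ""
                if host not in self.allowlist.get(tool, set()):
                    decision = "deny"
                    alerts.append(f"egress to {host!r} not allow-listed for {tool}")
        record = {"ts": time.time(), "tool": tool, "args": args, "decision": decision, "alerts": alerts}
        self.audit_log.append(record)
        return decision, alerts

    def export_jsonl(self):
        # Audit log as JSON lines, ready to ship to the SIEM.
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.audit_log)
```

Wire `check()` in front of the agent's tool dispatcher so a "deny" decision stops the call and every record, allowed or not, reaches telemetry.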
AI Used for Offense by Nation States
APT36, per industry reporting, is the first nation-state actor publicly tied to using AI as a continuous malware assembly line, producing polymorphic variants on demand. The broader 2026 trend is convergence: nation-state actors operate with cybercriminal tradecraft, criminal infrastructure is leveraged for espionage, and AI shortens the time between intent and capability. Defenders should plan for shorter dwell times. The fastest campaigns of 2026 are reaching exfiltration in 72 minutes from initial access.
Threat Actor Activity
Salt Typhoon (China, MSS-linked)
Salt Typhoon has compromised more than 200 targets in over 80 countries between 2023 and 2026 across telecommunications, government, and critical infrastructure. The group breached major U.S. carriers in 2024 and continued operating against Western government targets through 2025 and 2026. The FBI confirmed in February 2026 that Salt Typhoon operations remain active. In January 2026, the group successfully accessed email accounts belonging to U.S. House Committee staff working on national-security-related committees. Initial access continues to rely heavily on basic configuration errors and unpatched known CVEs at the network edge.
Volt Typhoon (China)
Volt Typhoon remains focused on pre-positioning inside U.S. critical infrastructure. The group's stated objective, per U.S. and Australian government assessments, is to maintain options for disruptive action against communications and energy infrastructure during a future Taiwan crisis. ASIO publicly identified both Volt Typhoon and Salt Typhoon as active against Australian critical infrastructure in late 2025, and that posture continues into 2026.
Iranian APT Activity
A campaign by Iranian APT actors against programmable logic controllers, particularly Rockwell Automation Allen-Bradley devices, continues to disrupt energy, water, wastewater, and government facilities in the United States. Observed activity includes manipulation of PLC project files and tampering with HMI and SCADA displays. Exposed PLCs reachable from the public internet remain the dominant entry vector.
APT36
APT36 is the first publicly documented nation-state actor to use AI to industrialize polymorphic malware variant production. The operational implication for defenders is that signature-based and family-based detection erodes faster, and behavior-based detection (process lineage, syscall sequences, network fingerprints) becomes the load-bearing control.
Ransomware and Data Breaches
Ransomware activity in Q1 2026 held flat quarter-over-quarter and year-over-year, but at the elevated baseline established in late 2025. Volume is no longer the headline. Speed and target selection are.
Top Active Ransomware Operators (Q1 2026)
| Rank | Group | First Seen | Notable Targeting |
|---|---|---|---|
| 1 | Qilin | 2024 | Healthcare, manufacturing, MSP |
| 2 | The Gentlemen | 2025 | Mid-market enterprise |
| 3 | RansomHub | 2024 | Cross-sector double extortion |
| 4 | Akira | 2023 | VPN-edge initial access |
| 5 | Play | 2022 | Critical infrastructure |
Recent and Ongoing Incidents
| Date | Victim | Actor | Status |
|---|---|---|---|
| 2026-05-05 | General Hardware | Qilin | Claimed on leak site |
| 2026-04-xx | Multi-MSP wave | Unknown | cPanel CVE-2026-41940 abuse |
| 2026-04-xx | U.S. PLC sites | Iran APT | Disruption, HMI tampering |
| 2026-01-xx | U.S. House staff | Salt Typhoon | Email access, ongoing review |
Healthcare reporting volume remains elevated. Between September 1, 2025 and January 31, 2026, an average of 47 healthcare breach notifications were filed per month with HHS OCR. Operators with healthcare focus, especially Qilin, account for a disproportionate share of the disclosure tail.
Recommended Actions
Immediate (next 24 to 72 hours)
| Priority | Action |
|---|---|
| P0 | Patch CVE-2026-31431 on all Linux hosts. Prioritize multi-tenant and CI/CD runners. |
| P0 | Patch cPanel and WHM to fixed builds for CVE-2026-41940 or block 2083, 2087, 2095, 2096. |
| P0 | Audit any MCP servers in use. Pin to patched SDK builds or disable STDIO transport. |
| P1 | Pull credentials usable from cPanel hosts. Rotate API keys and SSH material. |
| P1 | Review egress allow-lists on AI agent runtimes. Default-deny outbound. |
Short-Term (next 7 to 30 days)
| Priority | Action |
|---|---|
| P1 | Apply Fortinet April 14, 2026 PSIRT bundle including FortiSandbox and FortiClient EMS. |
| P1 | Hunt for indicators of cPanel session-file tampering since February 23, 2026. |
| P2 | Inventory all production LLM applications. Map untrusted-input surfaces to tools. |
| P2 | Add tool-call logging and first-time tool-use alerting in agent telemetry. |
| P2 | Scan internet-facing PLCs and OT assets. Remove direct exposure where possible. |
Strategic (next 60 to 180 days)
| Priority | Action |
|---|---|
| P2 | Adopt MCP package signing and marketplace verification before agent installation. |
| P2 | Move detection engineering toward behavior-based signals to counter AI-built malware. |
| P3 | Run prompt-injection red team exercises against every production AI workflow. |
| P3 | Build a tested runbook for nation-state intrusion in telecom and email infrastructure. |
| P3 | Establish a quarterly review of edge devices (VPN, firewall, MFT, PLCs) for KEV items. |
Sources
- CISA: Known Exploited Vulnerabilities Catalog
- CISA Adds Actively Exploited Linux Root Access Bug CVE-2026-31431 to KEV (The Hacker News)
- Microsoft Security Blog: CVE-2026-31431 Copy Fail Analysis
- Xint: Copy Fail, 732 Bytes to Root on Every Major Linux Distribution
- Tenable: Copy Fail CVE-2026-31431 FAQ
- Sysdig: CVE-2026-31431 Copy Fail Linux Kernel Flaw
- Ubuntu: Fixes Available for CVE-2026-31431 Copy Fail
- CERT-EU: High Vulnerability in the Linux Kernel Copy Fail
- Help Net Security: cPanel Zero-Day Exploited for Months Before Patch (CVE-2026-41940)
- The Hacker News: Critical cPanel Vulnerability Weaponized Against Government and MSP Networks
- Rapid7: CVE-2026-41940 cPanel and WHM Authentication Bypass
- Picus Security: CVE-2026-41940 Hit 1.5M Servers
- Cybersecurity Dive: Critical cPanel Vulnerability Widespread Exploitation
- CyberScoop: cPanel Authentication Bypass Bug Being Exploited in the Wild
- The Hacker News: Anthropic MCP Design Vulnerability Enables RCE
- SecurityWeek: By-Design Flaw in MCP Could Enable Widespread AI Supply Chain Attacks
- Engipulse: The MCP Security Crisis, 200,000 Server Vulnerability
- Practical DevSecOps: MCP Tool Poisoning Explained
- Aembit: Ultimate Guide to MCP Security Vulnerabilities
- OWASP Gen AI Security Project: LLM01 Prompt Injection
- Airia: AI Security in 2026, Prompt Injection and the Lethal Trifecta
- NCSC: Prompt Injection Is Not SQL Injection
- Penligent: AI Agents Hacking in 2026, Defending the New Execution Boundary
- Sombra: LLM Security Risks in 2026
- Cycode: Top AI Security Vulnerabilities to Watch in 2026
- CISA: China Threat Overview and Advisories
- Vectra AI: Salt Typhoon Threat Briefing
- Tenable: Salt Typhoon Vulnerabilities Analysis
- MITRE ATT&CK: Volt Typhoon (G1017)
- Dark Reading: Iranian Threat Actors Disrupt US Critical Infrastructure via Exposed PLCs
- Trend Micro: U.S. Public Sector Under Siege, Q1 2026 Threat Intelligence
- BlackFog: The State of Ransomware 2026
- Industrial Cyber: Ransomware Reaches Elevated New Normal in 2026
- Ransomware.live
- HIPAA Journal: Healthcare Data Breach Statistics, 2026 Update
- HHS Office for Civil Rights Breach Portal
- SecurityWeek via SANS NewsBites: April 2026 Patch Tuesday Roundup
- The Hacker News: CISA Adds 6 Known Exploited Flaws in Fortinet, Microsoft, and Adobe
- CyberScoop: Fortinet FortiCloud SSO Auth Bypass CVE-2026-24858
- CyberScoop: Fortinet FortiClient EMS Zero-Day CVE-2026-35616