Two CRITICAL threats under mass multi-actor exploitation: CVE-2026-41940 cPanel auth bypass confirmed against government and MSP networks (8,859 .sorry-encrypted hosts identified) and CVE-2026-32202 Windows zero-click NTLM coercion by APT28 against Ukrainian and EU targets (CISA KEV deadline May 12). Also: CVE-2026-31431 "Copy Fail" Linux LPE (KEV deadline May 15), Iranian CyberAv3ngers disrupting US PLCs via EtherNet/IP, Mini Shai-Hulud PyTorch Lightning supply chain, Salt Typhoon covert device networks, APT37 BirdCall Android backdoor, and Qilin/Gentlemen ransomware escalation. Includes 9 KQL hunting queries and 5 high-fidelity detection rules.
Two concurrent CRITICAL exploits: CVE-2026-31431 "Copy Fail" Linux LPE (every distro since 2017, 732-byte PoC public, CISA KEV deadline May 15) and CVE-2026-41940 cPanel pre-auth RCE targeting 1.5M servers including Southeast Asian military portals. Also: BlueHammer/RedSun Windows Defender zero-days, Team PCP AI supply chain worm, Lynx ransomware healthcare campaign, and Iranian ICS/OT PLC exploitation. Includes 8 KQL hunting queries and 5 detection rules.
Nation-state actors APT28 (PRISMEX + SLIMAGENT), Mustang Panda (LOTUSLITE v2), and BRICKSTORM remain active. New APT group TGR-STA-1030 has breached government organisations in 37 countries. Six ransomware groups are active. Includes 12 KQL hunting queries, 10 detection rules, and full MITRE ATT&CK mapping.