🛡️ InfoSec Blue Team Briefing

📰 Articles Covered

• CVE-2026-41940 - CISA KEV 🔍 Show Kagi Synopsis
  **CVE-2026-41940** is a critical **authentication bypass vulnerability** affecting **cPanel and WHM** software, as well as **WP Squared (WP2)** . The vulnerability has a CVSS score of 9.8, indicating a critical severity .
  
  **What the vulnerability allows attackers to do:**
  This vulnerability allows **unauthenticated remote attackers to gain unauthorized access to the control panel** . It is caused by a Carriage Return Line Feed (CRLF) injection in the login and session loading processes .
  
  **Exploitation against internet-facing applications:**
  The vulnerability is being **actively exploited in the wild** . A public proof-of-concept (PoC) is available, which increases the likelihood of broader exploitation . This aligns with the MITRE ATT&CK technique **T1190 - Exploit Public-Facing Application**, as attackers can target internet-facing cPanel and WHM instances .
  
  **Known threat actors or campaigns:**
  While specific threat actors or campaigns are not detailed in the provided information, the active exploitation and the availability of a PoC suggest that various threat actors could be leveraging this vulnerability .
  
  **Affected versions:**
  The vulnerability affects **cPanel and WHM versions after 11.40** .
  
  **Immediate actions for defenders:**
  Given the active exploitation and critical nature of this vulnerability, defenders should **immediately apply patches or update to fixed versions** . Rapid7 has indicated that authenticated vulnerability checks are expected to be available for assessment . It is crucial to prioritize patching to mitigate the risk of unauthorized access.
• Security: CVE-2026-41940 - cPanel & WHM / WP2 Security Update 04/28/2026 - cPanel 🔍 Show Kagi Synopsis
  An **authentication bypass vulnerability**, identified as **CVE-2026-41940**, has been discovered in cPanel software, including DNSOnly. This vulnerability affects **all versions of cPanel after 11.40** 【1】.
  
  ### What Happened
  The security issue allows an attacker to inject a `cp_security_token` using a newline payload. This enables them to attempt to use the injected token, potentially leading to successful exploitation before a user's session is fully established 【1】.
  
  ### Who is Affected
  **All versions of cPanel and WHM after version 11.40** are affected by this vulnerability 【1】. This includes the DNSOnly software.
  
  ### Security Implications
  The primary security implication is an **authentication bypass**, which could allow unauthorized access to cPanel and WHM accounts. This could lead to data breaches, system compromise, or other malicious activities.
  
  ### Technical Details
  The vulnerability is exploited by an attacker injecting a `cp_security_token` via a newline payload. This allows the attacker to attempt to use the injected token during the session establishment phase, before the session is fully promoted. A strong indicator of exploitation is a session that shows both `token_denied` and `cp_security_token` with an origin of `badpass` 【1】.
  
  ### What Defenders Should Know
  Administrators are urged to **update their cPanel & WHM servers immediately** to one of the patched versions. These include:
  - cPanel & WHM: 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.136.0.5, 11.134.0.20 【1】.
  - WP Squared: 136.1.7 【1】.
  - For CentOS 6/CloudLinux 6 users, a specific update (v110.0.103) is available 【1】.
  
  The update can be performed using the command:
  ```bash
  /scripts/upcp --force
  ```
  After updating, verify the cPanel build version and restart the `cpsrvd` service 【1】.
  
  If immediate patching is not feasible, administrators can implement **mitigation strategies**:
  - **Block inbound traffic** on ports 2083, 2087, 2095, and 2096 at the firewall 【1】.
  - **Stop the `cpsrvd` and `cpdavd` services** 【1】.
  
  A detection script (`ioc_checksessions_files.sh`) is available to identify compromised session files. If compromise is detected, administrators should purge affected sessions, force password resets for root and all WHM users, audit logs for unauthorized access, and check for persistence mechanisms 【1】.
  
  For servers using CentOS 7 or CloudLinux 7, administrators may need to set the version to **11.110** using `whmapi1 set_tier tier=11.110` if updates are disabled or pinned 【1】.
• Prolific Chinese state-sponsored contract hacker extradited from Italy - U.S. Attorney's Office, Southern District of Texas 🔍 Show Kagi Synopsis
  **Xu Zewei**, a 34-year-old Chinese national, has been extradited from Italy to the United States to face charges related to his alleged involvement in computer intrusions that occurred between February 2020 and June 2021 【1】. He appeared in Houston federal court on a nine-count indictment and is currently in custody 【1】.
  
  **What Happened:**
  Xu is accused of participating in cyber intrusions, including the **HAFNIUM campaign**, which compromised thousands of computers globally 【1】. These attacks specifically targeted U.S. COVID-19 research, including vaccines, treatments, and testing 【1】. The indictment also alleges that Xu and his co-conspirators gained unauthorized access to a law firm's network, stealing information from mailboxes and searching for data related to U.S. policymakers and government agencies using terms like "Chinese sources," "MSS," and "HongKong" 【1】. Xu allegedly operated under the direction of the PRC’s Ministry of State Security (MSS) and the Shanghai State Security Bureau (SSSB), working for a company that facilitated these government-directed hacking operations 【1】.
  
  **Who is Affected:**
  The intrusions affected **thousands of computers worldwide** 【1】. Specific targets included **U.S. COVID-19 research entities** and a **law firm** that handled sensitive information related to U.S. policymakers and government agencies 【1】.
  
  **Security Implications:**
  The actions attributed to Xu highlight the persistent threat of **state-sponsored cyber espionage and disruption**. The use of contract hackers by entities like the PRC's MSS aims to **obscure attribution** and conduct operations for intelligence gathering and potentially profit 【1】. The targeting of critical research, such as COVID-19 vaccines, poses a significant risk to public health and national security.
  
  **Technical Details:**
  The HAFNIUM campaign involved exploiting **vulnerabilities in Microsoft Exchange Server** 【1】. Once systems were compromised, Xu and his alleged co-conspirators installed **web shells** to enable remote administration 【1】.
  
  **What Defenders Should Know:**
  Defenders should be aware that **vulnerabilities in widely used software like Microsoft Exchange Server can be exploited** for widespread compromise 【1】. Even after vulnerabilities are disclosed and patches are released (as was the case with HAFNIUM in March 2021), **residual threats like web shells can remain on compromised systems** 【1】. Organizations should maintain vigilance in patching systems, monitoring for indicators of compromise, and implementing robust security measures to detect and remediate unauthorized access. The use of contract hackers by nation-states underscores the need for advanced threat intelligence and attribution capabilities.
• The Federal Bureau of Investigation is publishing this Public Service Announcement to warn the public of cyber threat actors increasingly using sophisticated, cyber-enabled tactics to steal cargo - Federal Bureau of Investigation 🔍 Show Kagi Synopsis
  **Cyber-Enabled Strategic Cargo Theft is Surging Due to Sophisticated Cyber Tactics**
  
  **What Happened:**
  Cyber threat actors are increasingly employing sophisticated, cyber-enabled tactics to impersonate legitimate businesses within the transportation and logistics sectors. This allows them to hijack freight, steal high-value shipments, and reroute deliveries, leading to a significant surge in strategic cargo theft. The actors gain unauthorized access to broker and carrier computer systems, often through spoofed emails and fake URLs, which then download remote monitoring and management (RMM) software. They pose as victim companies, post fraudulent listings on load boards, and deceive shippers, brokers, and carriers into releasing goods. These goods are then redirected from their intended destinations and stolen for resale. In some instances, actors may demand a ransom for the cargo's location. 【1】
  
  **Who is Affected:**
  The **US transportation and logistics sectors** are the primary targets. This includes companies involved in **shipping, receiving, delivering, and insuring cargo**. Both legitimate carriers and brokers can be affected, as well as the shippers who entrust their goods to these companies. 【1】
  
  **Security Implications:**
  The security implications are substantial, leading to significant financial losses and disruption of supply chains. In 2025, estimated cargo theft losses in the United States and Canada reached nearly **$725 million**, a 60 percent increase from 2024. The average value per theft also rose by 36 percent to $273,990, indicating a trend towards more selective, high-value targets. 【1】
  
  **Technical Details:**
  The scheme typically involves a multi-step process:
  * **Compromise of Initial Victim Accounts**: Threat actors use phishing emails with spoofed URLs to trick users into downloading malicious executable files that install RMM software, granting undetected access to systems. 【1】
  * **Posting Fake Loads Online**: Using compromised carrier accounts, actors post numerous fake loads on trucking load boards. Legitimate carriers who bid on these loads are then tricked into downloading malicious broker agreements, compromising their own systems. 【1】
  * **Bidding on Real Loads**: Posing as compromised carriers, actors accept legitimate shipments, double-broker them to unsuspecting drivers, and manipulate bills of lading to change the destination. They may also alter carrier information with the Federal Motor Carrier Safety Administration and update insurance details. 【1】
  * **Theft of Cargo**: The stolen cargo is then transloaded to complicit drivers for resale, or the threat actors may demand a ransom. 【1】
  
  **What Defenders Should Know:**
  Defenders should be aware of several indicators of these schemes:
  * **Unauthorized Shipments**: Receiving notifications about shipments made in a company's name that were not authorized. 【1】
  * **Spoofed Emails and URLs**: Emails using free providers or minor variations of legitimate domains (misspellings, extra punctuation), and requests to download documents from shortened or suspicious links. 【1】
  * **Malicious Downloads**: Emails claiming negative service reviews that contain links leading to malicious downloads. 【1】
  * **Unauthorized Mailbox Rules**: The creation of unexpected forwarding rules, autodeletion, or hidden folders within email accounts. 【1】
  * **Communication Methods**: Threat actors may use Voice over Internet Protocol (VOIP) or short-term phone numbers, sometimes with overseas origins. 【1】
  
  **Recommendations for Protection:**
  * **Independent Verification**: Always independently verify shipment requests and pickups using secondary communication methods before releasing any loads. 【1】
  * **Multi-Channel Verification and Two-Factor Authentication**: Implement multi-channel verification and two-factor authentication for unexpected communications to prevent infiltration. 【1】
  * **Thorough Documentation**: Maintain detailed documentation of all parties involved in a transaction, including photos of drivers, vehicles, license plates, and contact information. This aids investigations. 【1】
  * **Reporting**: If you believe you have been a victim, file a report with the Internet Crime Complaint Center (IC3) at www.ic3.gov, contact your local FBI Field Office, and file reports with local law enforcement. 【1】
• Adapting Zero Trust Principles to Operational Technology - CISA 🔍 Show Kagi Synopsis
  CISA, in collaboration with the Department of War, Department of Energy, FBI, and Department of State, has released guidance titled "Adapting Zero Trust Principles to Operational Technology" 【1】. This guidance aims to help organizations implement **zero trust (ZT)** principles within their **operational technology (OT)** environments 【1】.
  
  **What Happened:**
  The guidance was released due to the increasing **interconnection and remote control of OT systems**, which were traditionally isolated. This convergence of Information Technology (IT) and OT introduces significant cybersecurity risks, rendering traditional perimeter-based defenses and implicit trust models insufficient 【1】.
  
  **Who is Affected:**
  The guidance is primarily for **OT owners and operators** 【1】. This includes organizations managing critical infrastructure and industrial control systems that are now more digitally connected and remotely managed.
  
  **Security Implications:**
  The convergence of IT and OT systems creates new cybersecurity risks. **Perimeter-based defenses and implicit trust models are no longer adequate** for protecting OT systems and the critical physical processes they manage 【1】. This necessitates a shift towards more adaptive and continuously validating security approaches.
  
  **Technical Details:**
  The guidance emphasizes several key areas for transitioning to a ZT architecture in OT environments:
  - **Comprehensive Asset Visibility:** Understanding all assets within the OT environment is crucial 【1】.
  - **Supply Chain Risk Management:** Proactively addressing risks associated with the OT supply chain 【1】.
  - **Identity and Access Management:** Implementing robust systems to manage user and device identities and their access privileges 【1】.
  - **Layered Security Measures:** This includes:
  - **Network Segmentation:** Dividing networks into smaller, isolated segments to limit the impact of a breach 【1】.
  - **Secure Communication Protocols:** Utilizing secure methods for data exchange within and between systems 【1】.
  - **Vulnerability Management:** Regularly identifying and addressing security weaknesses in OT systems 【1】.
  
  The guidance acknowledges the unique challenges in OT, such as **legacy infrastructure technology gaps, operational constraints, and safety requirements** 【1】.
  
  **What Defenders Should Know:**
  Defenders need to understand that **implicit trust is no longer a viable security strategy** for OT systems 【1】. They must adopt a modern, adaptive approach that **continuously validates access** based on identity, context, and risk 【1】. Key areas of focus should include gaining complete visibility of OT assets, managing supply chain risks, and implementing strong identity and access controls, alongside traditional security measures like segmentation and vulnerability management 【1】.
• 2033170 - DigiCert: Misissued code signing certificates - DigiCert 🔍 Show Kagi Synopsis
  In April 2026, **DigiCert** experienced a security incident where a threat actor compromised internal support analyst endpoints, leading to the **misissuance of 60 EV Code Signing certificates** 【1】. These certificates were subsequently used to sign malware from the "Zhong Stealer" family 【1】.
  
  **What Happened:**
  The attack began when a threat actor sent malicious ZIP files, disguised as screenshots, to DigiCert support staff through a customer chat channel. These files contained malware that compromised two analyst endpoints. The attacker then used these compromised endpoints to access an internal support portal function. This function allowed them to impersonate customer accounts and harvest initialization codes for pending EV Code Signing certificate orders. With these codes and approved orders, the attacker was able to generate and retrieve unauthorized certificates 【1】.
  
  **Who Was Affected:**
  * **DigiCert:** Their internal support systems and analyst endpoints were compromised 【1】.
  * **Customers:** A specific group of customers with pending EV Code Signing certificate orders had their initialization codes accessed, resulting in misissued certificates 【1】.
  * **General Public:** The misissued certificates were used to sign and distribute "Zhong Stealer" malware 【1】.
  
  **Security Implications:**
  The incident resulted in the misissuance and subsequent revocation of 60 EV Code Signing certificates 【1】. A key implication was the exposure of initialization codes, which were treated as intermediate workflow data rather than sensitive bearer credentials 【1】. The attack also highlighted detection gaps due to inconsistent Endpoint Detection and Response (EDR) coverage on analyst endpoints, allowing the attacker to remain undetected on one endpoint for several days 【1】. Furthermore, the reliance on device-bound Multi-Factor Authentication (MFA) allowed the attacker to bypass second-factor authentication by inheriting authenticated sessions from compromised devices 【1】.
  
  **Technical Details:**
  The attack vector involved malicious ZIP files containing `.scr` executables, delivered via customer support chat 【1】. The support portal's "proxy" function was found to have insufficient privilege minimization and did not adequately mask initialization codes 【1】. The initialization codes for EV Code Signing certificates are considered bearer credentials because their possession, along with an approved order, allows for certificate generation 【1】. A malfunctioning or absent CrowdStrike sensor on one of the compromised endpoints prevented the detection of the compromise 【1】.
  
  **What Defenders Should Know:**
  Defenders should recognize that internal support tools with indirect access to sensitive infrastructure, such as certificate issuance systems, require rigorous security measures 【1】. Any data that can be used to generate or retrieve cryptographic materials should be protected as a high-value bearer credential 【1】. Continuous monitoring of EDR and SASE coverage is crucial to prevent security blind spots 【1】. Additionally, customer-facing support channels are significant attack surfaces and necessitate strict file-type restrictions, sandboxing, and content inspection 【1】. For MFA, it is advisable to avoid sole reliance on device-bound solutions and instead enforce phishing-resistant MFA methods 【1】.
• SQL injection in Proxy API key verification in LiteLLM - BerriAI 🔍 Show Kagi Synopsis
  A **SQL injection vulnerability** was discovered in the **Proxy API key verification** process of LiteLLM. This vulnerability could allow an unauthenticated attacker to gain unauthorized access to the proxy and its managed credentials.
  
  **What Happened:**
  The vulnerability stemmed from how the database query was constructed during proxy API key checks. Instead of treating the caller-supplied key as a separate parameter, it was directly embedded into the query text. This allowed an attacker to craft a malicious `Authorization` header, which, when sent to any LLM API route (like `POST /chat/completions`), could be processed through the proxy's error-handling path and exploit the vulnerable query 【1】.
  
  **Who is Affected:**
  LiteLLM users who are running a proxy and have not updated to version 1.83.7 or later are potentially affected.
  
  **Security Implications:**
  An attacker exploiting this vulnerability could **read sensitive data from the proxy's database** and potentially **modify it** 【1】. This could lead to unauthorized access to the proxy itself and any credentials it manages.
  
  **Technical Details:**
  The core issue was the improper handling of user-supplied input in a database query. By concatenating the API key directly into the SQL statement, an attacker could inject malicious SQL code. This code would then be executed by the database, allowing for data exfiltration or manipulation 【1】.
  
  **What Defenders Should Know:**
  To mitigate this vulnerability, users should **upgrade to LiteLLM version 1.83.7 or later** 【1】. If an immediate upgrade is not feasible, a temporary workaround is to set `disable_error_logs: true` within the `general_settings`. This configuration change effectively removes the error-handling path that unauthenticated input could exploit to reach the vulnerable query 【1】.
• Living off the Cloud - SANS Institute 🔍 Show Kagi Synopsis
  The cybersecurity article "Living off the Cloud" details how attackers are exploiting legitimate cloud administration tools, specifically **AWS Systems Manager (SSM)** and **Azure Run Command**, for malicious purposes.
  
  **What Happened:**
  Attackers are leveraging AWS SSM and Azure Run Command to gain unauthorized access, move laterally within cloud environments, and establish persistence. These tools, designed for legitimate remote management, are being misused to bypass traditional network security controls.
  
  **Who is Affected:**
  Organizations utilizing **AWS** and **Azure** infrastructure-as-a-service (IaaS) are potentially affected. Threat groups such as **APT29 (Midnight Blizzard)** and **Scattered Spider (UNC3944/Octo Tempest)** have been confirmed to use these techniques in their intrusions. APT29 has used Azure Run Command for reconnaissance and credential theft, while Scattered Spider has employed AWS SSM for software inventory, lateral movement, deploying tools, and enabling EC2 Serial Console Access for persistence.
  
  **Security Implications:**
  The primary security implication is a significant **logging gap**. While AWS CloudTrail and Azure Activity Logs record that a command was executed, they **redact or omit the actual command content** due to security reasons. This makes it difficult for defenders to understand the full scope of an attack. Attackers can exploit this by using these tools to execute commands without leaving a clear trail in primary audit logs, effectively "living off the cloud" infrastructure.
  
  **Technical Details:**
  - **AWS SSM:** The `SendCommand` events in AWS CloudTrail log the IAM principal, timestamp, target instance IDs, and document name, but the command parameters are redacted. Attackers use SSM for tasks like software inventory, lateral movement, and deploying tooling. They have also used techniques like enabling EC2 Serial Console Access for persistence.
  - **Azure Run Command:** Azure Activity Logs record the execution of Run Commands, including the caller and target VM, but not the script content. Managed Run Commands can create additional logging gaps. Attackers have used Azure Run Command for reconnaissance, credential theft, and deploying malicious payloads like Cobalt Strike BEACON.
  
  **What Defenders Should Know:**
  Defenders need to be aware of the logging limitations of these cloud services and implement strategies to bridge these gaps:
  - **Enable SSM command output logging** to S3 or CloudWatch at the organizational level for comprehensive command content recovery.
  - **Export Azure Activity Logs** to Log Analytics with a retention period exceeding 90 days and build separate detection rules for different Run Command event types.
  - **Deploy endpoint telemetry**, such as EDR, Sysmon, or auditd, on cloud VMs. On Windows, **Event ID 4688** (process creation) and **Event ID 4104** (PowerShell Script Block Logging) are crucial for capturing command content, even if obfuscated. On Linux, `execve` syscall logging can track commands executed by agents.
  - **Prioritize collecting host-based artifacts** during investigations, as these can contain the actual command content before cloud agents potentially delete them. This includes agent logs and stdout/stderr files on instances.
  - **Enforce least privilege** for IAM and RBAC permissions related to remote execution capabilities like `ssm:SendCommand`.
  - Build detections for high-signal events such as `CreateActivation` in AWS or unexpected Run Command extensions in Azure, as these have narrow legitimate use cases and can indicate malicious activity.
• Three Bugs Walk Into a PDF: Prototype Pollution, Served Cold - StarLabs 🔍 Show Kagi Synopsis
  In April 2026, Adobe released emergency updates to address **three critical security vulnerabilities** in Acrobat DC, Acrobat Reader DC, and Acrobat 2024, identified as **CVE-2026-34621, CVE-2026-34622, and CVE-2026-34626** 【1】. These vulnerabilities were exploited in the wild as a chained **prototype pollution attack** 【1】.
  
  **Who is Affected:**
  The vulnerabilities affect users of **Windows and macOS systems** running Adobe Reader versions earlier than 26.001.21367 (for CVE-2026-34621) and 26.001.21411 (for CVE-2026-34622 and CVE-2026-34626) 【1】.
  
  **Security Implications:**
  The exploit chain allowed attackers to bypass security boundaries, leading to privilege escalation and arbitrary code execution 【1】. Specifically, attackers could:
  * **Bypass Trust Boundaries:** By polluting the object prototype, attackers could manipulate how internal Adobe collaboration code resolved objects 【1】.
  * **Achieve Privilege Escalation:** Attackers could register their own JavaScript functions as "trusted functions," granting them elevated privileges within the Adobe Reader environment 【1】.
  * **Execute Arbitrary Code:** With elevated privileges, attackers could perform sensitive operations like reading from the file system or launching external URLs, potentially leading to a full system compromise 【1】.
  
  **Technical Details:**
  The attack involved a chain of three vulnerabilities:
  1. **Bootstrap Gadget:** An `eval` injection vulnerability in `ANFancyAlertImpl` allowed for initial JavaScript execution through crafted malicious button identifiers in dialog boxes 【1】.
  2. **Privilege Escalation:** CVE-2026-34621 involved an unsafe resolution of the `swConn` identifier in the `SilentDocCenterLogin` function. This allowed attackers to redirect internal calls to attacker-controlled objects, enabling the registration of malicious functions as trusted 【1】.
  3. **Workflow Sink:** An object confusion vulnerability in trusted string-processing functions like `ANShareFile` (CVE-2026-34622 and CVE-2026-34626) allowed them to accept non-string objects (e.g., `doc.path`). This enabled attackers to control the behavior of these trusted workflows 【1】.
  
  **What Defenders Should Know:**
  * **Patching is Crucial:** Defenders must ensure all Adobe Acrobat and Reader installations are updated to versions that address these CVEs (APSB26-43 and APSB26-44) 【1】.
  * **Chained Exploits are Dangerous:** This incident highlights the significant risk posed by chaining multiple vulnerabilities, even those considered low or medium impact, to achieve critical outcomes like privilege escalation and code execution 【1】.
  * **Understand Root Causes:** The vulnerabilities stemmed from unsafe JavaScript practices, including the use of `eval` on attacker-controlled input, reliance on global object lookups for sensitive identifiers, and insufficient input type validation in privileged functions 【1】.