This briefing covers threat intelligence for April 30, 2026. The most critical finding is CVE-2026-41940, an authentication bypass vulnerability in WebPros cPanel & WHM and WP2 (WordPress Squared) that allows unauthenticated remote attackers to gain control panel access. This vulnerability has been added to CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Given the widespread deployment of cPanel in web hosting environments, this represents a significant risk to organizations using these products.
Malware distribution activity remains elevated, with 50 malicious URLs identified across multiple threat campaigns. The Mozi botnet continues widespread IoT device targeting with 28 URLs distributing MIPS and ARM variants. ClearFake social engineering campaigns show sustained activity with 20 malicious URLs across multiple infrastructure domains. Additionally, Amadey dropper activity was detected with two URLs delivering secondary payloads. Organizations should prioritize patching CVE-2026-41940 immediately and implement enhanced monitoring for indicators associated with these active malware campaigns.
The convergence of a critical authentication bypass vulnerability with sustained malware distribution activity creates an elevated risk environment. Web hosting providers and organizations running cPanel/WHM should treat this as a priority incident response situation, while IoT device owners face continued risk from Mozi botnet expansion.
CISA has added a critical authentication bypass vulnerability affecting widely deployed web hosting control panels to the KEV catalog, indicating active exploitation.
An authentication bypass vulnerability in the login flow of cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) allows unauthenticated remote attackers to gain unauthorized access to the control panel. This vulnerability affects critical web hosting infrastructure and is being actively exploited.
Sustained Mozi botnet distribution campaign targeting IoT devices with MIPS and ARM architecture variants across 28 malicious URLs.
Multiple malicious URLs are distributing Mozi botnet variants that target MIPS and ARM architectures. The infrastructure includes shell script downloaders and ELF binaries hosted on compromised IoT devices across various IP ranges (115.x.x.x, 110.x.x.x, 182.x.x.x, 42.x.x.x, 39.x.x.x, 116.x.x.x, 117.x.x.x, 105.x.x.x). Some variants were identified with Mirai characteristics.
Active ClearFake malware distribution using fake browser update social engineering across multiple domains with consistent infrastructure patterns.
Twenty malicious URLs are distributing ClearFake malware through social engineering tactics disguised as software updates. The infrastructure spans multiple domains, including herod-terminology[.]bet, dusherport2ge[.]bet, undo-wingless[.]bet, technic2lweak[.]bet, and expresser-pray[.]bet. All use the consistent URI pattern '/software-distribution-dxnp2c7/meta-verify.index', suggesting coordinated campaign infrastructure.
Amadey malware dropper infrastructure delivering secondary payloads from compromised servers.
Two URLs on 62.60.226[.]140 are distributing payloads dropped by the Amadey malware loader. Files identified include 'random.exe' and 'HLPHs1J.exe' with signature d52f85. Amadey is a well-known initial access loader used to deliver ransomware, information stealers, and other secondary payloads.
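The following is an added detection example, not part of the original briefing, that turns the ClearFake and Amadey indicators above into a small proxy-log scanner. The log format is an assumed, constructed layout ("timestamp source_ip method url status"), and the defanged domains and IP from the briefing are refanged so they can be matched; the ClearFake URI pattern is checked on its own so that campaign domains not yet on the list are still caught.

```python
import re
from typing import List, Optional, Tuple

# Indicators from the briefing (defanged in the source, refanged here for matching).
CLEARFAKE_URI = "/software-distribution-dxnp2c7/meta-verify.index"
CLEARFAKE_DOMAINS = {
    "herod-terminology.bet", "dusherport2ge.bet", "undo-wingless.bet",
    "technic2lweak.bet", "expresser-pray.bet",
}
AMADEY_HOST = "62.60.226.140"
AMADEY_FILES = {"random.exe", "HLPHs1J.exe"}

# Assumed (constructed) log layout: "<timestamp> <source_ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?#]*)?")


def classify(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (source_ip, campaign, reason) if the line matches an indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    u = URL_RE.match(m.group("url"))
    if not u:
        return None
    host = u.group("host").lower()
    path = u.group("path") or "/"
    # The URI pattern is the stronger signal: it matches infrastructure not yet on the domain list.
    if path == CLEARFAKE_URI:
        return (m.group("src"), "ClearFake", f"uri {CLEARFAKE_URI} on {host}")
    if host in CLEARFAKE_DOMAINS:
        return (m.group("src"), "ClearFake", f"known domain {host}")
    if host == AMADEY_HOST:
        fname = path.rsplit("/", 1)[-1]
        reason = f"host {AMADEY_HOST}" + (f", payload {fname}" if fname in AMADEY_FILES else "")
        return (m.group("src"), "Amadey", reason)
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run classify() over every log line and keep only the hits."""
    return [hit for hit in (classify(l) for l in lines) if hit is not None]


# Constructed sample log lines for a stand-alone run.
SAMPLE_LOG = """\
2026-04-30T08:12:01Z 10.0.4.17 GET https://herod-terminology.bet/software-distribution-dxnp2c7/meta-verify.index 200
2026-04-30T08:12:09Z 10.0.4.17 GET https://cdn.example.com/jquery.min.js 200
2026-04-30T08:13:44Z 10.0.9.3 GET http://new-lure.bet/software-distribution-dxnp2c7/meta-verify.index 200
2026-04-30T08:15:20Z 10.0.2.8 GET http://62.60.226.140/random.exe 200
2026-04-30T08:16:02Z 10.0.2.8 GET http://62.60.226.140/ 404
"""

if __name__ == "__main__":
    for src, campaign, reason in scan(SAMPLE_LOG.splitlines()):
        print(f"{src}\t{campaign}\t{reason}")
```

Source IPs that hit the ClearFake URI are the hosts whose users saw the fake update lure; those reaching the Amadey host should be checked for the named payload executables.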