This week's threat intelligence briefing for April 28 - May 4, 2026 reveals a significant surge in critical authentication and injection vulnerabilities across enterprise platforms and WordPress plugins. CISA added four high-impact vulnerabilities to the KEV catalog, including a critical authentication bypass in WebPros cPanel/WHM (CVE-2026-41940) and a Linux kernel privilege escalation flaw (CVE-2026-31431). The NVD disclosed 30 additional high-severity vulnerabilities, with WordPress plugins representing a substantial attack surface through SQL injection, stored XSS, and remote code execution flaws.
Malware distribution infrastructure remains highly active, with 50 malicious URLs cataloged by abuse.ch. ClearFake malware continues aggressive distribution through compromised domains using rapid-cycling subdomain infrastructure (rapidstorm.surf, winterpeak.surf, greenforest.surf, solidcore.surf). IoT-focused threats persist with Mozi and Mirai variants targeting MIPS and ARM architectures, indicating continued exploitation of insecure embedded devices.
Organizations should prioritize patching the cPanel authentication bypass vulnerability immediately, as it enables unauthenticated remote access to critical control panels. WordPress administrators must review installed plugins for SQL injection and RCE vulnerabilities, particularly in widely deployed plugins like Paid Memberships Pro, Royal Elementor Addons, and Widget Options. Network defenders should monitor for ClearFake C2 communications and implement IoT device segmentation to mitigate botnet activity.
CISA added four critical vulnerabilities to the KEV catalog; remediation is required for federal agencies and recommended for all organizations.
CVE-2026-41940: Critical authentication bypass in WebPros cPanel/WHM and WordPress Squared allows unauthenticated remote attackers to gain unauthorized access to control panels. This represents a complete failure of the authentication mechanism in widely deployed hosting management platforms.
CVE-2026-31431: Incorrect resource transfer between spheres in the Linux kernel enables privilege escalation attacks. Affects core Linux systems across enterprise and cloud infrastructure.
CVE-2024-1708: Path traversal vulnerability in ConnectWise ScreenConnect allows attackers to execute remote code or directly access confidential data and critical systems. Poses significant risk to MSP and remote support infrastructure.
CVE-2026-32202: Protection mechanism failure in Windows Shell allows unauthorized attackers to perform spoofing attacks remotely. Impacts Windows system integrity and user trust mechanisms.
Multiple critical vulnerabilities were discovered in widely deployed WordPress plugins, including SQL injection, remote code execution, and authentication bypass flaws affecting thousands of sites.
CVE-2026-2052: The Widget Options plugin passes user-supplied Display Logic expressions to eval(), enabling authenticated attackers to achieve remote code execution (CVSS 8.8). Affects all versions up to 4.2.2.
CVE-2026-7647: PHP object injection via maybe_unserialize() on an attacker-controlled 'args' parameter in an AJAX handler. Versions up to 3.14.5 are affected (CVSS 8.1).
CVE-2026-4060, CVE-2026-4061, CVE-2026-4062: Time-based SQL injection in multiple parameters (sort, map_post_type, object_ids, exclude_object_ids) affecting versions up to 1.13.18. CVSS 7.5 for each vulnerability.
CVE-2026-4100: Missing capability checks allow unauthorized modification of Stripe webhook configuration in versions up to 3.6.5 (CVSS 7.1), enabling disruption of payment processing.
CVE-2026-2554: Missing validation on 'customerid' parameter allows unauthorized access to customer data in WCFM Frontend Manager up to 6.7.25. CVSS 8.1.
CVE-2026-7649: SQL injection via 'orderby' parameter in membership plugin affecting versions up to 4.0.60. CVSS 7.5 enables database extraction.
CVE-2026-5324: Missing nonce verification combined with insufficient FileUpload handling enables unauthenticated stored XSS in versions up to 2.8.11. CVSS 7.2.
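The eval() flaw in Widget Options described above, shown as an added Python illustration (not the plugin's PHP and not code from this briefing): the vulnerable pattern next to a hardened evaluator that parses the rule and accepts only boolean operators and zero-argument calls to a fixed set of condition functions. The condition names and the request context are hypothetical stand-ins for WordPress conditional tags.

```python
import ast

# Constructed illustration (not the Widget Options plugin's code): a "display
# logic" rule such as "is_single() and not is_admin()" decides whether a widget
# renders. Passing that string to eval() is the bug class behind CVE-2026-2052;
# the hardened version parses it and accepts only an allowlist of node types.

# Hypothetical stand-ins for WordPress conditional tags, keyed by rule name.
CONDITIONS = {
    "is_single": lambda ctx: ctx.get("post_type") == "post",
    "is_page": lambda ctx: ctx.get("post_type") == "page",
    "is_admin": lambda ctx: bool(ctx.get("is_admin", False)),
    "is_user_logged_in": lambda ctx: ctx.get("user_id", 0) > 0,
}

def evaluate_unsafe(rule, ctx):
    """Vulnerable pattern: the user-supplied rule reaches eval() unfiltered.
    Removing builtins does not make this safe; eval() must never see the string."""
    env = {name: (lambda fn=fn: fn(ctx)) for name, fn in CONDITIONS.items()}
    return bool(eval(rule, {"__builtins__": {}}, env))

def evaluate_safe(rule, ctx):
    """Hardened pattern: parse the rule, then interpret an allowlisted AST subset
    (and/or/not, boolean literals, zero-argument calls to known conditions)."""
    try:
        tree = ast.parse(rule, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"malformed display rule: {rule!r}") from exc

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.BoolOp):
            values = [walk(v) for v in node.values]
            return all(values) if isinstance(node.op, ast.And) else any(values)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not walk(node.operand)
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and not node.args and not node.keywords
                and node.func.id in CONDITIONS):
            return CONDITIONS[node.func.id](ctx)
        if isinstance(node, ast.Constant) and isinstance(node.value, bool):
            return node.value
        # Attribute access, bare names, other calls, imports: all rejected.
        raise ValueError(f"disallowed element in rule: {type(node).__name__}")

    return bool(walk(tree))
```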
Critical vulnerabilities identified in enterprise management systems, network devices, and IoT hardware enabling remote code execution and command injection.
CVE-2026-7490 and CVE-2026-7489: CTMS/CPAS systems vulnerable to arbitrary file upload enabling web shell deployment (CVSS 7.2), combined with authenticated SQL injection (CVSS 8.8) for complete system compromise.
CVE-2026-7685 (BR-6208AC) and CVE-2026-7684 (BR-6428nC): Buffer overflow via pptpDfGateway parameter in /goform/setWAN allows remote code execution. CVSS 8.8 for both vulnerabilities.
CVE-2026-7695 and CVE-2026-7694: SQL injection via fCircuitids parameter in EEMS and ECEMS systems affecting /SubstationWEBV2/main/elecMaxMinAvgValue endpoint. CVSS 7.3 for both.
CVE-2026-7698: OS command injection via week parameter in /Easy7/rest/systemInfo/updateDbBackupInfo endpoint. Remote exploitation possible with CVSS 7.3.
CVE-2026-7491: Authenticated attackers can modify parameters to read and modify other users' data in School App platform. CVSS 8.1.
An extensive ClearFake campaign is using rapid-cycling subdomain infrastructure across multiple domains to distribute fake browser updates and malware payloads.
Multiple subdomains under rapidstorm.surf (high, fire, run, fast, jump, kick, rush) are actively distributing ClearFake malware targeting Google users. This rapid subdomain rotation is a technique for evading blocklists and detection.
The winterpeak.surf domain hosts multiple ClearFake distribution subdomains (cold, ice, frost, temp, zone, wind) that use identical URI patterns for malware delivery.
Additional ClearFake infrastructure identified on greenforest.surf (leaf, root, tree, wood, park, wild) and solidcore.surf (iron, rock, base) domains, indicating campaign expansion and infrastructure diversification.
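An added example, not part of the briefing, of how a defender might hunt for the rapid-cycling subdomain pattern described above in DNS query logs: it flags the four apex domains named in the briefing and, more generally, any client that resolves several distinct subdomains of one apex inside a short window, which catches sibling domains not yet on a list. The log lines and the coldmist.surf domain are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apex domains the briefing attributes to ClearFake distribution infrastructure.
CLEARFAKE_APEX = {"rapidstorm.surf", "winterpeak.surf", "greenforest.surf", "solidcore.surf"}

# Constructed DNS query log (not real telemetry): "<UTC time> <client IP> <qname>".
SAMPLE_LOG = """\
2026-04-30T10:00:01Z 10.0.0.5 high.rapidstorm.surf
2026-04-30T10:00:04Z 10.0.0.5 fire.rapidstorm.surf
2026-04-30T10:00:09Z 10.0.0.5 run.rapidstorm.surf
2026-04-30T10:00:20Z 10.0.0.7 www.example.com
2026-04-30T10:01:02Z 10.0.0.9 cold.winterpeak.surf
2026-04-30T10:05:00Z 10.0.0.11 jump.coldmist.surf
2026-04-30T10:05:12Z 10.0.0.11 kick.coldmist.surf
2026-04-30T10:05:25Z 10.0.0.11 rush.coldmist.surf
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def split_qname(qname):
    """Crude registrable-domain split (last two labels); enough for .surf/.com."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def detect(log_text, window=timedelta(minutes=5), churn_threshold=3):
    """Return (client, apex, reason, distinct_subdomain_count) alerts.
    Signal 1: apex already attributed to ClearFake. Signal 2: one client resolves
    `churn_threshold` distinct subdomains of one apex inside `window` (rapid cycling)."""
    seen = defaultdict(list)  # (client, apex) -> [(timestamp, subdomain)]
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%SZ")
        apex, sub = split_qname(match.group(3))
        seen[(match.group(2), apex)].append((ts, sub))
    alerts = []
    for (client, apex), events in seen.items():
        if apex in CLEARFAKE_APEX:
            alerts.append((client, apex, "known-clearfake-apex", len({s for _, s in events})))
            continue
        events.sort()
        for i, (t0, _) in enumerate(events):  # sliding window per client/apex pair
            in_window = {s for t, s in events[i:] if t - t0 <= window}
            if len(in_window) >= churn_threshold:
                alerts.append((client, apex, "subdomain-churn", len(in_window)))
                break
    return alerts
```

Tune `window` and `churn_threshold` against your own baseline; CDNs and large SaaS apexes will trip a low threshold.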
Continued IoT-targeted malware distribution focusing on MIPS and ARM architectures through compromised embedded devices and routers.
Multiple Mozi malware distribution URLs were detected targeting 32-bit MIPS and ARM architectures. IPs include 92.63.185.32, 113.99.201.130, 37.26.86.218, and others. A shell-script-based infection chain was observed.
Active Mirai distribution server hosting binaries for multiple architectures (mips, mipsel, arm, arm6, sh4, spc) at 31.56.209.125. User-agent-based targeting (ua-wget) indicates automated device infection.
Secondary Mirai infrastructure detected at 176.65.139.11, 178.18.147.174, and 45.158.23.194 distributing architecture-specific payloads for sh4, mipsel, and mips platforms.
Technical analysis comparing PhishTool and DFIR Platform for email threat investigation workflows.
Detailed comparison of two leading email analysis platforms for security operations and incident response teams. Evaluates features, integration capabilities, and use case suitability for different organizational workflows.