Weekly Threat Roundup: Apache & cPanel Zero-Days (Apr 27 - May 3)
Cybersecurity roundup for 2026-04-27 to 2026-05-03. 10 CVE advisories, 5 breach reports, 5 threat news stories.
This Week at a Glance
This week saw the active exploitation of a critical cPanel authentication bypass (CVE-2026-41940) and a surge in Apache-related vulnerabilities, including unauthenticated RCE in Camel and MINA. Major data breaches at Pitney Bowes and ADT exposed over 13 million records, while a new supply chain attack targeted SAP npm packages.
Top Vulnerabilities
- CVE-2026-41940 (CVSS 9.8, Actively Exploited): Authentication bypass in cPanel & WHM. PoC available.
- CVE-2026-33453 (CVSS 10.0): Unauthenticated RCE in Apache Camel’s CoAP component.
- CVE-2026-40453 (CVSS 9.9): Header bypass leading to RCE in Apache Camel JMS.
- CVE-2026-41409 (CVSS 9.8): Unauthenticated RCE via deserialization in Apache MINA.
- CVE-2026-41635 (CVSS 9.8): Second unauthenticated RCE in Apache MINA via deserialization.
- CVE-2025-71284 (CVSS 9.8): Unauthenticated RCE in Synway SMG Gateway via OS command injection.
- CVE-2026-7242 (CVSS 9.8): Unauthenticated RCE in Totolink A8000RU router.
- CVE-2026-7137 (CVSS 9.8): Command injection in Totolink A8000RU router.
- CVE-2026-41873 (CVSS 9.8): HTTP request smuggling leading to admin takeover in Pony Mail.
- CVE-2026-40860 (CVSS 9.8): Deserialization RCE in Apache Camel JMS/SJMS.
Data Breaches
- Pitney Bowes: 8.2 million accounts exposed.
- ADT: 5.5 million customer records exposed, including SSNs.
- ZenBusiness: 5.1 million accounts exposed.
- Marcus & Millichap: 1.8 million accounts exposed.
- Aman: 216,000 guest records leaked.
Threat Intelligence
- Supply Chain Attack: The TeamPCP campaign resumed after a 26-day pause, launching three concurrent attacks.
- SAP npm Packages Compromised: Credential-stealing malware found in compromised npm packages targeting SAP environments.
- Ransomware Claims: Threat actors Stormous and M3RX claimed attacks on cgcsa.co.za, emtco.com (180GB), and it-freitag.de.
- KEV Update: CISA added CVE-2026-31431, an actively exploited Linux root access bug, to its Known Exploited Vulnerabilities catalog.
Key Takeaway
Two distinct unauthenticated deserialization RCEs disclosed for Apache MINA in the same week (CVE-2026-41409 and CVE-2026-41635) highlight a recurring pattern: an incomplete fix for one deserialization flaw leaves the underlying deserialization surface reachable, and a second variant follows shortly after. Treat a vendor "fix" for a deserialization bug as necessary but not sufficient: confirm that the patched version is what actually ships in your dependency tree, and verify that untrusted input can no longer reach the deserializer at all, or is confined by an application-level class allowlist whose effectiveness does not depend on the vendor's patch being complete.
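One way to add that independent control, as an added example that is not code from the page, from Apache MINA or from Apache Camel: for Java native serialization (assumed here as the mechanism, which is the common case in these stacks), a JDK `ObjectInputFilter` allowlist rejects any class not explicitly permitted before it is instantiated, so a gadget chain reaching the deserializer fails even if a library-level patch turns out to be incomplete. The package `com.example.dto` and the resource limits are placeholders chosen for the demo; the `HashMap` stands in for an unexpected class and is not a claim about any real gadget.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

public class DeserializationFilterDemo {

    // Allowlist filter (JEP 290, Java 9+): only the listed classes are accepted.
    // "com.example.dto.*" is a placeholder for the application's own DTO package.
    // "!*" rejects everything else; the limits bound depth, reference count and
    // stream size so malformed input cannot exhaust memory before being rejected.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxrefs=1000;maxbytes=65536;"
          + "java.util.ArrayList;java.lang.String;com.example.dto.*;!*");

    // Deserialize with the filter installed on this stream. Setting the filter
    // per stream keeps the control close to the code that reads untrusted bytes.
    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    // Helper used only to build sample inputs for the demo.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input 1: an allowed type, passes the filter.
        List<String> allowed = new ArrayList<>(List.of("ping", "pong"));
        System.out.println("allowed: " + deserialize(serialize(allowed)));

        // Constructed input 2: a class not on the allowlist. The filter rejects it
        // with InvalidClassException before any readObject logic of that class runs.
        byte[] unexpected = serialize(new HashMap<String, String>());
        try {
            deserialize(unexpected);
            System.out.println("BUG: filter did not reject HashMap");
        } catch (InvalidClassException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo`. The same pattern string can be applied process-wide with `-Djdk.serialFilter=...` instead of per stream, which is useful when the deserializing code lives inside a third-party library you cannot modify; either way, the allowlist should be derived from the types the protocol actually exchanges, not from whatever happens to deserialize successfully in a test run.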
Related News
TeamPCP supply chain campaign resumed after a 26-day pause with three concurrent compromises (Checkmarx KICS, Bitwarden CLI, xinference PyPI). A new self-propagating npm worm, CanisterSprawl, has also been identified.