Weekly security intelligence digest covering the most critical vulnerabilities, threats, and breach news from the past week.


🚨 Critical: CISA Known Exploited Vulnerabilities

These vulnerabilities are being actively exploited in the wild. Immediate action required.

CVE-2026-31431: Linux Kernel Incorrect Resource Transfer Between Spheres Vulnerability

Vendor/Product: Linux Kernel

Description: Linux Kernel contains an incorrect resource transfer between spheres vulnerability that could allow for privilege escalation.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-05-15

Reference: CVE-2026-31431 - NVD

Expert take: Linux kernel privilege escalation vulnerabilities are high-priority because of how widely Linux runs across cloud infrastructure, containers, and on-premises servers. The attack pattern here is usually the same: an attacker gains an initial low-privilege foothold — through phishing, a web app vulnerability, or a misconfigured service — and then uses a kernel bug like this to escalate to root. Once they’re root, it’s effectively game over on that host. If you’re running Linux workloads in cloud environments, check whether your kernel versions are patched. Managed Kubernetes clusters and cloud VMs often require separate patching steps beyond the OS update process. Don’t assume your cloud provider handled it automatically — verify.


CVE-2026-41940: WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability

Vendor/Product: WebPros cPanel & WHM and WP2 (WordPress Squared)

Description: WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-05-03 ⚠️ Deadline has passed

Reference: CVE-2026-41940 - NVD

Expert take: The CISA deadline on this one was May 3 — yesterday. And it’s already being mass-exploited in “Sorry” ransomware attacks (see the news section below). An authentication bypass on a web hosting control panel is about as bad as it gets: unauthenticated remote access means an attacker doesn’t need to trick anyone or steal credentials. They just walk in. cPanel manages hosting accounts, databases, email, DNS — full control of everything running under it. If your org hosts any web infrastructure on cPanel-based hosting, or if any of your vendors do, this needs to be treated as an emergency patch. If you can’t patch immediately, restrict access to the cPanel login interface by IP allowlist as a temporary control.


CVE-2024-1708: ConnectWise ScreenConnect Path Traversal Vulnerability

Vendor/Product: ConnectWise ScreenConnect

Description: ConnectWise ScreenConnect contains a path traversal vulnerability which could allow an attacker to execute remote code or directly impact confidential data and critical systems.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-05-12

Reference: CVE-2024-1708 - NVD

Expert take: ConnectWise ScreenConnect keeps appearing on these lists, and the pattern is consistent — remote support tools are prime targets because compromising them gives attackers persistent, legitimate-looking access to a large number of endpoints at once. A path traversal vulnerability that leads to RCE on the ScreenConnect server means an attacker could potentially pivot to every device the tool manages. If you use ScreenConnect — or any remote support platform — the questions to ask are: who has admin access, is it exposed to the internet, and is there session logging in place so you can audit what happened if something goes wrong. Patch by May 12, and review your access controls while you’re at it.


CVE-2026-32202: Microsoft Windows Protection Mechanism Failure Vulnerability

Vendor/Product: Microsoft Windows

Description: Microsoft Windows Shell contains a protection mechanism failure vulnerability that allows an unauthorized attacker to perform spoofing over a network.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-05-12

Reference: CVE-2026-32202 - NVD

Expert take: Windows Shell spoofing vulnerabilities are typically used as part of a broader attack chain rather than as a standalone exploit. An attacker who can spoof at the Shell level can make malicious content look like it came from a trusted source — think fake system prompts, spoofed file metadata, or network responses that appear legitimate. This is the kind of vulnerability that makes phishing and social engineering more effective because it removes visual cues that something is off. If your org is on a regular Patch Tuesday cycle, this should be covered in the May update. If you’re running any systems that skip or delay Windows updates, those are the ones to prioritize.


📰 This Week’s Security News

Instructure confirms data breach, ShinyHunters claims attack

Educational tech giant Instructure has confirmed that data was stolen in a cyberattack, with the ShinyHunters extortion gang claiming responsibility.

Read more: Instructure confirms data breach, ShinyHunters claims attack

Expert take: ShinyHunters hit ADT last week and now Instructure — the company behind Canvas, which is used by universities and schools across North America. The data at risk here is student and staff records, which is particularly sensitive. But the broader pattern matters more than the specific target: ShinyHunters is operating at scale, moving quickly across industries, and using the threat of public data leaks as leverage. If you use any Instructure products (Canvas LMS, Mastery Connect, others), check their incident notifications. More generally, if your vendor list includes SaaS platforms with large user databases and you haven’t reviewed their breach notification procedures lately, now is a good time.


Critical cPanel flaw mass-exploited in “Sorry” ransomware attacks

A newly disclosed cPanel flaw tracked as CVE-2026-41940 is being mass-exploited to breach websites and encrypt data in “Sorry” ransomware attacks.

Read more: Critical cPanel flaw mass-exploited in “Sorry” ransomware attacks

Expert take: This is the news story version of the CVE listed above — and seeing them both in the same week confirms this is active mass exploitation, not theoretical risk. “Sorry” ransomware is hitting cPanel-hosted sites at scale, which means attackers have already built automated tooling for this. The window between disclosure and mass exploitation here was very short. That’s the new normal. Patch cycles that assume days or weeks of grace before exploitation need to be revisited. For any internet-facing control panel or admin interface, the question should be: can we restrict access to known IPs as a default posture, regardless of whether a patch exists?


ConsentFix v3 attacks target Azure with automated OAuth abuse

A new attack type, dubbed ConsentFix v3, has been circulating on hacker forums, building on the previous technique by adding automation and scaling potential.

Read more: ConsentFix v3 attacks target Azure with automated OAuth abuse

Expert take: This one deserves serious attention from any org running Microsoft 365 or Azure. OAuth consent abuse is a technique where attackers register malicious third-party apps and trick users into granting them permissions — access to email, files, calendar, contacts — without ever needing the user’s password. ConsentFix v3 adds automation, meaning attackers can run this at scale across many targets simultaneously. The controls that matter here are: restrict which apps users can consent to (enforce admin consent requirements in Entra ID), audit existing OAuth app grants in your tenant for anything suspicious, and review your Conditional Access policies for app-based access. Standard MFA does not protect against this — the attack happens after authentication. Check your tenant’s app consent settings this week.
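The grant audit suggested above, as an added example that is not part of the digest: it scores delegated OAuth grants for the signs a consent-abuse app usually shows (high-privilege scopes, an unverified publisher, consent that persists via refresh tokens). It assumes you have already exported the tenant's grants (for example with `Get-MgOauth2PermissionGrant` or the Graph `/oauth2PermissionGrants` endpoint) into dicts using the resource's real field names, and that the servicePrincipal `verifiedPublisher` object has been flattened to a boolean. The scope list, service principals and grants below are constructed sample data.

```python
"""Triage Entra ID OAuth2 permission grants for consent-abuse indicators (added example)."""
from dataclasses import dataclass, field

# Delegated Microsoft Graph scopes that give broad data access once granted.
# Assumption: your own high-risk list will differ; these are common scope names.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Contacts.Read", "Calendars.Read",
    "Directory.Read.All", "Directory.AccessAsUser.All",
    "offline_access",  # refresh tokens: access persists after the user's session ends
}

# Constructed sample: service principals with verifiedPublisher flattened to a bool.
SAMPLE_SERVICE_PRINCIPALS = {
    "sp-1111": {"displayName": "Contoso HR Portal", "verifiedPublisher": True},
    "sp-2222": {"displayName": "Doc Sync Helper", "verifiedPublisher": False},
    "sp-3333": {"displayName": "Team Lunch Poll", "verifiedPublisher": False},
}

# Constructed sample grants in the oauth2PermissionGrant shape
# (clientId, consentType, principalId, resourceId, scope).
SAMPLE_GRANTS = [
    {"clientId": "sp-1111", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph", "scope": "User.Read Calendars.Read"},
    {"clientId": "sp-2222", "consentType": "Principal", "principalId": "user-42",
     "resourceId": "graph", "scope": "Mail.ReadWrite Files.ReadWrite.All offline_access"},
    {"clientId": "sp-3333", "consentType": "Principal", "principalId": "user-7",
     "resourceId": "graph", "scope": "User.Read"},
]


@dataclass
class Finding:
    client_id: str
    app_name: str
    score: int
    reasons: list = field(default_factory=list)


def triage_grant(grant, service_principals):
    """Score one grant: 2 per high-risk scope, 2 for an unverified publisher,
    1 for tenant-wide consent, 1 for a user-level grant of high-risk scopes."""
    scopes = set(grant["scope"].split())
    sp = service_principals.get(grant["clientId"], {})
    finding = Finding(grant["clientId"], sp.get("displayName", "<unknown app>"), 0)
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        finding.score += 2 * len(risky)
        finding.reasons.append("high-risk scopes: " + ", ".join(risky))
    if not sp.get("verifiedPublisher", False):
        finding.score += 2
        finding.reasons.append("publisher not verified")
    if grant["consentType"] == "AllPrincipals":
        finding.score += 1
        finding.reasons.append("tenant-wide (admin) consent")
    if grant["consentType"] == "Principal" and risky:
        finding.score += 1
        finding.reasons.append("user-level consent to high-risk scopes")
    return finding


def triage(grants, service_principals, threshold=3):
    """Return findings at or above the threshold, highest score first."""
    findings = [triage_grant(g, service_principals) for g in grants]
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage(SAMPLE_GRANTS, SAMPLE_SERVICE_PRINCIPALS):
        print(f"{f.app_name} ({f.client_id}): score {f.score}; " + "; ".join(f.reasons))
```

Run against a real export, the output is a review queue: revoke or investigate the top entries first, then tighten the tenant's user consent settings so the same grants cannot reappear without admin approval.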


✅ What You Should Do This Week

  • Past deadline — act now: Patch CVE-2026-41940 (cPanel) — CISA deadline was May 3, active mass exploitation is underway
  • Immediate: Review and restrict cPanel admin interface access by IP allowlist if patching is delayed
  • May 12 deadline: Patch CVE-2024-1708 (ConnectWise ScreenConnect) and CVE-2026-32202 (Windows Shell)
  • May 15 deadline: Patch CVE-2026-31431 (Linux Kernel) — verify cloud and container environments specifically
  • Azure/M365: Audit OAuth app consent grants in Entra ID, enforce admin consent requirements, review Conditional Access — ConsentFix v3 is active
  • Verify: Check your systems against the CISA KEV catalog
  • Third-party risk: If any vendors use Instructure products or cPanel-based hosting, initiate a check-in on their exposure
  • Backup: Test your disaster recovery procedures
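The "check your systems against the CISA KEV catalog" step, as an added example that is not part of the digest: it joins an inventory of unpatched CVEs per asset against KEV entries and orders the result by how far past (or close to) the CISA due date each one is. The real catalog is the JSON feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json (top-level key `vulnerabilities`, entries carrying `cveID`, `vendorProject`, `product` and `dueDate`); the subset below is constructed from the four entries in this digest so the script runs offline, and the inventory is constructed as well. The fourteen-day "due soon" window is an assumption.

```python
"""Cross-check an asset inventory against CISA KEV due dates (added example)."""
import json
from datetime import date

# Constructed subset of the KEV feed, limited to the CVEs in this digest.
KEV_SUBSET = json.loads("""{
 "vulnerabilities": [
  {"cveID": "CVE-2026-31431", "vendorProject": "Linux", "product": "Kernel", "dueDate": "2026-05-15"},
  {"cveID": "CVE-2026-41940", "vendorProject": "WebPros", "product": "cPanel & WHM", "dueDate": "2026-05-03"},
  {"cveID": "CVE-2024-1708", "vendorProject": "ConnectWise", "product": "ScreenConnect", "dueDate": "2026-05-12"},
  {"cveID": "CVE-2026-32202", "vendorProject": "Microsoft", "product": "Windows", "dueDate": "2026-05-12"}
 ]
}""")

# Constructed inventory: KEV-listed CVEs each asset is still missing the fix for.
# Building this mapping (from patch-management or scanner exports) is the
# environment-specific part; the join below is the same everywhere.
INVENTORY = {
    "web-host-01": ["CVE-2026-41940"],
    "support-srv-02": ["CVE-2024-1708"],
    "k8s-node-03": ["CVE-2026-31431"],
    "laptop-104": [],
}

DUE_SOON_DAYS = 14  # assumption: treat anything due within two weeks as urgent


def kev_index(catalog):
    """Map cveID -> KEV entry for O(1) lookups."""
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def classify(entry, today):
    """Return (status, days_until_due); negative days means the deadline passed."""
    days = (date.fromisoformat(entry["dueDate"]) - today).days
    if days < 0:
        return "OVERDUE", days
    if days <= DUE_SOON_DAYS:
        return "DUE_SOON", days
    return "SCHEDULED", days


def report(inventory, catalog, today):
    """Join inventory against KEV and sort: overdue first, then soonest due."""
    index = kev_index(catalog)
    rows = []
    for asset, cves in inventory.items():
        for cve in cves:
            entry = index.get(cve)
            if entry is None:
                continue  # not in KEV: still patch it, but outside this check's scope
            status, days = classify(entry, today)
            rows.append({
                "asset": asset, "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "dueDate": entry["dueDate"], "status": status, "days": days,
            })
    order = {"OVERDUE": 0, "DUE_SOON": 1, "SCHEDULED": 2}
    return sorted(rows, key=lambda r: (order[r["status"]], r["days"]))


if __name__ == "__main__":
    # The digest was written the day after the May 3 deadline, so May 4 is used here.
    for r in report(INVENTORY, KEV_SUBSET, date(2026, 5, 4)):
        print(f'{r["status"]:9} {r["cve"]:15} {r["asset"]:15} '
              f'{r["product"]} (due {r["dueDate"]}, {r["days"]:+d} days)')
```

Feeding the live feed in place of `KEV_SUBSET` turns this into a daily job whose first line is always the most overdue exposure you still have.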



GRC Vitrix provides cloud security and compliance intelligence for financial services professionals. This digest is curated from publicly available sources including CISA, Microsoft MSRC, and industry news.