Update on the cPanel flaw covered April 30: attackers are now mass-exploiting CVE-2026-41940 to deploy a Linux ransomware called 'Sorry' that encrypts websites and demands payment to unlock them. Shadowserver confirms at least 44,000 cPanel hosts have been compromised, with hundreds of victim sites already showing up in Google search results. The Sorry encryptor is written in Go, uses ChaCha20 with an embedded RSA-2048 public key (so victims cannot recover files without the attacker's private key), and appends '.sorry' to filenames. KnownHost reports the cPanel flaw was being exploited as a zero-day since at least February 23.
Shadowserver scan data published Friday shows over 10,500 Zimbra Collaboration Suite instances still unpatched against CVE-2025-48700, a Classic-UI XSS that Synacor fixed in June 2025 but CISA only added to KEV on April 20. Exposed servers split nearly evenly between Asia (3,794) and Europe (3,793). The flaw triggers when a victim simply views a crafted email - no clicks - and runs JavaScript inside their authenticated session for mailbox theft and MFA backup-code retrieval. Zimbra is a recurring APT target: Russia's Winter Vivern, APT29, and APT28 have all run Zimbra-XSS campaigns against NATO and Ukrainian targets.
Shadowserver data shows 1,300+ internet-exposed Microsoft SharePoint servers remain unpatched against CVE-2026-32201, a spoofing flaw Microsoft confirmed as a zero-day and CISA added to its Known Exploited Vulnerabilities catalog the same day the fix dropped in April Patch Tuesday. Fewer than 200 systems have been patched since the update shipped last week. The flaw affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. An unauthenticated attacker can perform network spoofing through improper input validation in a low-complexity attack that needs no user interaction, letting them view sensitive information and modify data, though not affect availability. Microsoft has not described the exploitation technique or attributed the attacks to a specific group, which is unusual for a zero-day and hints at an ongoing investigation. CISA ordered federal agencies to patch by April 28 under Binding Operational Directive 22-01, and given ongoing in-the-wild abuse, private-sector operators should treat that as their own deadline. SharePoint's habit of holding cached Office 365 tokens, SharePoint-signed refresh tokens, and IP on sensitive business processes makes any compromise a serious lateral-movement foothold, not a minor information disclosure.
Day-after follow-up to our April 18 coverage: Shadowserver has published telemetry showing 6,400+ Apache ActiveMQ servers exposed online are still vulnerable to CVE-2026-34197, the 13-year-old code injection flaw CISA added to KEV last week with an April 30 federal patch deadline. Geographic breakdown: Asia leads with 2,925 vulnerable servers, North America follows at 1,409, Europe at 1,334. Horizon3's Naveen Sunkavally (who discovered the flaw using the Claude AI assistant as his research tool) is urging admins to treat this as high priority, noting ActiveMQ has been a repeated target for real-world attackers - CVE-2016-3088 and CVE-2023-46604 are both on KEV, with the latter used as a zero-day by the TellYouThePass ransomware gang. The Apache maintainers patched the flaw on March 30 in ActiveMQ Classic 6.2.3 and 5.19.4. Horizon3 recommends searching broker logs for suspicious connections using the internal VM transport protocol with the brokerConfig=xbean:http:// query parameter as an indicator of exploitation.
TrustStrike Labs