Linux kernel LPE flaw, cPanel 0-day exploited for months

Summary
– Labor-hire platforms like RentAHuman now allow AI agents to directly post gigs for physical tasks such as attending meetings and surveying sites.
– A study of 2.7 million arXiv submissions found that 88% of LaTeX source files contained material not intended for public release.
– US state privacy regulators collected $3.425 billion in fines in 2025, nearly double the $1.827 billion from 2024.
– Attackers are exploiting CVE-2026-32202, a zero-click Windows Shell spoofing vulnerability, with CISA and Microsoft issuing active exploitation warnings.
– A bug in the Vect Ransomware-as-a-Service operation causes affiliates to encrypt victims’ data with no way to recover it, effectively turning the ransomware into a data wiper.
Last week’s cybersecurity landscape delivered a sobering mix of long-dormant vulnerabilities, active zero-day exploitation, and persistent identity management failures. From a nine-year-old Linux kernel flaw enabling reliable privilege escalation to a cPanel authentication bypass exploited for months before a patch, defenders faced mounting pressure on multiple fronts.
Researchers at Theori disclosed CVE-2026-31431, a high-severity local privilege escalation (LPE) vulnerability in the Linux kernel nicknamed “Copy Fail.” The flaw affects virtually every major Linux distribution shipped since 2017, and a working proof-of-concept exploit is publicly available. Meanwhile, CVE-2026-41940, a critical authentication bypass in the cPanel web hosting control panel, had been actively exploited since at least February 23, well before watchTowr researchers released technical details.
CISA and Microsoft jointly warned of active exploitation of CVE-2026-32202, a zero-click Windows Shell spoofing vulnerability stemming from an incomplete patch for an earlier flaw exploited by APT28 (Fancy Bear). On the open-source front, researchers at Wiz reported that 88% of self-hosted GitHub Enterprise Server instances remain exposed to CVE-2026-3854, a remote code execution flaw that was fixed on GitHub.com within hours but still threatens organizations running GitHub Enterprise Server on their own infrastructure, where patching depends on the operator rather than on GitHub.
The threat landscape extended beyond traditional vulnerabilities. A group tracked as UNC6692 has been penetrating corporate networks by impersonating IT helpdesk staff on Microsoft Teams, tricking employees into downloading malware and surrendering credentials to a fake “Mailbox Repair Utility.” Separately, the ShinyHunters group claimed a breach of Udemy, leaking 1.4 million unique email addresses along with names, physical addresses, and instructor payout details. ADT confirmed a breach affecting customer data, while the hackers behind it claimed to have stolen millions of records.
US state privacy fines reached a staggering $3.425 billion in 2025, nearly double the previous year’s total, with Gartner predicting continued acceleration through 2028. In a notable enforcement action, Canadian police arrested three men in the country’s first SMS blaster case, involving a device that impersonates a legitimate cellular tower to push messages directly to nearby phones. Swiss authorities arrested 10 suspected members of the Black Axe cybercrime network, including its ‘Regional Head’ for Southern Europe. Ukrainian police detained three suspects accused of hacking and reselling 600,000 Roblox accounts.
Identity management emerged as a recurring theme. Experts argued that IAM was built for humans, not AI agents, and that identity discovery remains the overlooked foundation of strategic risk reduction. Teleport CEO Ev Kontsevoy made the case for a single identity layer for distributed infrastructure, while the FIDO Alliance began exploring how to keep AI agents from going rogue on online payments.
The AI security conversation also highlighted growing risks. OpenAI warned that the window for defenders to keep pace with AI-driven attacks is narrowing, and a global survey found that 31% of AI users receive no employer training, deepening shadow AI risks. Researchers at Capital One proposed Adaptive Instruction Composition, a learning layer for automated LLM red teaming that prioritizes the most promising attack combinations. Meanwhile, Dataiku released Kiji Privacy Proxy, an open-source tool that masks PII before prompts reach external AI services.
Other notable developments included Cisco’s open-source toolkit for verifying AI model lineage, the IPFire DNS Firewall update that blocks malware domains at the resolver, and a report that bad bots now make up 40% of internet traffic. On the positive side, BleachBit 6.0.0 upgraded code signing across platforms, Proxmox Backup Server 4.2 added S3 storage support, and Fedora Linux 44 shipped with GNOME 50 and KDE Plasma 6.6. Warp open-sourced its AI terminal client, and OpenAI released Symphony to automate Codex work through Linear.
(Source: Help Net Security)