Newsletter: Issue #19

May 5 Digest: Trellix Supply Chain, cPanel 40K Servers Compromised, Instructure 280M Breach, Apache HTTP/2 RCE

A security vendor's source code stolen, 40,000+ cPanel servers compromised via a month-old zero-day, 280 million student records allegedly lifted from Canvas LMS, and a CVSS 8.8 Apache HTTP/2 flaw demanding immediate action.

Dylan H.

CosmicBytez Labs

May 5, 2026
13 min read

This Week in Cybersecurity

Issue 19 is defined by a theme that keeps reasserting itself in 2026: the most dangerous attacks aren't novel — they're patient, structural, and often visible in the data weeks before defenders react.

Trellix, a major enterprise security vendor, confirmed that attackers accessed a portion of its internal source code repositories. The breach isn't primarily a data theft story — it's a strategic intelligence story. When an adversary reads a security product's detection engine source code, they gain a precise map of what triggers alerts and what doesn't. That knowledge outlasts the breach itself, enabling long-tail evasion campaigns that unfold quietly across the customer base for months. The incident follows a growing pattern of security vendor targeting in 2026: Trivy in March, Checkmarx in March, and now Trellix in May. Protecting the protectors has become a first-order security problem.

cPanel's CVE-2026-41940 is the week's most damaging mass exploitation story. An unauthenticated authentication bypass in one of the world's most widely deployed web hosting control panels landed public proof-of-concept code within hours of disclosure — but researchers confirmed zero-day exploitation had been underway for over 30 days prior. More than 40,000 servers are now confirmed compromised. Shared hosting environments are single points of failure for hundreds or thousands of downstream websites each; the blast radius here extends well beyond the server operators.

Instructure (Canvas LMS) is facing the largest alleged education sector breach on record. A threat actor known as ShinyCobalt claims to have stolen 280 million records from 8,809 colleges, school districts, and universities worldwide. Instructure confirmed a breach earlier in the week; the hacker's dataset now suggests the scope is significantly larger than initially disclosed. With student data, FERPA obligations, and minors' records potentially involved, the compliance and notification obligations are extraordinarily complex.

On the vulnerability front, CVE-2026-23918 — a CVSS 8.8 double-free memory corruption in Apache HTTP Server's HTTP/2 module — demands immediate attention from any organization running Apache 2.4.66. The flaw is unauthenticated, network-reachable, and carries potential for remote code execution. Upgrade to 2.4.67 now.


Top Stories

Trellix Source Code Breach: When Attackers Study Your Defenses

Trellix has confirmed unauthorized access to a portion of its internal source code repository. The company states its software distribution pipeline was not compromised — customers are not receiving backdoored updates — but the strategic implications of the breach run deeper than a typical data theft incident.

When an attacker gains access to a security vendor's source code, they don't just steal data. They map the detection logic: what behaviors trigger alerts, where controls are located, how threat intelligence is processed. That map enables targeted evasion — crafted malware and lateral movement techniques designed specifically to avoid the signatures and heuristics of the vendor's products. This isn't theoretical; it's the documented playbook from prior security vendor compromises.

The Trellix incident joins a 2026 pattern: Trivy suffered a GitHub Actions supply chain compromise in March, Checkmarx had repository data posted to dark web forums the same month, and now a major EDR vendor's own source has been accessed by an unauthorized party. For enterprises running Trellix products, the priority actions are rotating integration credentials, validating software signatures, and enabling additional logging on Trellix management consoles while the investigation continues.

Full analysis →

Initial disclosure →


cPanel Zero-Day: 40,000+ Servers Compromised, 30-Day Pre-Patch Window Confirmed

CVE-2026-41940, a critical unauthenticated authentication bypass in cPanel & WHM, has triggered one of the fastest and most widespread exploitation campaigns of 2026. Public proof-of-concept exploits surfaced within hours of disclosure. Researchers have now confirmed that zero-day exploitation activity began at least 30 days before public disclosure — meaning organizations that patched on day zero may already have been compromised.

The confirmed compromise count stands at over 40,000 servers, and given cPanel's estimated deployment footprint of tens of millions of globally exposed instances, that number is expected to grow. The "Sorry Ransomware" group was among the first confirmed threat actors to run mass exploitation campaigns post-disclosure. The blast radius is severe: cPanel controls every website, database, DNS record, and mailbox on a given server — a successful compromise affects every customer on a shared hosting environment simultaneously.

If you operate cPanel & WHM, treat this as an incident response situation: run /scripts/upcp --force to apply the patch, audit for unexpected administrator accounts, inspect web-accessible directories for web shells, and review the past 30+ days of access logs for anomalous unauthenticated requests.
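The triage steps above, as an added bash example that is not part of the original digest and not cPanel's own tooling: a version check, a recent-modification plus content heuristic for web shells under the document roots, a look for account files touched inside the exploitation window, and an access-log pass for requests that succeeded without an authenticated session. Assumptions, all noted in the comments: the standard cPanel paths (/usr/local/cpanel/version, /var/cpanel/users, /usr/local/cpanel/logs/access_log), a common-log-style access log with the user in field 3 and the status code in field 9, and the web shell pattern list, which you should tune for your hosting base.

```shell
#!/usr/bin/env bash
# Post-patch triage helpers for a cPanel & WHM host. Added example for this digest,
# not cPanel's own tooling. Assumptions (adjust for your host): the standard cPanel
# locations /usr/local/cpanel/version, /var/cpanel/users and
# /usr/local/cpanel/logs/access_log, and an access log in common-log layout with
# the authenticated user in field 3 and the status code in field 9.
set -euo pipefail

# PHP constructs that legitimate site code almost never chains together but drop-in
# web shells rely on: an execution primitive fed by a decoder or a request variable.
SHELL_PATTERN='(eval|assert|system|passthru|shell_exec|popen|proc_open)[[:space:]]*\((base64_decode|gzinflate|str_rot13|\$_(GET|POST|REQUEST|COOKIE))'

# Installed cPanel version, read from the version file (argument overrides the path).
cpanel_version() {
    local version_file="${1:-/usr/local/cpanel/version}"
    tr -d '[:space:]' < "$version_file"
}

# PHP files under DIR modified within DAYS days that contain shell-like code.
# Run against /home (all document roots) with a window that covers the 30+ day
# pre-disclosure exploitation period, not just the days since the patch.
find_webshell_candidates() {
    local dir="$1" days="${2:-35}"
    find "$dir" -type f -name '*.php' -mtime "-$days" \
        -exec grep -lE "$SHELL_PATTERN" {} + 2>/dev/null || true
}

# cPanel keeps one file per account in /var/cpanel/users; a file created or
# modified inside the window that nobody provisioned is a strong indicator.
recent_accounts() {
    local dir="${1:-/var/cpanel/users}" days="${2:-35}"
    { find "$dir" -maxdepth 1 -type f -mtime "-$days" 2>/dev/null || true; } \
        | sed 's#.*/##' | sort
}

# Requests with no authenticated user (field 3 is "-") that still received a 2xx
# from the control panel, excluding the login page itself. Anything other than a
# login succeeding without a session deserves a look; aggregated by IP and path.
unauthenticated_hits() {
    local log="$1"
    awk '$3 == "-" && $9 ~ /^2/ && $7 !~ /^\/login/ { print $1, $7 }' "$log" \
        | sort | uniq -c | sort -rn
}

# Full triage against the live paths; run as: bash triage.sh run
if [ "${1:-}" = "run" ]; then
    echo "cPanel version: $(cpanel_version)"
    echo "== web shell candidates under /home (last 35 days) =="
    find_webshell_candidates /home 35
    echo "== account files touched in /var/cpanel/users (last 35 days) =="
    recent_accounts
    echo "== unauthenticated 2xx requests in cpsrvd access log =="
    unauthenticated_hits /usr/local/cpanel/logs/access_log
fi
```

Run it on the host after /scripts/upcp --force. Widen the day window rather than narrowing it: exploitation began at least 30 days before disclosure, so a shell dropped on the first day of that window already falls outside a 30-day search. Treat any hit from unauthenticated_hits against an API path as a lead, not a verdict, and check the field numbers against your build's log format before trusting the filter.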

Full story →

40,000 confirmed →


Instructure Breach: 280 Million Records Claimed from 8,809 Schools

A threat actor identified as ShinyCobalt is claiming responsibility for the theft of 280 million data records from Instructure, the company behind Canvas LMS — used by universities, school districts, and corporate training programs worldwide. The alleged dataset spans students, staff, and institutional metadata from 8,809 educational organizations.

Instructure confirmed a breach earlier this week, indicating unauthorized access to a portion of its environment. The hacker's public claim and the advertised dataset suggest the scope may dwarf the company's initial disclosure. If verified, this would rank among the largest education sector breaches ever recorded, more than four times the 62.4 million records exposed in PowerSchool's 2025 breach.

The sensitivity is compounded by the population involved: student records frequently include minors' data protected by FERPA, and international students may have records subject to GDPR and national privacy frameworks. Institutions should audit Canvas API credentials and OAuth tokens, prepare breach notification workflows, and warn their communities to expect phishing attempts referencing Canvas or coursework — stolen student email addresses are prime phishing material.

Full story — hacker claims →

May 4 update — Instructure disclosure →


Apache HTTP/2 CVE-2026-23918: CVSS 8.8, Patch to 2.4.67 Now

The Apache Software Foundation has patched CVE-2026-23918, a CVSS 8.8 High double-free memory corruption vulnerability in the HTTP/2 module (mod_http2) of Apache HTTP Server 2.4.66. The flaw is unauthenticated, network-reachable, and under specific conditions can be exploited for remote code execution as the Apache worker process user.

A specially crafted HTTP/2 request sequence triggers an error path in which a heap-allocated pointer is freed twice, corrupting allocator metadata. The practical exploitation path for RCE is non-trivial against hardened environments with ASLR, but denial-of-service exploitation is straightforward. Apache remains among the most widely deployed web servers globally, and HTTP/2 is now the dominant protocol for web traffic. The combination of ubiquitous deployment and unauthenticated attack surface places this firmly in the emergency-response category.

Remediation: Upgrade to Apache HTTP Server 2.4.67. If immediate patching is operationally blocked, stop negotiating HTTP/2 as a temporary mitigation: set Protocols http/1.1 (removing h2 and h2c from every Protocols directive, including any set inside individual virtual hosts) or unload mod_http2 entirely, then restart httpd. Confirm the installed build with apache2 -v or httpd -v, keeping in mind that distribution packages often backport fixes without changing the upstream version string, so on Debian, RHEL and similar systems check the package changelog rather than trusting a 2.4.66 banner alone.
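An added shell example, not the Apache project's code and not from the advisory, that classifies an httpd -v banner against the version boundaries above and checks a config for HTTP/2 negotiation, with the exposed default and the interim mitigation side by side as constructed config fragments. The version boundaries are those the advisory states; the DUMP_INCLUDES invocation in live mode and the backport caveat are assumptions noted in the comments.

```shell
#!/usr/bin/env bash
# Added example for this digest (not from the Apache project or the advisory).
# Version boundaries (2.4.66 affected, 2.4.67 fixed, earlier unaffected) are taken
# from the advisory text; the "Server version:" banner is what httpd -v prints.
# Distribution packages may backport the fix without bumping the version, so
# "vulnerable" here means "verify against your package changelog".
set -eu

# Classify one "Server version: Apache/x.y.z ..." banner line for CVE-2026-23918.
cve_2026_23918_status() {
    local banner="$1" ver patch
    ver=$(printf '%s\n' "$banner" | sed -nE 's#^Server version: Apache/([0-9]+\.[0-9]+\.[0-9]+).*#\1#p')
    case "$ver" in
        "")    echo unknown; return ;;
        2.4.*) ;;
        *)     echo unaffected; return ;;
    esac
    patch="${ver##*.}"
    if   [ "$patch" -eq 66 ]; then echo vulnerable
    elif [ "$patch" -ge 67 ]; then echo patched
    else echo unaffected; fi
}

# Constructed vhost fragments: the exposed default beside the interim mitigation.
WEAK_CONF='LoadModule http2_module modules/mod_http2.so
<VirtualHost *:443>
    Protocols h2 h2c http/1.1
</VirtualHost>'

FIXED_CONF='LoadModule http2_module modules/mod_http2.so
<VirtualHost *:443>
    # CVE-2026-23918 interim mitigation until 2.4.67 is installed:
    # stop negotiating HTTP/2 (also the default when Protocols is unset)
    Protocols http/1.1
</VirtualHost>'

# Read a merged config on stdin and report whether HTTP/2 is still negotiated.
# Commented-out directives are ignored; h2/h2c are matched as whole tokens, so
# "Protocols http/1.1" and "ProtocolsHonorOrder on" do not count.
h2_exposure() {
    local conf
    conf=$(cat)
    if ! printf '%s\n' "$conf" | grep -qiE '^[[:space:]]*LoadModule[[:space:]]+http2_module'; then
        echo "mod_http2 not loaded"
    elif printf '%s\n' "$conf" | grep -qiE '^[[:space:]]*Protocols([[:space:]]+[^[:space:]]+)*[[:space:]]+h2c?([[:space:]]|$)'; then
        echo "h2 negotiated"
    else
        echo "h2 disabled (mod_http2 still loaded)"
    fi
}

# Live check on this host: bash apache-check.sh live
if [ "${1:-}" = "live" ]; then
    bin=$(command -v httpd || command -v apache2 || true)
    [ -n "$bin" ] || { echo "no httpd/apache2 binary on PATH"; exit 1; }
    banner=$("$bin" -v | head -n 1)
    echo "$banner -> $(cve_2026_23918_status "$banner")"
    # Assumption: -D DUMP_INCLUDES (2.4.8+) lists every config file the running
    # config pulls in; concatenating them approximates the merged config.
    "$bin" -t -D DUMP_INCLUDES 2>/dev/null | grep -oE '/[^ ]+' | xargs cat 2>/dev/null | h2_exposure
else
    printf '%s\n' "$WEAK_CONF"  | h2_exposure    # h2 negotiated
    printf '%s\n' "$FIXED_CONF" | h2_exposure    # h2 disabled (mod_http2 still loaded)
fi
```

The Protocols check deliberately walks the whole merged config: a server-level Protocols http/1.1 is undone by any virtual host that re-enables h2 for itself, which is exactly the case a quick grep of httpd.conf misses.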

Full story →

Security advisory →


1 Million Exposed AI Endpoints: Security Is Dire

Researchers have completed a landmark scan of over one million publicly reachable self-hosted AI service endpoints — Ollama instances, OpenWebUI dashboards, Flowise installations, vector databases, and inference APIs — and the findings are stark: tens of thousands of endpoints accept inference requests from any IP with no authentication, admin dashboards have no login screens, and misconfigured reverse proxies forward upstream API keys in response headers.

The researchers argue the software industry's hard-won progress on secure defaults is being eroded by the speed of AI deployment. Organizations stood up LLM infrastructure faster than they built security controls around it, replicating the misconfiguration epidemics seen in early cloud adoption — but with a new wrinkle: exposed AI endpoints can leak API keys for upstream providers (OpenAI, Anthropic, Azure), enabling downstream credential abuse, quota draining, and access to sensitive inference histories. For defenders, the priority is auditing self-hosted AI infrastructure for open network bindings, enforcing authentication on all AI management interfaces, and treating AI API keys with the same rotation discipline as cloud credentials.
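An added example, not from the research above and not from any of the tools named, that turns the "open network bindings" audit into a check you can run on each host. It reads ss -ltn output and reports listeners bound to every interface on the default ports of common self-hosted AI components. The port map is the tools' documented defaults (an assumption if you remapped them), the ss column layout is the standard one, and the sample ss output embedded in the block is constructed.

```shell
#!/usr/bin/env bash
# Added example for this digest, not part of the research discussed above. Finds
# listening sockets bound to every interface on the default ports of common
# self-hosted AI components. Assumptions: the tools' documented default ports
# (edit AI_PORTS if you changed them) and the standard "ss -ltn" column layout.
set -eu

# port:component pairs. Where tools share a default (8000, 8080, 3000) all are listed.
AI_PORTS='11434:ollama 8080:open-webui/weaviate 3000:flowise/open-webui 1234:lm-studio 8000:langserve/vllm/chroma 6333:qdrant 19530:milvus'

# Read "ss -ltn" output on stdin; print "port component address" for every LISTEN
# socket on a wildcard address (0.0.0.0, *, [::] or ::) whose port is in AI_PORTS.
# Loopback-only binds are not reported: they are reachable only through a reverse
# proxy, which is where authentication belongs.
exposed_ai_listeners() {
    awk -v ports="$AI_PORTS" '
    BEGIN {
        n = split(ports, pairs, " ")
        for (i = 1; i <= n; i++) { split(pairs[i], kv, ":"); name[kv[1]] = kv[2] }
    }
    $1 == "LISTEN" {
        la = $4
        port = la; sub(/.*:/, "", port)        # text after the last colon
        addr = la; sub(/:[0-9]+$/, "", addr)   # everything before it
        wild = (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
        if (wild && (port in name)) print port, name[port], addr
    }'
}

# Does an Ollama-style API answer without credentials? A 200 on /api/tags means the
# model list (and the inference API beside it) is open to whoever can reach the port.
probe_ollama() {
    local host="$1" port="${2:-11434}"
    curl -s -m 5 -o /dev/null -w '%{http_code}' "http://$host:$port/api/tags" || true
}

# Constructed "ss -ltn" sample: Ollama and Flowise on all interfaces, Open WebUI on loopback.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:11434      0.0.0.0:*
LISTEN 0      4096   127.0.0.1:8080     0.0.0.0:*
LISTEN 0      4096   [::]:3000          [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# Live audit of this host: bash ai-listeners.sh live
if [ "${1:-}" = "live" ]; then
    ss -ltn | exposed_ai_listeners
else
    printf '%s\n' "$SS_SAMPLE" | exposed_ai_listeners
fi
```

A wildcard bind is not proof of exposure (a host firewall or security group may still block it), but it is the condition every one of the scanned-and-open endpoints shares, and a match on 11434 or 3000 with nothing in front of it is worth a probe_ollama call from outside the host before anyone else makes it.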

Full story →


Security Corner

10 CVEs are newly published to the Security Advisories section this week. Priority advisories:

CVE-2026-23918 — Apache HTTP Server Double Free / RCE via HTTP/2 (CVSS 8.8 High) A double-free memory corruption in mod_http2 on Apache HTTP Server 2.4.66, reachable without authentication over the network and exploitable for RCE under specific conditions. Upgrade to 2.4.67 immediately. No authentication required; no user interaction required. Full advisory →

CVE-2026-42364 — GeoVision IP Camera OS Command Injection (CVSS 9.9 Critical) Critical unauthenticated OS command injection in GeoVision LPC2011/LPC2211 IP cameras (firmware 1.10) via a crafted DDNS request. Affects OT/physical security infrastructure — isolate affected cameras from internet access immediately. Full advisory →

CVE-2025-13618 — WordPress Mentoring Plugin Privilege Escalation (CVSS 9.8 Critical) Unauthenticated attackers can register with arbitrary roles — including administrator — on WordPress sites running the Mentoring plugin (≤1.2.8). Update or deactivate the plugin immediately. Full advisory →

CVE-2026-7747 — Totolink N300RH Buffer Overflow / RCE (CVSS 9.8 Critical) Stack buffer overflow in the loginauth handler of Totolink N300RH routers (firmware 3.2.4-B20220812) allows unauthenticated RCE via the Password CGI parameter. Apply firmware updates or isolate from untrusted networks. Full advisory →

CVE-2026-7679 — YunaiV yudao-cloud OAuth2 Authentication Bypass (CVSS 7.3 High) Logic flaw in OAuth2TokenServiceImpl.getAccessToken() allows attackers to obtain valid OAuth2 tokens without supplying credentials. Restrict token endpoint access to trusted IPs and update immediately. Full advisory →

Also published this week:

  • CVE-2026-5722 → Advisory
  • CVE-2026-7482 → Advisory
  • CVE-2026-42368 → Advisory
  • CVE-2026-5063 — Stored XSS in NEX-Forms WordPress Plugin (High) → Advisory
  • CVE-2025-14320 → Advisory

Quick Takes

  • Weaver E-cology CVE-2026-22679 (CVSS 9.8) Actively Exploited: A critical unauthenticated RCE flaw in Weaver E-cology (泛微OA) is being exploited in the wild via an exposed Debug API endpoint. Weaver OA has a massive deployment base across Chinese enterprise environments and multinationals — organizations running it should disable the Debug API endpoint immediately and apply vendor patches. Read more →

  • Silver Fox Targets India, Russia with Tax-Themed Attacks: The Silver Fox APT group has been observed conducting tax-themed social engineering campaigns against organizations in India and Russia, using lure documents mimicking tax authority communications to deploy credential-stealing payloads. The campaign underscores that geopolitically-motivated threat actors are expanding their geographic targeting beyond traditional Western focuses. Read more →

  • Global Crackdown: 276 Arrests, 9 Crypto Scam Centers Shut, $701M Seized: Dubai Police — with US and Chinese cooperation — executed a sweeping international operation against pig-butchering and cryptocurrency investment fraud networks, resulting in 276 arrests, the shutdown of nine scam operation centers, and approximately $701 million in asset seizures. Read more →

  • Microsoft Defender False Positives Flag DigiCert Certificates as Trojan: A widely reported false positive in Microsoft Defender began flagging legitimate DigiCert certificates as Trojan:Win32/Cerdigent.A!dha, triggering quarantine events across enterprise environments. Organizations affected by unexpected certificate quarantines should confirm it is the false positive before revoking certificates — Microsoft has acknowledged the issue. Read more →

  • The EOL Blind Spot in Your CVE Feed: A structural gap in how CVE feeds and SCA tools handle end-of-life software leaves organizations with a false sense of security. Vulnerabilities discovered in EOL packages after their support window closes rarely receive CVE assignments — meaning a clean scan result doesn't equal a secure dependency tree. Check endoflife.date and supplement standard SCA tooling with EOL-aware inventory. Read more →

  • Ransomware Group Claims Breach of Pro-Orbán Hungarian Media Firm: A ransomware group has claimed responsibility for breaching a media company aligned with the Hungarian government, alleging exfiltration of internal editorial communications and operational data. The targeting of media infrastructure with political affiliation signals continued APT and ransomware interest in influence operations and information warfare objectives. Read more →

  • Data Centers Belong on the Critical Infrastructure List: A policy analysis published this week argues that data centers — which underpin financial markets, healthcare delivery, emergency services, and government operations — should be formally classified as critical infrastructure, carrying the regulatory protections and incident-reporting obligations that designation entails. The argument has gained urgency following several major data center outages and targeted attacks in the past 18 months. Read more →

  • Telegram Mini Apps Abused for Crypto Scams and Android Malware: Researchers have documented a campaign exploiting Telegram's Mini App platform to serve fake cryptocurrency trading interfaces and sideload Android malware onto victims' devices. The attack leverages user trust in the Telegram ecosystem to bypass the skepticism users apply to traditional phishing lures. Read more →


Upcoming

  • Instructure/Canvas LMS Investigation Progress: The critical unknown is whether the 280 million claimed records are authentic and whether Instructure's investigation will confirm ShinyCobalt's scope. Watch for formal breach notification filings, FERPA notification timelines, and updates from the educational institutions whose data may be involved. The investigation is ongoing as of May 5 — the picture will sharpen materially in the coming days.

  • cPanel Long-Tail Remediation: With confirmed zero-day exploitation stretching back 30+ days before the patch dropped, organizations that applied CVE-2026-41940 fixes on disclosure day should not assume they are clean. Conduct a thorough compromise assessment: audit all administrator and reseller accounts, inspect web-accessible directories for web shells, and review DNS records for unauthorized modifications. The "already patched" window is not a clean bill of health.

  • Apache HTTP Server Patch Rollout: CVE-2026-23918 affects Apache 2.4.66 specifically; 2.4.65 and earlier are not vulnerable to this CVE, and 2.4.67 is the fix. Organizations should inventory Apache deployments to identify the specific version in use rather than treating this as a blanket "patch all Apache" exercise. Check apache2 -v or httpd -v on every server in your environment, and remember that distribution packages (Debian, Ubuntu, RHEL and derivatives) frequently backport fixes under the old version number, so a 2.4.66 banner on a distro build is a prompt to check the package changelog, not proof of exposure.

  • Weaver E-cology Debug API Exposure: CVE-2026-22679 active exploitation is ongoing. If your organization runs Weaver E-cology in any capacity — including subsidiaries or joint ventures in Chinese or Southeast Asian markets — verify the Debug API endpoint (/debug/ or equivalent) is not internet-accessible and confirm the vendor patch status. The CVSS 9.8 score and active exploitation status make this a zero-hour remediation item.

  • AI Infrastructure Security Audit: Following the 1-million-endpoint research findings, this is a good moment to audit self-hosted AI deployments. Identify every Ollama, LM Studio, OpenWebUI, Flowise, LangServe, or similar instance in your environment, confirm authentication is required before inference or management operations are permitted, and rotate any API keys that may have been exposed via open endpoints.


By the Numbers

Metric                                                   Value
Instructure breach — records claimed by ShinyCobalt      280 million
Instructure breach — institutions affected (claimed)     8,809
cPanel servers confirmed compromised (CVE-2026-41940)    40,000+
cPanel zero-day pre-disclosure exploitation window       30+ days
CVE-2026-23918 (Apache HTTP/2) CVSS score                8.8 High
CVE-2026-22679 (Weaver E-cology) CVSS score              9.8 Critical
AI endpoints scanned in new research                     1,000,000+
Global crypto fraud operation — arrests                  276
Global crypto fraud operation — assets seized            $701 million
New CVEs published this week                             10

CosmicBytez Labs — IT & Cybersecurity Intelligence Hub


Tags: Newsletter, Security Digest, May 2026, Trellix, Supply Chain, Source Code, cPanel, Zero-Day, Instructure, Canvas LMS, Data Breach, Education, Apache, CVE-2026-23918, HTTP/2, RCE, AI Security, Weaver E-cology, CVE-2026-22679, Threat Intelligence