
cPanel Zero-Day Hits 1.5M Sites 🚨 Phishing Wave Beats MFA 🎣

Two stories from today's threat landscape demand your attention: a stealthy cPanel flaw that gave attackers free run of over a million web servers for two months, and a sprawling phishing operation that's quietly stealing Microsoft logins from tens of thousands of users — even those with multi-factor authentication turned on.

The cPanel Zero-Day That Hid in Plain Sight for 64 Days

If your website runs on cPanel — the control panel powering a huge chunk of small business hosting — you need to know about CVE-2026-41940. Researchers and hosting providers now confirm that attackers were quietly exploiting this critical authentication bypass starting February 23, more than two months before cPanel publicly disclosed it on April 28. With over 1.5 million cPanel servers exposed to the internet, the damage is already showing up: more than 7,000 hosts have been hit with "Sorry" ransomware that encrypts WordPress files, and another wave of malware is being installed via Telnet for follow-on attacks. CISA added the bug to its mandatory-patch list with a May 3 federal deadline. The harsh reality: if your server was reachable on the cPanel ports during the February-to-April window, security pros recommend rebuilding from a clean backup rather than trying to clean it up.


The Phishing Campaign That Walks Right Past MFA

Microsoft just exposed a massive credential theft operation that hit 35,000 users across 26 countries — and here's the unsettling part: it bypasses multi-factor authentication. Attackers blast out professional-looking emails disguised as "code of conduct" notices, complete with urgent accusations to push you into clicking. The PDF attachments lead through a CAPTCHA gate (to dodge automated scanners) before landing victims on adversary-in-the-middle phishing pages that capture not just passwords, but the active session tokens that bypass MFA entirely. The takeaway for everyone: even with MFA, an urgent-looking work email can still be a trap. Slow down, verify the sender, and never log in from a link in an unexpected message.


Stay ahead of threats with GOCO Security at gocosecurity.com.
