Weekly Cyber Briefing 01.05.2026

Weekly Cyber Update: 1 May 2026

Zimbra servers, SAP npm packages and cPanel/WHM systems under attack; utility tech firm Itron reports a security breach

The Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends and indicators, curated by our CISO, Nick Harris. Here’s our pick of the top stories, and why you should care.


Critical cPanel authentication bypass bug exploited as a zero-day

A critical authentication bypass vulnerability in cPanel, WebHost Manager (WHM) and WP Squared has been actively exploited in the wild since at least February, according to reports. CVE-2026-41940, which has a CVSS score of 9.8, was patched on April 28. It could enable unauthenticated attackers to hijack the control panels used to manage web hosting servers. WHM and cPanel are popular vendors of these panels, while WP Squared provides management panels for WordPress hosting.

Why it matters

According to Rapid7, successful exploitation could enable full remote control of the cPanel host system, its configurations and databases, and websites it manages. There are around 1.5 million instances exposed online, though it’s unclear how many are vulnerable to CVE-2026-41940.

Assured’s recommended action

Follow the vendor’s advice and patch cPanel/WHM versions after 11.4. A patch is also available for WP Squared version 136.1.7. If patching isn’t possible, block external access to ports 2083, 2087, 2095, and 2096, or stop cpsrvd and cpdavd. If you’re concerned about infection, run the detection script, which is also available in the security advisory.


Over 10,000 Zimbra servers exposed to cross-site scripting attacks

A legacy flaw still present on thousands of Zimbra email servers is being exploited in the wild to steal sensitive information, it has emerged. CVE-2025-48700 affects Zimbra Collaboration Suite (ZCS) 8.8.15, 9.0, 10.0, and 10.1, and was added to CISA’s KEV catalogue on Monday. According to the Shadowserver Foundation, over 10,500 Zimbra servers were exposed as of late last week, including thousands in Europe.

Why it matters

Exploitation could enable threat actors to scrape sensitive emails from targeted servers. No user interaction is required beyond a victim viewing a maliciously crafted email message in the Zimbra Classic UI.

Assured’s recommended action

Update your Zimbra instances according to vendor instructions, prioritising high-value servers. Consider threat hunting to detect suspicious activity, such as logins from strange locations or unusual JavaScript injection attempts.


Official SAP npm packages hijacked in credential theft campaign

Several npm packages used to support SAP’s Cloud Application Programming Model (CAP) and Cloud MTA have been hijacked and modified to include credential-stealing malware. It’s unclear how the threat actors (TeamPCP) managed to compromise SAP’s npm publishing process. But the campaign appears designed to capitalise on the trust many developers place in official packages from major software vendors.

Why it matters

The malware was designed to steal local developer credentials, GitHub and npm tokens, GitHub Actions secrets, and cloud secrets from AWS, Azure, GCP, and Kubernetes. That could provide threat actors with broader access to victims’ cloud and enterprise systems (e.g., ERP, CRM, financial databases). The malware is also programmed to spread further by using stolen npm or GitHub credentials to modify any packages and repositories it encounters.

Given SAP’s penetration in the UK enterprise market, the blast radius of a successful infection here could be considerable – approaching the scale of the SalesLoft/Drift campaign.

Assured’s recommended action

Search your developer environment for malicious files (setup.mjs, execution.js) and the following affected package versions: mbt v1.2.48, @cap-js/db-service v2.10.1, @cap-js/postgres v2.2.2, @cap-js/sqlite v2.2.2. Rotate all credentials, including GitHub, Kubernetes, and npm tokens; cloud credentials; and CI/CD secrets. Audit GitHub for suspicious activity (commits, new repositories, unusual authors, etc.).
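As an added example (not part of the briefing, and not SAP's or TeamPCP-related tooling), the following Python checks a package-lock.json for the affected versions listed above and walks a directory for the two file names; the lockfile data embedded in it is constructed for demonstration.

```python
# Added example (not from the briefing or SAP): scan an npm project for the affected
# package versions and malicious file names the briefing lists.
import os

AFFECTED = {  # affected versions as listed in the briefing
    "mbt": {"1.2.48"},
    "@cap-js/db-service": {"2.10.1"},
    "@cap-js/postgres": {"2.2.2"},
    "@cap-js/sqlite": {"2.2.2"},
}
SUSPICIOUS_FILES = {"setup.mjs", "execution.js"}  # file names named in the briefing

# Constructed package-lock.json (lockfileVersion 3); one copy is nested under another package.
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/mbt": {"version": "1.2.47"},
    "node_modules/@cap-js/sqlite": {"version": "2.2.2"},
    "node_modules/x/node_modules/@cap-js/db-service": {"version": "2.10.1"},
}}


def find_affected_packages(lock: dict) -> list[tuple[str, str, str]]:
    """Return (name, version, install path) for each affected version in a lockfile.
    Handles lockfileVersion 2/3 ("packages" keyed by path) and v1 (nested "dependencies")."""
    hits = []

    def check(name, version, where):
        if version in AFFECTED.get(name, ()):
            hits.append((name, version, where))
    if "packages" in lock:
        for p, meta in lock["packages"].items():
            if p:  # "" is the root project entry, not a dependency
                check(p[p.rfind("node_modules/") + len("node_modules/"):], meta.get("version"), p)
    else:
        def walk(deps, prefix):
            for name, meta in deps.items():
                check(name, meta.get("version"), prefix + name)
                walk(meta.get("dependencies", {}), prefix + name + " > ")
        walk(lock.get("dependencies", {}), "")
    return hits


def find_suspicious_files(root: str) -> list[str]:
    """List files under root (e.g. node_modules) whose name matches a suspicious one."""
    return sorted(os.path.join(d, f) for d, _, files in os.walk(root)
                  for f in files if f in SUSPICIOUS_FILES)


if __name__ == "__main__":
    print(find_affected_packages(SAMPLE_LOCK))     # constructed sample: 2 hits
    print(find_suspicious_files("node_modules"))   # empty if no node_modules here
```

Point `find_affected_packages` at `json.load(open("package-lock.json"))` in each repository and CI runner you audit; a hit or a suspicious file means the credential rotation above applies to that environment.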


Utility tech provider Itron confirms network breach

Itron confirmed this week that unauthorised access to its IT systems occurred on April 13. The firm serves over 8000 utilities across more than 100 countries, with hundreds of millions of customers. It provides crucial IoT and smart grid technology. It expects insurance to cover any costs arising from the incident.

Why it matters

Itron said the unauthorised access was confined to its IT systems. However, the organisation’s role in critical infrastructure introduces potential supply chain risk. This could include threat actor access to downstream utility customers and grid-related data or configurations.

Assured’s recommended action

Audit to check whether your organisation uses Itron products/services, and ask the firm whether the breach impacted your systems. Increase monitoring for unusual activity linked to Itron services. Strengthen IT/OT segmentation.
