April’s incidents included a major cPanel takeover flaw that exposed millions of websites, OAuth token theft via third‑party AI tools, DNS hijacking of Microsoft 365 logins, an actively exploited SharePoint zero‑day and IT helpdesk impersonation attacks.
The headlines:
- Critical cPanel flaw leaves millions of websites exposed
- Vercel breached after OAuth tokens stolen via third‑party AI tool
- NCSC warns of large-scale credential theft via router DNS hijacking
- Microsoft fixes actively exploited SharePoint zero‑day
- Attackers impersonate IT helpdesks through Microsoft Teams
Read more about these key threats and recommended actions identified by our SOC team this month:
Actively exploited cPanel vulnerability exposes millions of websites to takeover
Security researchers disclosed a critical authentication bypass vulnerability in cPanel and WebHost Manager (WHM), widely used web server management software that underpins over a million websites globally. The flaw allows attackers to gain administrative access to the cPanel interface without valid credentials, potentially enabling full server and website takeover.
The vulnerability, tracked as CVE-2026-41940, has been added to CISA’s Known Exploited Vulnerabilities catalogue, confirming active exploitation in the wild. All supported cPanel versions after 11.40 are affected, including DNSOnly and WP Squared deployments.
In response, cPanel released patches on 28 April 2026. Several major hosting providers temporarily blocked access to cPanel interfaces while patching, citing evidence of exploitation attempts dating back to February 2026.
What are the risks?
- Authentication bypass enables full administrative takeover
- A single compromised server can expose hundreds or thousands of hosted sites
- Shared hosting environments amplify blast radius across unrelated organisations
Recommended actions:
Vercel breach tied to OAuth token theft via third-party AI tool
Vercel confirmed a breach after a company employee used the third-party AI analytics tool Context.ai. Attackers stole OAuth tokens from the tool and used them to access the employee’s Google Workspace account. From there, they moved laterally into internal systems. Vercel stated that a subset of customer credentials was exposed during the incident.
The case highlights how OAuth token abuse can bypass traditional authentication controls and how third-party AI tooling introduces new trust and data exposure risks.
What are the risks?
- OAuth tokens can grant broad access without requiring a password or MFA reauthentication
- Third-party SaaS and AI tools expand the identity attack surface
- Compromised employee identities can enable downstream access to customer systems and data
Recommended actions:
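One way to put the OAuth risk above into practice is to audit which third-party apps hold standing grants on a Workspace account and how broad their scopes are. The script below is an added example for this roundup, not Vercel's, Google's or Context.ai's code; the grant records, app names and client IDs are constructed, while the scope strings are real Google API scopes. In practice the grant list would come from the Workspace admin token report or the account's "third-party apps with account access" page.

```python
"""Audit third-party OAuth grants on a Google Workspace account for broad scopes.

Added example for illustration; the grant records below are constructed.
"""
from dataclasses import dataclass

# Scopes that give an app standing access to mail, files or the directory
# without any further password or MFA prompt (real Google API scope strings).
BROAD_SCOPES = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/gmail.modify": "read/modify mail",
    "https://www.googleapis.com/auth/drive": "full Drive access",
    "https://www.googleapis.com/auth/drive.readonly": "read all Drive files",
    "https://www.googleapis.com/auth/admin.directory.user": "manage directory users",
}

# Scopes that only identify the signed-in user; low risk on their own.
IDENTITY_SCOPES = {
    "openid",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}


@dataclass
class Grant:
    app_name: str
    client_id: str            # placeholder values below, not real client IDs
    scopes: list
    verified_publisher: bool
    days_since_last_use: int


@dataclass
class Finding:
    app_name: str
    severity: str
    reasons: list


def assess_grant(grant: Grant, stale_after_days: int = 90) -> Finding:
    """Rate one grant: broad scopes from an unverified publisher are the worst case."""
    reasons = []
    broad = [BROAD_SCOPES[s] for s in grant.scopes if s in BROAD_SCOPES]
    if broad:
        reasons.append("broad scopes: " + ", ".join(broad))
    unknown = [s for s in grant.scopes
               if s not in BROAD_SCOPES and s not in IDENTITY_SCOPES]
    if unknown:
        reasons.append("unrecognised scopes: " + ", ".join(unknown))
    if not grant.verified_publisher:
        reasons.append("publisher not verified")
    if grant.days_since_last_use > stale_after_days:
        reasons.append(f"unused for {grant.days_since_last_use} days")

    if broad and not grant.verified_publisher:
        severity = "high"
    elif broad or unknown:
        severity = "medium"
    elif reasons:
        severity = "low"
    else:
        severity = "info"
    return Finding(grant.app_name, severity, reasons)


def audit(grants):
    """Return findings with the riskiest grants first."""
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    return sorted((assess_grant(g) for g in grants), key=lambda f: order[f.severity])


# Constructed sample grants (app names and client IDs are made up).
SAMPLE_GRANTS = [
    Grant("Example Analytics Assistant", "example-client-1", [
        "openid",
        "https://www.googleapis.com/auth/userinfo.email",
        "https://mail.google.com/",
        "https://www.googleapis.com/auth/drive.readonly",
    ], verified_publisher=False, days_since_last_use=3),
    Grant("Calendar Sync Example", "example-client-2", [
        "openid",
        "https://www.googleapis.com/auth/calendar",
    ], verified_publisher=True, days_since_last_use=120),
    Grant("Sign-in only Example", "example-client-3", [
        "openid",
        "https://www.googleapis.com/auth/userinfo.profile",
    ], verified_publisher=True, days_since_last_use=10),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_GRANTS):
        print(f"[{f.severity.upper()}] {f.app_name}: {'; '.join(f.reasons) or 'no issues'}")
```

The point of the severity ladder is that a refresh token with mail or Drive scopes keeps working after the user's password is rotated, so revoking the grant (and, for a breach, invalidating the app's tokens) is the control, not a password reset alone.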
NCSC warns of large-scale credential theft via router DNS hijacking
The UK National Cyber Security Centre has warned that Russian state-aligned threat actors, tracked as APT28, are hijacking DNS settings on vulnerable routers. By manipulating DNS resolution, attackers redirect users to adversary-in-the-middle infrastructure that intercepts web and email logins, particularly for Outlook, Office and Microsoft 365 services.
The campaign enables theft of credentials and OAuth tokens without deploying malware on victim devices.
What are the risks?
- Credentials and tokens can be stolen even on fully patched endpoints
- Home and small office routers present a weak link for remote workers
- Intercepted authentication flows undermine Zero Trust assumptions
Recommended actions:
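A practical endpoint check for the router DNS hijacking described above is to compare the resolvers the device has been handed with an expected list, and to compare the addresses the system resolver returns for the Microsoft login hostnames with answers obtained through a trusted path such as a corporate or DNS-over-HTTPS resolver. The script below is an added example, not NCSC's code or tooling; the expected resolver addresses, the sample resolv.conf and the answer sets are constructed and use the documentation address ranges.

```python
"""Detect signs of router-level DNS hijacking on an endpoint.

Added example for illustration; expected resolvers, the sample resolv.conf and
all answer sets are constructed (documentation ranges 192.0.2/24, 198.51.100/24,
203.0.113/24).
"""
import ipaddress
import socket

# Hostnames whose resolution is worth protecting (the campaign targeted
# Outlook, Office and Microsoft 365 logins).
WATCHED_HOSTS = ("login.microsoftonline.com", "outlook.office.com")

# Resolvers the organisation expects its endpoints to use (placeholder values).
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in a resolv.conf-style file."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:      # ignore malformed entries
                continue
    return servers


def unexpected_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """Resolvers pushed to the endpoint that are not on the expected list."""
    return [s for s in servers if s not in expected]


def resolve_via_system(host):
    """Live lookup through the system resolver (not used by the offline sample)."""
    return {info[4][0] for info in socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)}


def divergent_hosts(system_answers, reference_answers):
    """Hosts whose system-resolver answers share no address with the answers
    obtained through a trusted resolver. Returns {host: {system, reference}}."""
    findings = {}
    for host, sys_ips in system_answers.items():
        ref_ips = reference_answers.get(host, set())
        if ref_ips and not (sys_ips & ref_ips):
            findings[host] = {"system": sorted(sys_ips), "reference": sorted(ref_ips)}
    return findings


def assess(resolv_text, system_answers, reference_answers):
    """Combine both checks into one report."""
    return {
        "unexpected_resolvers": unexpected_resolvers(parse_resolv_conf(resolv_text)),
        "divergent_hosts": divergent_hosts(system_answers, reference_answers),
    }


# Constructed sample: the router pushed an extra resolver and that resolver
# returns a different address for the Microsoft login hostname.
SAMPLE_RESOLV_CONF = "search corp.example\nnameserver 198.51.100.7\nnameserver 10.0.0.53\n"
SAMPLE_SYSTEM_ANSWERS = {
    "login.microsoftonline.com": {"192.0.2.10"},
    "outlook.office.com": {"203.0.113.20", "203.0.113.21"},
}
SAMPLE_REFERENCE_ANSWERS = {
    "login.microsoftonline.com": {"203.0.113.5", "203.0.113.6"},
    "outlook.office.com": {"203.0.113.20"},
}

if __name__ == "__main__":
    print(assess(SAMPLE_RESOLV_CONF, SAMPLE_SYSTEM_ANSWERS, SAMPLE_REFERENCE_ANSWERS))
```

Large services answer from CDN pools that vary by region, so a divergent answer is a trigger for investigation rather than proof of hijacking; take the reference answers from a resolver in the same region and treat an unexpected resolver address plus a divergent answer for a login hostname as the high-confidence combination.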
Microsoft patches actively exploited SharePoint zero-day (CVE-2026-32201)
Microsoft released security fixes for CVE-2026-32201, an actively exploited SharePoint vulnerability that allows spoofing and unauthorised data access. The flaw was addressed during April 2026 Patch Tuesday alongside more than 160 additional vulnerabilities.
Researchers confirmed exploitation in the wild prior to patch availability.
What are the risks?
- Unpatched SharePoint servers can expose sensitive data
- Spoofing flaws undermine trust in internal collaboration platforms
- Internet-facing collaboration tools remain high-value targets
Recommended actions:
UNC6692 impersonates IT helpdesk staff via Microsoft Teams
Threat actors tracked as UNC6692 combined email bombing techniques with Microsoft Teams impersonation. After overwhelming users with spam, attackers posed as IT support staff offering help through Teams. Victims were directed to a fake page where they were prompted to enter credentials.
The campaign relies entirely on social engineering and trusted collaboration tools.
What are the risks?
- Teams and similar platforms are implicitly trusted by users
- Email bombing increases urgency and reduces user vigilance
- Credential harvesting enables follow-on identity-based attacks
Recommended actions:
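The two stages of the campaign above, an inbound mail flood followed by an external Teams chat posing as IT support, give a SOC a correlation to detect. The script below is an added example, not Kocho's or Microsoft's detection logic: it counts inbound mail per recipient in a sliding window, then flags a chat from an unfamiliar external tenant that reaches the same user shortly after the burst. The gateway log format, the Teams event tuples, the addresses and the tenant identifiers are all constructed for illustration.

```python
"""Correlate an inbound mail burst with a follow-up external Teams chat.

Added example; log format, events, addresses and tenant IDs are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BURST_THRESHOLD = 50                 # inbound messages to one recipient ...
BURST_WINDOW = timedelta(minutes=10)  # ... within this window
FOLLOW_UP_WINDOW = timedelta(hours=2)  # how soon after the burst a chat counts


def parse_mail_log(lines):
    """Parse constructed gateway lines: '<ISO time> INBOUND to=<rcpt> from=<sender>'."""
    events = []
    for line in lines:
        ts, kind, to_field, from_field = line.split(maxsplit=3)
        if kind != "INBOUND":
            continue
        events.append((datetime.fromisoformat(ts),
                       to_field.split("=", 1)[1], from_field.split("=", 1)[1]))
    return events


def detect_bursts(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Sliding-window count per recipient. A burst also needs many distinct
    senders, which separates bombing from one noisy mailing list.
    Returns {recipient: time the burst started}."""
    bursts = {}
    windows = defaultdict(deque)
    for ts, rcpt, sender in sorted(events):
        q = windows[rcpt]
        q.append((ts, sender))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({s for _, s in q})
        if rcpt not in bursts and len(q) >= threshold and distinct >= threshold // 2:
            bursts[rcpt] = q[0][0]
    return bursts


def correlate_teams(bursts, teams_events, known_tenants, follow_up=FOLLOW_UP_WINDOW):
    """teams_events: (time, user, external tenant id) for inbound external chats.
    Flags chats from tenants not on the known list that arrive after a burst."""
    alerts = []
    for ts, user, tenant in teams_events:
        start = bursts.get(user)
        if start is None or tenant in known_tenants:
            continue
        if start <= ts <= start + follow_up:
            alerts.append({"user": user, "burst_started": start.isoformat(),
                           "teams_tenant": tenant, "chat_at": ts.isoformat()})
    return alerts


# Constructed sample: 60 messages from 60 different senders hit alice in five
# minutes, bob gets normal traffic, then external chats arrive for both.
BASE = datetime(2026, 4, 14, 9, 0)
SAMPLE_MAIL_LOG = [
    f"{(BASE + timedelta(seconds=5 * i)).isoformat()} INBOUND "
    f"to=alice@example.com from=sender{i}@newsletter-example.test"
    for i in range(60)
] + [
    f"{(BASE + timedelta(minutes=i)).isoformat()} INBOUND "
    f"to=bob@example.com from=colleague{i}@example.com"
    for i in range(5)
]
SAMPLE_TEAMS_EVENTS = [
    (BASE + timedelta(minutes=25), "alice@example.com", "tenant-unknown-example"),
    (BASE + timedelta(minutes=30), "bob@example.com", "tenant-unknown-example"),
    (BASE + timedelta(minutes=40), "alice@example.com", "tenant-partner-example"),
]
KNOWN_TENANTS = {"tenant-partner-example"}


def run_sample():
    bursts = detect_bursts(parse_mail_log(SAMPLE_MAIL_LOG))
    return correlate_teams(bursts, SAMPLE_TEAMS_EVENTS, KNOWN_TENANTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The burst on its own is worth a ticket, but the correlated alert is the one that should page: it is the moment a user is most likely to accept "help" from whoever messages them, so the response is to contact the user through a known channel and check for a credential entry on a page the organisation does not own.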
From our blog
Tenant sprawl: The hidden risk undermining business resilience
As organisations accelerate cloud adoption, many are unknowingly creating sprawl across Microsoft 365 and Azure tenants.
Technology Evangelist David Guest explores how unmanaged tenant growth increases identity risk, complicates security operations and undermines resilience during incidents and acquisitions.
With thanks to the Kocho Security Operations Centre (SOC) team.
Stay safe. Stay informed.