Introduction
This report is generated using Velma (Vulnerability Enhanced Learning Machine AI) – Rootshell’s exploit intelligence engine.
Velma focuses on one thing: understanding when vulnerabilities actually become a problem.
There’s no shortage of vulnerability data out there, and most of it is driven by static scores. But risk isn’t static. A vulnerability can sit there for months with little real-world relevance, then overnight become critical when exploit code is released or it starts being used in the wild.
Velma tracks that shift.
By analysing exploit availability, attacker activity, and how vulnerabilities are being used in real-world scenarios, Velma highlights what’s genuinely worth paying attention to – not just what’s highly scored, but what’s actually exploitable.
This report provides a current view of the threat landscape, prioritising vulnerabilities that are actively being weaponised or realistically used in attack paths.
For most organisations, the challenge isn’t a lack of vulnerabilities – it’s knowing which ones actually matter.
Velma Threat Prioritization Matrix - May 26
| Priority | Threat | CVE | Likelihood | Impact | Exploit Maturity | Velma Risk Score |
|---|---|---|---|---|---|---|
| 1 | cPanel / WHM Auth Bypass | CVE-2026-41940 | Very High | Very High | High | 9.9 (Critical) |
| 2 | MOVEit Automation Auth Bypass | CVE-2026-4670 | Very High | Very High | High | 9.8 (Critical) |
| 3 | Weaver E-cology Unauth RCE | CVE-2026-22679 | Very High | Very High | High | 9.8 (Critical) |
| 4 | Palo Alto PAN-OS Pre-Auth RCE | CVE-2026-0300 | Very High | Very High | High | 9.7 (Critical) |
| 5 | Apache HTTP Server RCE | CVE-2026-23918 | High | Very High | High | 9.5 (Critical) |
| 6 | marimo Pre-Auth PTY RCE | CVE-2026-39987 | High | Very High | High | 9.4 (Critical) |
| 7 | SonicWall Auth Bypass | CVE-2026-0204 | High | High | High | 9.1 (Critical) |
| 8 | Ivanti EPMM RCE | CVE-2026-6973 | High | High | Medium | 8.9 (High) |
| 9 | PraisonAI Missing Authentication | CVE-2026-44338 | High | High | High | 8.8 (High) |
| 10 | Linux Kernel LPE (“Copy Fail”) | CVE-2026-31431 | Medium | High | Medium | 8.3 (High) |
| 11 | Linux Kernel “Fragnesia” LPE | CVE-2026-46300 | Medium | High | Medium | 8.2 (High) |
| 12 | Microsoft Defender Privilege Escalation | CVE-2026-33825 | Medium | Medium | Medium | 7.6 (Medium) |
Executive Summary
Velma assesses the organisation to be at elevated risk from externally exploitable infrastructure vulnerabilities capable of enabling rapid compromise of perimeter systems and enterprise management platforms.
Immediate Priorities
- Patch or isolate:
- Palo Alto PAN-OS
- MOVEit Automation
- cPanel / WHM
- SonicWall
- Apache HTTP Server
- Review exposure of:
- AI orchestration platforms
- Administrative portals
- Remote management interfaces
- Harden post-compromise pathways:
- Linux privilege escalation mitigation
- Endpoint privilege management
- Segmentation of critical infrastructure
Failure to remediate these vulnerabilities leaves a credible pathway from:
Initial internet exposure → Administrative compromise → Root-level persistence → Enterprise-wide operational impact.
🔴 Velma Priority Group: Critical Risks
1. cPanel / WHM – Authentication Bypass
CVE-2026-41940
Velma Assessment
- Likelihood: Very High
- Impact: Very High
- Exploit Maturity: High
Intelligence Insight
Velma has identified this vulnerability as a high-priority internet-facing threat impacting hosting providers, MSPs, and government infrastructure.
Observed exploitation activity has targeted:
- Government domains
- Military infrastructure
- Hosting and service providers
Attackers are leveraging public proof-of-concept exploits, significantly reducing the barrier to exploitation.
Business Impact
- Full hosting panel compromise
- Mass account takeover
- Web hosting and infrastructure persistence
- Potential downstream customer compromise
2. MOVEit Automation – Authentication Bypass
CVE-2026-4670
Intelligence Insight
Velma assesses MOVEit-related vulnerabilities as high-risk due to historical ransomware exploitation patterns associated with managed file transfer platforms.
Business Impact
- Unauthorised administrative access
- Data theft and exfiltration
- Lateral movement into enterprise workflows
3. Weaver E-cology – Unauthenticated RCE
CVE-2026-22679
Intelligence Insight
Active exploitation has already been observed in the wild. The vulnerability exposes debug functionality that allows direct command execution without authentication.
Business Impact
- Full server compromise
- Enterprise collaboration platform takeover
- Persistence and malware deployment
4. Palo Alto PAN-OS – Pre-Authentication RCE
CVE-2026-0300
Intelligence Insight
Internet-facing security appliances remain one of the highest-value attack surfaces for threat actors.
Velma assesses this as:
- Rapidly weaponisable
- High likelihood of mass scanning activity
- Capable of full firewall compromise with root privileges
Business Impact
- Network perimeter compromise
- Traffic interception
- Loss of trust boundary integrity
5. Apache HTTP Server – Remote Code Execution
CVE-2026-23918
Intelligence Insight
Public proof-of-concept exploit availability significantly increases operational exploitation likelihood.
Risk is elevated where:
- mod_http2 is enabled
- Internet-facing Apache infrastructure exists
6. marimo – Pre-Authentication PTY Shell Access
CVE-2026-39987
Intelligence Insight
This vulnerability allows attackers to obtain a full interactive shell (PTY) without authentication, representing direct system compromise.
7. SonicWall – Authentication Bypass
CVE-2026-0204
Intelligence Insight
Edge security devices continue to be aggressively targeted by:
- Ransomware operators
- Initial access brokers
- State-aligned actors
🟠 Velma Priority Group: High Risks
8. Ivanti EPMM – Remote Code Execution
CVE-2026-6973
Intelligence Insight
Endpoint management systems are highly attractive targets due to their centralised administrative capabilities.
9. PraisonAI – Missing Authentication
CVE-2026-44338
Intelligence Insight
Velma observed exploitation attempts within hours of public disclosure, indicating:
- Active threat actor monitoring of AI ecosystem vulnerabilities
- Rapid weaponisation of exposed orchestration frameworks
Business Impact
- AI workflow abuse
- Sensitive agent execution exposure
- Potential automation hijacking
10–11. Linux Kernel Local Privilege Escalation Cluster
CVE-2026-31431 / CVE-2026-46300
Intelligence Insight
Velma identifies a growing trend of:
- Reliable Linux privilege escalation primitives
- Page cache and memory corruption exploitation
- Increased post-compromise root acquisition activity
These vulnerabilities become particularly dangerous following:
- Container escape
- Web shell compromise
- Low-privilege footholds
🟡 Velma Priority Group: Medium Risks
12. Microsoft Defender – Local Privilege Escalation
CVE-2026-33825
Intelligence Insight
While requiring authorised access, this vulnerability increases:
- Persistence capability
- Defence evasion opportunities
- Endpoint compromise severity
Velma Correlated Threat View
Velma identifies a probable multi-stage attack chain:
[ Internet-Facing Exploitation ]
↓
cPanel / Apache / Palo Alto / SonicWall / MOVEit
↓
[ Initial Access Established ]
↓
Ivanti / PraisonAI / marimo
↓
[ Privilege Escalation ]
↓
Linux Kernel LPE / Defender LPE
↓
[ Root Access + Persistence ]
↓
Infrastructure Compromise / Data Exfiltration / Ransomware
Velma Composite Risk Posture
- Critical Risks: 7
- High Risks: 4
- Medium Risks: 1
Overall Assessment: 🔴 Critical
Velma assesses that this dataset contains multiple:
- Internet-facing unauthenticated RCE vulnerabilities
- Authentication bypass flaws
- Actively exploited edge-device attack vectors
