Weekly review

ThreatNoir Weekend Brief — May 3

2026-05-03, Morning, 4 articles

Morning Review in IT Security — May 3, 2026

The threat landscape continues to evolve, with critical vulnerabilities, sophisticated phishing operations, and cloud-based attacks dominating this week's reporting. Today's review covers an authentication bypass flaw, a large-scale credential theft campaign, automated OAuth abuse targeting enterprise environments, and a healthcare data breach.

CVE-2026-41940: WebPros cPanel and WHM Authentication Bypass

A critical authentication bypass vulnerability has been identified in WebPros cPanel and WHM platforms. The vulnerability, tracked as CVE-2026-41940, lies in the login flow and could allow attackers to gain unauthorized access to hosting control panels. Proof-of-concept code for this vulnerability is actively circulating, increasing the risk of widespread exploitation. Source: CVE-2026-41940: WebPros cPanel and WHM Authentication Bypass via Login Flow PoC

Google AppSheet Exploited in Large-Scale Facebook Phishing Campaign

Threat actors are leveraging Google AppSheet and Google Drive to conduct a massive phishing operation targeting approximately 30,000 users. The scam exploits the trusted nature of Google services to bypass security filters and steal Facebook Business account credentials at scale. The malware family AccountDumpling has been associated with this campaign, which demonstrates how legitimate cloud services can be weaponized for credential harvesting. Source: Google AppSheet Exploited in 30,000-User Facebook Phishing Operation

ConsentFix v3 Attacks Escalate Azure OAuth Abuse

A new iteration of OAuth abuse attacks called ConsentFix v3 has emerged on hacker forums, building upon previous techniques with enhanced automation and scaling capabilities. The attack targets Microsoft Azure environments and leverages the Specter Portal infrastructure to conduct large-scale consent-based OAuth abuse. This evolution represents a significant escalation in the sophistication of cloud-based attack methods. Source: ConsentFix v3 attacks target Azure with automated OAuth abuse

Radimagen Panama Medical Imaging Provider Breached

Radimagen Panama, a Panamanian medical imaging provider, has suffered a data breach with patient and medical information exposed. The threat actor ohmydays, operating under the Waxx Org. banner, has leaked the compromised database publicly. This incident underscores the ongoing vulnerability of healthcare providers to data theft and the sensitivity of medical records in breach scenarios. Source: Radimagen Panama Data Leak

Organizations are advised to prioritize patching of authentication systems, implement advanced email security controls to combat phishing, review OAuth consent permissions in cloud environments, and strengthen data protection measures for sensitive personal and medical information.

Sources & IOCs

Source articles and extracted indicators (defanged where appropriate).