Qinglong CVE-2026-3965 and CVE-2026-4047, Active Exploitation Hits Task Scheduler Panels
Finding: Qinglong Task Scheduler CVE-2026-3965 / CVE-2026-4047 Active Exploitation
Confidence: Medium
Snyk and BleepingComputer report active exploitation of Qinglong task scheduler versions 2.20.1 and older. The reported chain uses authentication bypass paths that can lead to remote code execution and cryptominer deployment.
The practical exposure is narrow but urgent. Internet-facing Qinglong panels should be found, upgraded beyond the affected versions, and checked for miner indicators such as .fullgc and connections or artefacts involving file.551911.xyz. The source set points to middleware fixes associated with PR #2941, so operators should verify the fixed release rather than relying only on perimeter blocking.
Finding: Linux Copy Fail CVE-2026-31431 Raises Local Privilege Escalation Risk
Confidence: Medium
MSRC lists CVE-2026-31431, and BleepingComputer reports public exploit activity around the Linux Copy Fail local privilege escalation issue. The available evidence does not include Tier-0 confirmation of active exploitation, so this is not framed as a confirmed exploitation wave.
It still deserves fast triage. Shared Linux hosts, CI runners, Kubernetes nodes and administrator jump boxes are the first places to check because local privilege escalation changes the impact of any foothold already present on those systems. Track distribution kernel guidance, apply vendor updates as they arrive, and review container-host isolation assumptions.
Finding: ABB AWIN Gateways CVE-2025-13777 Expose OT Configuration and Reboot Risk
Confidence: Low
CISA published ICSA-26-120-05 for ABB AWIN Gateways, tracking CVE-2025-13777. CISA states successful exploitation could allow remote device reboot or unauthenticated queries that expose sensitive system configuration, with ABB AWIN Firmware 2.0-0 listed as affected.
This is an asset-identification task first. Organisations with OT or critical-infrastructure environments should identify ABB AWIN deployments, remove management access from routable networks, and confirm firmware or compensating controls with the relevant asset owners.
Finding: Jenkins Plugins WID-SEC-2026-1320 Needs CI Inventory Work
Confidence: Low
BSI CERT-Bund published WID-SEC-2026-1320 for multiple high-severity Jenkins plugin vulnerabilities. The source set does not provide full plugin names, affected versions or CVE mappings through the extracted advisory data, so the finding remains low confidence for customer-specific remediation.
The risk model is still clear. Jenkins plugins can sit across build secrets, release artefacts, source access and shared runners. Security teams should compare controller and plugin inventories against the BSI advisory and upstream Jenkins plugin advisories before the next release window.
Finding: Microsoft Windows RPC WID-SEC-2026-1325 Is Unpatched and Under-Specified
Confidence: Low
BSI CERT-Bund marks WID-SEC-2026-1325 as a new high-severity Microsoft Windows RPC privilege-escalation item and indicates an unpatched status. The available source set does not provide a CVE, affected versions or Microsoft mitigation detail.
Treat this as watch-and-reduce-exposure work rather than a patch instruction. Validate RPC reachability, check segmentation around workstations and servers, and watch for MSRC confirmation or mitigation guidance before issuing estate-wide remediation language.
Finding: SonicWall SonicOS WID-SEC-2026-1313 Adds Edge Infrastructure Pressure
Confidence: Low
BSI CERT-Bund published WID-SEC-2026-1313 for multiple high-severity SonicWall SonicOS vulnerabilities. The extracted data does not include the full technical breakdown, which limits confidence.
Because SonicOS often protects VPN and edge access, exposure review should not wait for exploit chatter. Confirm firmware levels, restrict management-plane access, and check whether remote access services are exposed where they do not need to be.
Update: SAP CAP npm Package Compromise Scope Expanded
Confidence: Medium
The SAP CAP npm package compromise remains an update, not a new lead story. The material change is expanded scope, with newly identified affected package names and versions.
Dependency teams should check lockfiles, CI build manifests and package caches for the named versions from source data, then rotate credentials if any affected package executed in a trusted build environment.
Why This Matters
The day’s work is not one patch queue. It spans exposed automation software, Linux host hardening, OT gateway checks, CI plugin hygiene and edge firewall review. That mix matters because attackers do not need the broadest vulnerability. They need the one reachable control plane that was missed.
Compared with yesterday, the lead has moved away from Windows KEV, LiteLLM and cPanel emergency work. Those items remain important where still unpatched, but they did not carry new evidence in this cycle.
- Recommended Actions
- Find internet-facing Qinglong panels, upgrade fixed releases, and hunt for .fullgc and file.551911.xyz indicators.
- Prioritise CVE-2026-31431 checks on shared Linux hosts, CI runners, Kubernetes nodes and administrator jump boxes.
- Identify ABB AWIN Firmware 2.0-0 deployments and remove management access from routable networks.
- Compare Jenkins controller and plugin inventories against WID-SEC-2026-1320 and upstream plugin advisories.
- Reduce Windows RPC exposure whilst waiting for MSRC confirmation on WID-SEC-2026-1325.
- Confirm SonicWall SonicOS firmware levels and restrict exposed management and VPN surfaces.
- Continue routine patch triage for Chromium CVE-2026-6920 and CVE-2026-6919, Xen/Citrix XenServer CVE-2026-31788, cURL, FreeBSD, GnuTLS, Acronis, zuluCrypt, Wireshark and Protobuf PHP items.
All findings grounded in a13e intelligence sweeps through 05:00 UTC 01 May 2026.