Acronis Cyber Protect Cloud Agent WID-SEC-2026-1322: Patch Triage Broadens Across Backup, TLS and Routing Stacks
Finding: Acronis Cyber Protect Cloud Agent WID-SEC-2026-1322 Opens an MSP Patch Question
Confidence: Low
BSI CERT-Bund lists multiple high-severity vulnerabilities in Acronis Cyber Protect Cloud Agent, with privilege escalation called out in the source coverage. The extracted advisory detail does not provide CVE IDs or a CVSS score, so this should be handled as an authoritative patch-triage signal rather than an exploitation claim.
The exposure question is practical. Backup and endpoint protection agents often run with high local privileges across customer estates, which makes version drift dangerous even before public exploit detail appears. MSPs and internal IT teams should inventory Acronis Cyber Protect Cloud Agent deployments and map installed versions against BSI and vendor fixed-version guidance.
Finding: cURL/libcurl, GnuTLS and Wireshark Add Dependency Pressure
Confidence: Low
BSI CERT-Bund also lists new high-severity advisories for cURL/libcurl WID-SEC-2026-1307, GnuTLS WID-SEC-2026-1312 and Wireshark WID-SEC-2026-1311. The available detail is thin, but the components are widely deployed enough to justify dependency mapping now.
For cURL/libcurl, look beyond servers. Appliances, containers, developer workstations and build images may carry vulnerable library versions. For GnuTLS, prioritise systems in TLS termination, mutual-authentication and embedded paths. For Wireshark, analyst workstations and forensic images should treat packet captures from untrusted sources with care until patched.
Finding: FRRouting CVE-2026-28532 and pip CVE-2026-3219 Reach Vendor Feeds
Confidence: Low
MSRC lists CVE-2026-28532 for FRRouting as an integer overflow in an OSPF parser. FRRouting appears in network appliances, labs and cloud routing stacks, so the useful first move is a version sweep in environments near untrusted or partner-adjacent routing domains.
MSRC also lists CVE-2026-3219 for pip archive validation. Python packaging flaws matter most where automated systems ingest, mirror or inspect untrusted archives. CI workers, research sandboxes and developer hosts should be checked before broad claims are made about exploitability.
Finding: Ubuntu and CISA Add Targeted Patch Items
Confidence: Low
Ubuntu published USN-8198-2 for Tornado and CVE-2026-31958, plus USN-8218-1 for zuluCrypt and CVE-2025-53391. These are narrow but actionable updates: patch Ubuntu-hosted Python web services using distro Tornado packages, and check admin workstations or Linux desktop fleets that use zuluCrypt or related encrypted-volume workflows.
CISA published ICSA-26-120-04 for ABB Ability OPTIMAX and CVE-2025-14510. That makes the item relevant to OT and energy operators first. Teams should verify ABB OPTIMAX exposure and follow the CISA and ABB mitigation path before treating this as a generic enterprise patch item.
Update: cPanel/WHM CVE-2026-41940 Remains the Urgent Operational Item
Confidence: High
Previously covered 02 May 2026; today's delta: The Register, BSI CERT-Bund and NCSC-NL coverage continue to support active exploitation and hosting-operator impact.
This remains sharper than the new low-detail patch queue. Hosting control panels have high blast radius: one compromised WHM host can lead to tenant compromise, web-shell placement and credential theft. Verify every WHM host is on cPanel 11.136.0.5 or later, or the current vendor-fixed branch. Review recent account, session, package and administrator activity on internet-facing shared-hosting systems.
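The version check described above, as an added example (not code from cPanel or from the sources cited here). The inventory format, hostnames and status labels are constructed for illustration; the only value taken from this page is the fixed build 11.136.0.5. Hosts on an older branch are routed to manual review because this page does not list the fixed builds for those branches.

```python
import re

FIXED = (11, 136, 0, 5)  # fixed build named in this article

# Constructed sample inventory: hostname,reported cPanel version
SAMPLE_INVENTORY = """\
whm-a.example.net,11.136.0.5
whm-b.example.net,11.136.0.4
whm-c.example.net,11.136.0.10
whm-d.example.net,11.130.0.22
whm-e.example.net,11.138.0.1
whm-f.example.net,unknown
"""

def parse_version(text):
    """Return a 4-part version as a tuple of ints, or None if malformed."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){3}", text, flags=re.ASCII):
        return None
    return tuple(int(part) for part in text.split("."))

def classify(version_text):
    """Map one reported version to a triage status (labels are hypothetical)."""
    version = parse_version(version_text)
    if version is None:
        return "UNKNOWN"        # agent did not report a usable version
    if version >= FIXED:        # numeric compare, so 0.10 sorts after 0.5
        return "FIXED"
    if version[:2] == FIXED[:2]:
        return "BELOW_FIXED"    # same branch, older build: patch now
    return "CHECK_BRANCH"       # older branch: compare with vendor-fixed build

def triage(inventory_csv):
    """Return {hostname: status} for every non-empty inventory line."""
    results = {}
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition(",")
        results[host.strip()] = classify(version)
    return results

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:13} {host}")
```

A plain string comparison would rank 11.136.0.10 below 11.136.0.5, which is why the check compares integer tuples.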
Why This Matters
This is a patch-management day, not a single exploit-alert day. The risk is that teams either overreact to every new advisory or ignore low-detail items until versions and CVEs are easier to consume.
The better posture is tiered triage. Keep cPanel/WHM CVE-2026-41940 in the urgent lane because exploitation and operator impact are already supported by public reporting. Treat the new Acronis, FreeBSD, GnuTLS, Wireshark, cURL/libcurl, KDE, Velociraptor, FRRouting, pip, Ubuntu and ABB items as inventory-led patch work until richer vendor detail lands.
Recommended Actions
- Verify cPanel/WHM hosts are on fixed versions and review exposed systems for compromise indicators.
- Inventory Acronis Cyber Protect Cloud Agent deployments and compare versions with BSI or vendor fixed guidance.
- Map cURL/libcurl and GnuTLS across appliances, containers, server images and developer workstations.
- Patch Wireshark on analyst workstations and restrict untrusted packet-capture handling until updates are confirmed.
- Check FRRouting exposure near OSPF routing boundaries and review pip usage in build systems that ingest untrusted archives.
- Apply Ubuntu Tornado and zuluCrypt updates where the affected packages are present.
- For ABB Ability OPTIMAX, verify OT exposure and follow CISA or ABB mitigations.
All findings grounded in a13e intelligence sweeps through 05:00 UTC 03 May 2026.