The Big Picture
The infrastructure that runs your hospital, your bank, your city's water supply, and your government's classified networks is being hollowed out by unpatched vulnerabilities — while the companies responsible drag their feet and the Pentagon quietly hands the keys to Big Tech. This week, a single UDP packet can own enterprise servers, ransomware is turning shared hosting into rubble, and the U.S. military is signing multi-billion-dollar deals to wire frontier AI into classified networks. The question isn't whether the systems are broken. It's who profits from the chaos, and who gets left holding the damage.
Today's Stories
One Packet. No Password. Thousands of Servers Exposed — and the Patch Race Has Already Begun
A newly disclosed vulnerability in Apache Camel — the integration framework quietly wiring together enterprise applications, IoT devices, payment systems, and industrial pipelines at thousands of organizations — carries a perfect CVSS score of 10.0. CVE-2026-33453 requires exactly one unauthenticated UDP packet to seize full remote control of a server. No credentials. No user interaction. The HTTP-layer firewalls most organizations rely on cannot even see the attack traffic because it travels over UDP. A working proof-of-concept exploit is already public. Apache shipped a fix, but patch coverage remains uneven across major deployments. What doesn't make the vendor press releases: Camel is connective tissue. A compromised instance is a direct path into payment processing, claims pipelines, and industrial telemetry — the systems ordinary people depend on and rarely hear about until they fail. The organizations slowest to patch are rarely the ones who bear the cost when they're breached.
Red Hat Left Millions of Linux Servers Exposed — While a Fake Workaround Circulates
Five days after CVE-2026-31431 — a local privilege escalation in the Linux kernel's cryptographic interface — was added to CISA's Known Exploited Vulnerabilities catalog, Red Hat has still not shipped a patch. The exploit is a 732-byte script. No race condition. No special tuning. It works unmodified across Linux distributions built since 2017, hitting a significant share of cloud workloads and Kubernetes clusters. The CISA federal remediation deadline is May 15. Making matters worse: a modprobe-based workaround circulating in security forums does not work on Red Hat-family systems because the vulnerable component is built directly into the kernel. CloudLinux's advisory states explicitly that the commands run without errors but leave systems fully exposed — which is worse than doing nothing at all. Microsoft reports observing preliminary testing activity that may signal broader exploitation within days. The gap between what enterprise Linux vendors promise and what they deliver has consequences. Those consequences land on system administrators, on users, and on the public institutions running unpatched infrastructure — not on the executives who set the patch timelines.
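A host-side check for the caveat just described, as an added example (not from the newsletter, Red Hat, or CloudLinux): whether a modprobe-based workaround can do anything at all depends on whether the component is a loadable module or compiled into the kernel image. The module name is a placeholder argument, since this page does not name the affected component; take it from the advisory you are acting on.

```shell
#!/bin/sh
# Added example: classify a kernel component as builtin / loaded / not-loaded so
# you know whether a modprobe-based workaround (blacklist, "install <mod> /bin/false",
# "modprobe -r") can take effect. A built-in component is listed in modules.builtin,
# never appears in /proc/modules, and stays active no matter what modprobe is told.
# Module names below are constructed placeholders, not the advisory's component.

# Print one of: builtin, loaded, not-loaded.
# $1 = module name; $2 = modules.builtin path; $3 = /proc/modules path.
# $2/$3 default to the running kernel and exist so the logic can be run on test files.
module_state() {
  norm=$(printf '%s' "$1" | tr '-' '_')   # modprobe treats '-' and '_' alike
  builtin_list=${2:-/lib/modules/$(uname -r)/modules.builtin}
  loaded_list=${3:-/proc/modules}
  # modules.builtin holds paths such as kernel/crypto/foo.ko; compare on the basename.
  if sed 's#.*/##; s/\.ko$//; y/-/_/' "$builtin_list" 2>/dev/null | grep -qx -- "$norm"; then
    echo builtin
  elif awk '{print $1}' "$loaded_list" 2>/dev/null | grep -qx -- "$norm"; then
    echo loaded
  else
    echo not-loaded
  fi
}

# Exit 0 only when a modprobe-based mitigation can have any effect for the module.
workaround_applicable() {
  [ "$(module_state "$@")" != builtin ]
}

# Self-contained demonstration on constructed files; the real kernel is not consulted.
demo() {
  d=$(mktemp -d)
  printf 'kernel/crypto/example_builtin_iface.ko\nkernel/fs/example_fs.ko\n' > "$d/modules.builtin"
  printf 'example_loaded 16384 0 - Live 0x0000000000000000\n' > "$d/proc_modules"
  for m in example_builtin_iface example_loaded example_absent; do
    state=$(module_state "$m" "$d/modules.builtin" "$d/proc_modules")
    if workaround_applicable "$m" "$d/modules.builtin" "$d/proc_modules"; then
      echo "$m: $state; a modprobe workaround can apply"
    else
      echo "$m: $state; modprobe workaround is a no-op, patch or boot a fixed kernel"
    fi
  done
  rm -rf "$d"
}

demo
```

Run it with no arguments to see the constructed cases; call `module_state <name>` with only the module name to check the running kernel.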
The cPanel Ransomware Wave Nobody Warned You About in Time
The federal government's own deadline has passed, and the attacks are already here. CVE-2026-41940, an authentication bypass in WebPros' cPanel & WHM hosting control panel, was patched April 28. CISA's deadline for federal agencies was May 3. By May 1 and 2, customers were posting to cPanel's support forums about encrypted files bearing a .sorry extension, rogue root-level accounts, and exposed management ports used as entry vectors. BleepingComputer confirmed mass exploitation tied to "Sorry" ransomware. The structural harm here extends far beyond individual victims: a single cPanel server compromise hands attackers hundreds or thousands of customer websites simultaneously, along with all email infrastructure routed through them. These aren't Fortune 500 targets. They're small businesses, nonprofits, community organizations, and independent publishers — the exact constituencies that can least afford a ransomware recovery. The vendor patched. The government set a deadline. Neither moved fast enough for the people already counting encrypted files this week.
The Pentagon Is Wiring Big Tech Into America's Classified Networks — And Calling It Progress
The Defense Department quietly formalized what was previously a patchwork of pilot programs: commercial AI is now a classified-network utility. Bloomberg and the Associated Press both reported Sunday that the Pentagon expanded agreements to deploy frontier AI on classified networks, with approved vendors now including Microsoft, Amazon, Google, OpenAI, Nvidia, Oracle, Reflection, and SpaceX. The companies cleared to build inside classified infrastructure gain something competitors cannot easily replicate — years of deployment experience and a revenue floor that insulates them from commercial market pressures. Anthropic, currently barred from DoD contracts and fighting that exclusion in court, will be conspicuously absent from the revenue that follows. There is no public accounting of what these systems will do, what data they will process, or what oversight mechanisms exist. The public whose taxes fund this infrastructure and whose security it ostensibly protects has been given no seat at the table. Watch Microsoft's and Amazon's late-July earnings calls — if classified AI revenue appears as a distinct line item, the militarization of commercial AI has crossed from strategic initiative to material business fact.
Industrial Control Systems Are One Public Exploit Away From Physical Harm
FUXA — open-source software used to monitor and control physical equipment in factories, water treatment plants, and energy facilities — has a fully weaponized exploit now publicly posted to Exploit-DB. CVE-2025-69985 allows an unauthenticated attacker to execute arbitrary code on industrial control dashboards by manipulating a single HTTP header. No reverse shell required. The gap between a public proof-of-concept on Exploit-DB and active scanning of internet-exposed industrial systems is measured in days, not weeks. FUXA is patched in version 1.2.11. The systems that aren't patched are the ones operating critical infrastructure in communities that have historically received the least investment in cybersecurity resources — smaller municipalities, underfunded utilities, and industrial facilities in working-class regions where IT staffing is thin. When industrial control systems fail, the people who drink the water and breathe the air pay the price. The people who sold the software and the governments that failed to mandate security standards do not.
What to Watch
- [CONFIRMED] If Red Hat's patch for CVE-2026-31431 does not ship before the May 15 CISA deadline, federal agencies on RHEL will remain exposed to a publicly available 732-byte privilege escalation exploit with active preliminary testing already observed. (Confirmed: based on reported patch status and Microsoft's observed activity)
- [ASSESSED] If the May 13 EU AI Act trilogue fails to produce an agreed delay, every hospital AI system, HR screening tool, and factory robot deployed in Europe faces immediate August 2 compliance obligations that most manufacturers have not prepared for — and the burden of non-compliance will fall unevenly on smaller institutions with fewer legal resources. (Assessed: analytical projection from reported negotiation failure and DLA Piper guidance)
- [ASSESSED] If Microsoft and Amazon report classified AI revenue as a distinct line item in late-July earnings, the privatization of military AI infrastructure will have crossed into material business territory with no corresponding public accountability framework in place. (Assessed: analytical projection from reported Pentagon expansion)
- [SPECULATIVE] If the cPanel "Sorry" ransomware wave broadens to second-tier hosting providers this week, hundreds of thousands of small-organization websites could go dark simultaneously — with no federal recovery mechanism and no liability for the hosting industry that left management ports exposed. (Speculative: early signal from forum reports, exploitation trajectory uncertain)
The Closer
The through-line this week is not technical. It is political. Vendors delay patches. Governments miss their own deadlines. The Pentagon signs billion-dollar deals in the dark. And when the systems fail — when the files are encrypted, when the water plant gets a command it shouldn't, when the classified model does something no one can explain — the cost lands on workers, on communities, on the public. Accountability journalism exists because someone has to keep asking: who knew, when did they know it, and who got paid while everyone else got hurt.