Light Patch Tuesday, heavy everything else. Here’s what actually moved the needle for partners this week.

🛡️ cPanel auth bypass is loose, and MSPs are in the blast radius

CVE-2026-41940 is an authentication bypass in cPanel and WHM caused by a CRLF injection in the login flow — and multiple threat actors are already using it in the wild. Per Help Net Security, Rapid7 noted that successful exploitation hands attackers control of the cPanel host, its databases, and every website it manages, with Shodan showing roughly 1.5 million exposed instances. Ctrl-Alt-Intel caught one attacker's staging server on May 2 targeting South-East Asian government and military entities — alongside MSP networks.

Why it matters to your stack: if you’re hosting client websites on cPanel/WHM, or you’ve inherited an environment from a customer who did, you are the supply chain. A single owned host is dozens of owned tenants. Patch to 110.0.45 or later now, audit session activity, and assume any unpatched box has been touched. This is also a real upsell moment for the hosting-adjacent crowd — managed WordPress, managed DNS, and incident-response retainers all have a clean story to tell this week.

🔥 Trellix got owned (yes, that Trellix)

The cybersecurity vendor confirmed on May 4 that attackers got into a portion of its source code repository. Trellix says it’s seen no evidence the source code release pipeline was tampered with or that the stolen code has been exploited — which is the kind of sentence you write when you very much hope it stays true.

Why it matters to your stack: if you resell Trellix EDR or XDR, your customers will ask. Have an answer ready that isn’t “the vendor says it’s fine.” Source-code theft doesn’t equal an immediate compromise, but it absolutely shortens the runway for whoever’s holding it — they now know exactly where to look for detection gaps. Bigger picture: this is the third major security-vendor embarrassment in twelve months, and SMB buyers are noticing. The MSPs winning renewals right now are the ones leading with “here’s our defense-in-depth” instead of “here’s our preferred logo.” Treat single-vendor security stacks as a sales objection waiting to happen.

🤝 Pax8 picks Ninja

Pax8 and NinjaOne announced a global referral partnership on April 28 — Pax8 will steer partners shopping for unified IT ops and RMM toward NinjaOne, and NinjaOne handles the customer relationship from there. Marketplace transactions are the longer-term play, per ChannelE2E. Days later, Omdia dropped its 2026 RMM/PSA Leadership Matrix naming ConnectWise, Kaseya, N-able, HaloPSA, and NinjaOne as Champions.

Why it matters to your stack: this is a soft endorsement with hard implications. Pax8 has spent years staying RMM-neutral, and tilting toward Ninja — even as a referral — is a signal to anyone running ConnectWise Automate or Kaseya VSA that the marketplace gravity has shifted. If you’re a Pax8 partner already comparing RMMs, expect a call. If you’re happy on your current platform, the leverage just got better — vendors negotiating renewals don’t love hearing “my distributor is showing me alternatives.” Either way, build the comparison spreadsheet now, not when your renewal hits.

🤖 Inforcer ships Copilot Manager, and shadow AI gets a price tag

Inforcer rolled out Copilot Manager on May 1, giving MSPs multi-tenant visibility into Microsoft Copilot adoption — and, critically, monitoring for shadow AI usage across client M365 tenants. The pitch: productize Copilot enablement as a recurring service instead of a one-time setup project.

Why it matters to your margin: Copilot licensing is one of the few M365 SKUs left with real upsell room, and most SMBs are buying it without a clue how to govern it. If your AI-as-a-service motion is currently “we resold the license, good luck,” you’re leaving the managed-services markup on the table. Inforcer is one of several tools racing to put a meter on this — Augmentt and CoreView are in the same conversation — but the playbook is the same: bundle visibility, governance, and adoption coaching into a tiered monthly fee. The MSPs charging $8–$15 per seat per month on top of the Copilot license are the ones who treated this like a service line, not a transaction.

🩹 Patch Tuesday: 120 fixes, zero zero-days (enjoy it)

Microsoft shipped fixes for 120 CVEs this Patch Tuesday with no actively exploited or publicly disclosed zero-days — the first clean month, per Tenable, since June 2024. Eleven are rated Critical, mostly RCEs in Office and the usual Windows graphics components.

Why it matters to your operations: don’t get comfortable. The calm window ends June 26, when the Secure Boot certificate expiration deadline hits and unprepared fleets start failing boot. If you haven’t inventoried which client devices are running the legacy 2011 KEK and DB certificates, this is the cycle to do it. The vendors who built Secure Boot readiness reports into their RMM dashboards (Action1, Automox, NinjaOne) are quietly stealing scoping conversations from competitors who haven’t. And for once, your patch window isn’t a fire drill — use it to actually test, not just push.
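The inventory step above is the one that tends to get skipped, so here is an added example of what it looks like on a single endpoint. This is illustrative code written for this note, not a script from Microsoft, Action1, Automox or NinjaOne: it reads the KEK and db Secure Boot variables with the built-in SecureBoot module and reports whether the 2011 Microsoft certificates and their 2023 replacements are present. The certificate subject strings are the real Microsoft CA names; the legacy/replacement grouping and the Ready/NeedsUpdate/Review status logic are this example's own assumptions. It needs an elevated session on a UEFI device; on a legacy BIOS box the cmdlets throw, which the script reports rather than hides.

```powershell
# Added example (not from the newsletter or any vendor): inventory one Windows
# device's Secure Boot KEK and db variables for the 2011 Microsoft certificates
# and their 2023 replacements. Run elevated on a UEFI system; the SecureBoot
# module ships with Windows 8 / Server 2012 and later.
#Requires -RunAsAdministrator

# Real Microsoft CA subject names. They are searched as substrings of the raw
# variable bytes (the same check Microsoft's own guidance uses). Which ones
# count as "legacy" versus "replacement" is this example's assumption.
$LegacyCerts = @{
    KEK = @('Microsoft Corporation KEK CA 2011')
    db  = @('Microsoft Windows Production PCA 2011', 'Microsoft Corporation UEFI CA 2011')
}
$ReplacementCerts = @{
    KEK = @('Microsoft Corporation KEK 2K CA 2023')
    db  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023')
}

function Test-UefiVariableContains {
    # $true if the named Secure Boot variable's raw bytes contain $Pattern.
    # Subject names sit as printable ASCII inside the DER-encoded certificates,
    # so a plain substring match is sufficient for inventory purposes.
    param([string]$VariableName, [string]$Pattern)
    $bytes = (Get-SecureBootUEFI -Name $VariableName).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    return $text.Contains($Pattern)
}

function Get-SecureBootCertInventory {
    # One object per device, shaped to land in an RMM custom field or a CSV.
    $result = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        SecureBootEnabled = $null
        HasLegacyKek      = $null
        HasNewKek         = $null
        HasLegacyDb       = $null
        HasNewDb          = $null
        Status            = 'Unknown'
    }
    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        # Thrown on legacy BIOS / CSM boot: there are no UEFI variables to read.
        $result.Status = "NotUEFI: $($_.Exception.Message)"
        return [pscustomobject]$result
    }
    try {
        $result.HasLegacyKek = ($LegacyCerts.KEK      | ForEach-Object { Test-UefiVariableContains KEK $_ }) -contains $true
        $result.HasNewKek    = ($ReplacementCerts.KEK | ForEach-Object { Test-UefiVariableContains KEK $_ }) -contains $true
        $result.HasLegacyDb  = ($LegacyCerts.db       | ForEach-Object { Test-UefiVariableContains db  $_ }) -contains $true
        $result.HasNewDb     = ($ReplacementCerts.db  | ForEach-Object { Test-UefiVariableContains db  $_ }) -contains $true
    } catch {
        # Firmware that refuses variable reads (or a non-admin session) ends up here.
        $result.Status = "ReadFailed: $($_.Exception.Message)"
        return [pscustomobject]$result
    }
    # Assumed triage rule: both 2023 certs present = ready; any 2011 cert and no
    # full 2023 set = needs the update; anything else gets a human look.
    $result.Status = if ($result.HasNewKek -and $result.HasNewDb) { 'Ready' }
                     elseif ($result.HasLegacyKek -or $result.HasLegacyDb) { 'NeedsUpdate' }
                     else { 'Review' }
    return [pscustomobject]$result
}

Get-SecureBootCertInventory | Format-List
```

Drop it into your RMM as a script that writes the Status field back to a custom field and you have the fleet-wide readiness view the paragraph describes, without waiting on a vendor dashboard. Note that this only tells you which certificates the firmware trusts; whether a given device's boot manager has actually been re-signed is a separate question that this check does not answer.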

⚡ Quick hits

ShinyHunters posted a 50GB Cushman & Wakefield dataset after ransom talks collapsed on May 6 — and Qilin is now also claiming the same victim, which means either two crews got in or one crew is selling the same goods twice. Either way, the original entry point was vishing. Refresh your SMB clients on voice-phishing tabletop exercises; the helpdesk impersonation script is still the highest-ROI attack in the kit.

Microsoft’s May Pax8 promos include 10% off three-year Purview and Defender Suite contracts for first-time buyers through July 1. If you’ve got an SMB sitting on E3 and asking about compliance, this is the window.

Guardz’s 2026 MSP Threat Report flagged BEC and cloud ransomware as the fastest-growing SMB risk categories — translation: identity protection and M365 backup are still the two easiest cross-sells in your catalog. If either isn’t in your stack, you’re handing margin to the MSP down the street who picked them up last quarter.

That’s the week. Patch the cPanel boxes, hug your EDR rep, and go run the Ninja math.
