
What’s Old Is New Again: Attackers Target Resurgent Vulnerabilities

Blog | 90 Day Threat Retro: Q2

Organizations seem to have hit their patching capacity limit. The 2026 Verizon Data Breach Investigations Report (DBIR) found that the new median time to patch is nearly two weeks longer than it was in 2024. 

As remediation slows, attackers are eagerly stepping into the gap. According to the 2026 DBIR, vulnerability exploitation was the leading initial access vector in 2025, accounting for 31% of all breaches.

The math doesn’t work anymore: The volume of new CVEs has become difficult — if not impossible — to manage with the time and resources businesses have available. 

Coalition sends Zero-Day Alerts (ZDAs) to help balance the equation. To avoid patching paralysis and focus resources impactfully, policyholders only get ZDAs for the most critical vulnerabilities. These include time-sensitive risks and those most likely to impact a policyholder's bottom line. 

ZDA Snapshot

  • Coalition sent 33 different ZDAs between February 1, 2026, and May 1, 2026

  • 94% of policyholders didn’t receive a single notification

  • Honeypots captured a spike of 317 new events for a vulnerability we first alerted on in August 2025

  • Large-scale aggregation (Vercel and cPanel) drove almost three-quarters of notified policyholders

  • 56% of notified policyholders have fewer than 25 employees

Below, we’ll explore how to balance new risks with the old, which vendors contributed to the highest concentration of ZDAs, and which organizations are most likely to receive alerts.

1. Renewed pressure on an 8-month-old vulnerability

New vulnerabilities aren’t the only ones that pose a risk to policyholders. Frequently, attackers return to older flaws and target victims that never patched when the vulnerability was first published.

With over 100 vulnerabilities disclosed daily in 2025, this strategy makes sense. Attackers are banking on organizations having a critical backlog of vulnerabilities they missed or deprioritized. 

Always-on monitoring

Along with threat intelligence sources, Coalition keeps tabs on threat actor behavior through honeypots, which appear as vulnerable machines to opportunistic attackers.

Honeypots provide Coalition security researchers with valuable insights on how actively and broadly a vulnerability is being exploited in the wild. 

But we aren’t just using this information for the newest threats. By deploying honeypots that emulate business networks, we can also capture the resurgence of activity on “old” vulnerabilities. In turn, we can alert at-risk policyholders to high-priority threats they may have overlooked before.

Raising the alarm on CVE-2025-57819

We sent a ZDA to impacted policyholders about CVE-2025-57819 in FreePBX on August 8, 2025, the same day it was published in the National Vulnerability Database (NVD). 

FreePBX is an open-source, web-based graphical user interface for managing Asterisk-based phone systems. The risk to organizations is particularly high because FreePBX operates as the administrative control layer for enterprise VoIP: successful exploitation can give attackers control of the PBX itself.

[Chart: FreePBX, number of honeypot requests over time]

Eight months later, attackers revisited CVE-2025-57819 en masse. On April 19, 2026, Coalition observed a spike in activity targeting the vulnerability, with 317 events from 105 unique IPs. 

We sent a ZDA to policyholders who had the vulnerable FreePBX panel exposed, providing necessary context that a vulnerability from months prior had become a priority risk again. Attackers aren’t only focused on new vulnerabilities; they are opportunistically searching for security gaps such as those in an organization’s backlog.

For that reason, Coalition monitors and alerts policyholders to any resurgent vulnerabilities with recommended remediation steps. We understand it’s not feasible for policyholders to address every risk. However, we use the context we have to help guide them to the most dangerous flaws first, using our ZDAs to help them prioritize these threats.
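The resurgence pattern described above, as an added example that is not Coalition's code: honeypot events tagged with the CVE they target are bucketed per day, and a day whose volume jumps far above the trailing baseline is flagged as a resurgence. The event list, IP addresses and thresholds are constructed for illustration.

```python
"""Flag a resurgence of activity against an old CVE in honeypot request logs.

Added example, not Coalition's tooling. Events are (day, source_ip, cve);
real input would be parsed from the honeypot's request log.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed events: a trickle of probes, then a burst on 19 April.
EVENTS = [
    (date(2026, 4, 12), "198.51.100.7", "CVE-2025-57819"),
    (date(2026, 4, 14), "198.51.100.9", "CVE-2025-57819"),
    (date(2026, 4, 16), "203.0.113.4", "CVE-2025-57819"),
    (date(2026, 4, 17), "203.0.113.4", "CVE-2025-57819"),
]
# Burst: 40 events from 15 distinct hosts (constructed, much smaller than the
# 317 events / 105 IPs observed in the post).
EVENTS += [(date(2026, 4, 19), f"192.0.2.{i % 15}", "CVE-2025-57819") for i in range(40)]


def daily_stats(events, cve):
    """Return {day: (event_count, unique_source_ips)} for one CVE."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for day, ip, tag in events:
        if tag == cve:
            counts[day] += 1
            sources[day].add(ip)
    return {d: (counts[d], len(sources[d])) for d in counts}


def find_resurgence(events, cve, window_days=14, min_events=20, ratio=5.0):
    """Return [(day, events, unique_ips, baseline_per_day)] for days whose
    event count is both >= min_events and > ratio * the trailing daily
    average over window_days (floored at 1/day so a zero baseline does not
    flag every single probe)."""
    stats = daily_stats(events, cve)
    flagged = []
    for day in sorted(stats):
        trailing = [stats.get(day - timedelta(days=k), (0, 0))[0]
                    for k in range(1, window_days + 1)]
        baseline = sum(trailing) / window_days
        n, ips = stats[day]
        if n >= min_events and n > ratio * max(baseline, 1.0):
            flagged.append((day, n, ips, baseline))
    return flagged
```

A flagged day is the trigger for re-issuing an alert to policyholders still exposing the affected service, rather than treating the CVE as closed because its disclosure is months old.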

2. Large-scale aggregation drives nearly three-quarters of ZDAs

From April 20 to May 1, 2026, two notable risk aggregation events occurred: a breach at Vercel, a cloud development platform, and a critical vulnerability in cPanel, a widely deployed web hosting control panel. 

The root causes, attack vectors, and flaws behind both incidents were entirely different. Yet, they shine a singular light on the fragility of the tech ecosystem when platform-level hosting infrastructure is a target. The two aggregation events accounted for nearly three-quarters (74%) of policyholders that received ZDAs.

[Chart: Q2 ZDA notifications by vendor]

cPanel 

Coalition notified impacted policyholders of CVE-2026-41940 on April 29, 2026. 

The vulnerability allows remote attackers to bypass authentication and gain root access on WebHost Manager (WHM). With a CVSS score of 9.8 (near-top severity) and widespread usage (cPanel runs nearly 70 million domains), rapid remediation was crucial.

However, many policyholders have systems hosted with a web hosting provider and therefore rely on the web hosting provider to patch. Before sending ZDAs, Coalition reviewed the range of IP addresses across at-risk systems to determine which policyholders ran on-premises instances of cPanel and which relied on web hosting providers.

The policyholders with on-premises instances of cPanel received ZDAs. To avoid alert fatigue or confusion for those working with web hosting providers, the Coalition security team contacted web hosting providers directly to confirm that the patching was complete.
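The on-premises versus hosted split described above, as an added example that is not Coalition's tooling: each exposed cPanel/WHM address is checked against known hosting-provider address ranges; hits go on a "confirm patching with the provider" list, misses get a direct alert. The provider names, CIDR ranges and asset list are constructed and use documentation address space.

```python
"""Triage exposed cPanel/WHM instances into direct alerts vs provider follow-up.

Added example, not Coalition's code. HOSTING_RANGES would in practice come
from providers' published ranges or WHOIS/ASN data; both tables are constructed.
"""
import ipaddress

# Constructed provider -> address ranges (IPv4 and IPv6 both supported).
HOSTING_RANGES = {
    "ExampleHost": ["203.0.113.0/24"],
    "SampleCloud": ["2001:db8:1::/48", "198.51.100.128/25"],
}

# Constructed external-scan findings: exposed WHM panels per policyholder.
EXPOSED = [
    {"policyholder": "acme-dental", "ip": "203.0.113.42"},
    {"policyholder": "acme-dental", "ip": "198.51.100.10"},
    {"policyholder": "bluewater-llc", "ip": "2001:db8:1::7"},
    {"policyholder": "cityauto", "ip": "198.51.100.200"},
]


def provider_networks(ranges=HOSTING_RANGES):
    """Flatten the provider table into [(provider, ip_network)]."""
    return [(name, ipaddress.ip_network(cidr))
            for name, cidrs in ranges.items() for cidr in cidrs]


def classify(asset, networks=None):
    """Return ('hosted', provider) if the IP sits in a provider range,
    else ('on_prem', None)."""
    networks = provider_networks() if networks is None else networks
    addr = ipaddress.ip_address(asset["ip"])
    for provider, net in networks:
        # Compare only same-family addresses; 'in' raises on a mismatch.
        if addr.version == net.version and addr in net:
            return "hosted", provider
    return "on_prem", None


def triage(assets):
    """Return (notify, confirm): notify maps policyholder -> on-prem IPs that
    get a ZDA; confirm maps provider -> policyholders whose exposure depends
    on that provider having patched."""
    networks = provider_networks()
    notify, confirm = {}, {}
    for asset in assets:
        kind, provider = classify(asset, networks)
        if kind == "on_prem":
            notify.setdefault(asset["policyholder"], []).append(asset["ip"])
        else:
            confirm.setdefault(provider, set()).add(asset["policyholder"])
    return notify, confirm
```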

[Chart: number of honeypot events following the cPanel disclosure]

Following the initial vulnerability disclosure, we continued to see heightened activity through honeypot requests. The ransomware gang ‘Sorry’ capitalized on the cPanel vulnerability immediately after the disclosure, and other threat actors are visibly following suit in the aftermath, with a notable spike in early June 2026.

Vercel

On April 19, 2026, Coalition sent a ZDA to impacted policyholders following unauthorized access to internal systems at Vercel, a cloud platform for deploying and sometimes hosting web applications. According to public reporting, the incident originated with a compromise of Context.ai, a third-party tool used by a Vercel employee. The attacker used that access to take over the employee’s Google Workspace account and later break into Vercel environments.

The Vercel breach highlights how quickly a third-party compromise can escalate — no zero-days or unpatched vulnerabilities necessary. Attackers reached Vercel’s internal systems and customer data by abusing legitimate tools. Broad OAuth permissions for a third-party tool called Context.ai allowed attackers to move laterally and steal credentials, which ultimately gave them access to Vercel customer environments. 

Other vendors

Behind the large-scale aggregation events, we alerted most frequently on WordPress plugins (authored by third-party developers). These were followed in frequency by alerts related to boundary device vendors Citrix and BeyondTrust. This tracks with the findings from our Q1 90-Day Threat Retro, as both WordPress plugins and boundary devices led as the path of least resistance for attackers.

3. 56% of notified policyholders have fewer than 25 employees 

Prioritization is particularly challenging for small and midsize businesses (SMBs). The volume problem compounds when organizations have limited resources and a lack of visibility into asset inventories or third-party vendor sprawl.

Threat actors are making as much noise as possible and forcing organizations to keep up. Coalition aims to narrow the scope of alerts and only alert policyholders to the threats we deem relevant based on available telemetry, including cases where threats are actively being exploited or we believe exploitation is imminent. In addition, policyholders only hear from us when we are confident they are using the at-risk technology or software.

Employees per notified policyholder

[Chart: Q2 employee count of notified customers]

SMBs widely use both cPanel and Vercel to manage or ship websites without needing a dedicated IT department. These small organizations accounted for most of our alerts in the second quarter: 56% of all notified policyholders had fewer than 25 employees, a slight increase from Q1.

Notifications per policyholder

[Chart: Q2 number of ZDAs per notified policyholder]

The majority of policyholders (94%) did not receive a single alert from us at all. Of those that did, 95% received just one ZDA.

Policyholders notified by industry 

[Chart: Q2 percent of ZDA notifications by industry]

We observed a reasonably balanced dispersion of ZDAs sent across sectors. This is to be expected, as no industry is immune from the risk of aggregation events or vulnerable software.

Actionable insights that add up

In 2025, organizations had 50% more critical vulnerabilities to patch compared to the previous year. 

It’s no wonder that organizations are responding more slowly and attackers are breaking in more often. The formula for combating attackers? Timely, prioritized guidance and hands-on help to remediate vulnerabilities. 

Along with ZDAs, Coalition Control® — our cyber risk management platform — offers policyholders third-party risk management, attack surface monitoring across their external digital footprint, and action steps to reduce overall exposure and prevent threats before they strike.

Copyright © 2026. All rights reserved. Coalition, Coalition Control and the Coalition logo are trademarks of Coalition, Inc. All other products and company names are the intellectual property of their respective brand owners.