By May 4, 2026, multiple distinct threat actor groups were actively exploiting CVE-2026-41940 using publicly available proof-of-concept code, extending attacks beyond opportunistic web hosting targets to government and military networks in Southeast Asia. Cato Networks observed attackers using the exploit to deploy web shells and establish persistent access before lateral movement. Rapid7 rated the vulnerability as requiring immediate emergency patching given the combination of a 9.8 CVSS score, trivial exploit complexity, and a two-month head start attackers had over defenders.