'Copy Fail' Linux Flaw Hits CISA KEV as Active Exploitation Begins

CISA has added the “Copy Fail” Linux vulnerability to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. The flaw allows attackers to root Linux systems and exploitation began just one day after researchers at Theori published a public proof-of-concept exploit.

Microsoft separately observed limited exploitation, primarily associated with PoC testing, suggesting broader threat actor uptake is likely incoming. System administrators running Linux workloads should treat this as a priority patch — KEV listing triggers mandatory remediation deadlines for federal agencies and signals broad real-world risk for all organizations.

Review Theori’s disclosure and apply vendor patches immediately. Given the PoC is public and exploitation is confirmed, assume the attack window is short.