Critical cPanel Vulnerability Exploited to Target Government and MSP Networks
A previously unidentified threat actor has been observed targeting government and military entities in Southeast Asia, along with managed service providers (MSPs) and hosting providers in the Philippines, Laos, Canada, South Africa, and the United States. This campaign exploits a recently disclosed vulnerability in cPanel and WebHost Manager (WHM), specifically CVE-2026-41940, which allows for authentication bypass and grants remote attackers elevated control over the control panel.
The malicious activity was detected by cybersecurity firm Ctrl-Alt-Intel on May 2, 2026. The attacks originate from the IP address 95.111.250[.]175 and primarily target government and military domains in the Philippines (.mil.ph and .ph) and Laos (.gov.la), as well as MSPs and hosting providers. The attackers use publicly available proof-of-concept (PoC) exploits to carry out their operations.
In addition to exploiting the cPanel vulnerability, the threat actor employed a custom exploit chain against an Indonesian defense sector training portal prior to the cPanel attacks. This involved a combination of authenticated SQL injection and remote code execution. Notably, the attacker possessed valid credentials to the portal, which facilitated the exploitation process.
The attack methodology included using hard-coded credentials and bypassing the portal’s CAPTCHA by extracting the expected CAPTCHA value from the server-issued session cookie, rather than solving the challenge conventionally. Once authenticated and past the CAPTCHA, the attacker accessed a document-management function. The vulnerability was exploited by injecting SQL into the field used to save a document name when posting to the document-save endpoint.
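As an added illustration, not code from the article or from the affected portal, the following contrasts a CAPTCHA whose expected value is carried in a client-readable cookie (the design weakness described above) with one that keeps the answer server-side and binds the cookie to an opaque, single-use token. The function names, the in-memory challenge store and the sample answers are assumptions.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed server-side store of outstanding challenges (assumption: in a real
# deployment this would be a session backend, not a module-level dict).
_CHALLENGES = {}


def issue_captcha_insecure(answer: str) -> str:
    """Weak design: the expected answer itself is placed in the cookie, so any
    client can read it back instead of solving the challenge."""
    cookie = SimpleCookie()
    cookie["captcha"] = answer
    return cookie.output(header="").strip()


def issue_captcha_secure(answer: str) -> str:
    """Hardened design: the cookie carries only an unguessable token; the
    expected answer never leaves the server."""
    token = secrets.token_urlsafe(32)
    _CHALLENGES[token] = answer
    cookie = SimpleCookie()
    cookie["captcha_id"] = token
    cookie["captcha_id"]["httponly"] = True  # keep it out of reach of page scripts
    return cookie.output(header="").strip()


def cookie_leaks_answer(cookie_header: str, answer: str) -> bool:
    """Review check: does any cookie value equal the expected CAPTCHA answer?"""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    return any(morsel.value == answer for morsel in cookie.values())


def verify_captcha_secure(cookie_header: str, submitted: str) -> bool:
    """Look the token up server-side, consume it (single use) and compare in
    constant time. A wrong guess also burns the token, so it cannot be retried."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    token = cookie["captcha_id"].value if "captcha_id" in cookie else ""
    expected = _CHALLENGES.pop(token, None)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())
```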
Further analysis revealed that the threat actor uses the AdaptixC2 command-and-control (C2) framework to remotely control compromised endpoints. For persistent access to internal victim networks, the attacker established a durable access layer using OpenVPN, Ligolo, and systemd persistence, which was then used to pivot into internal networks and exfiltrate a substantial corpus of Chinese railway-sector documents.
The identity of the threat actor remains unknown. However, evidence suggests that the cPanel vulnerability is being exploited by multiple third parties within 24 hours of its public disclosure. These exploitations include deploying Mirai botnet variants and a ransomware strain called Sorry.
Data from the Shadowserver Foundation indicates that at least 44,000 IP addresses, likely compromised via CVE-2026-41940, engaged in scanning and brute-force attacks against its honeypots on April 30, 2026. By May 3, this figure had decreased to 3,540.
In response to these developments, cPanel has released a new version of the detection script to help reduce false positives. Users are strongly advised to apply the patches promptly and take steps to clean up their environments if indicators of compromise (IoCs) are detected.