Exploiting Critical cPanel Vulnerability: Targeting Government and MSP Networks

New Threat Actor Exploiting cPanel Vulnerability Targeting Government and Military Entities in Southeast Asia

An unidentified threat actor has been detected targeting government and military organizations in Southeast Asia, as well as a small group of managed service providers (MSPs) and hosting providers in various countries, by exploiting a recently disclosed vulnerability in cPanel.

On May 2, 2026, Ctrl-Alt-Intel discovered that the threat actor is taking advantage of CVE-2026-41940, a critical flaw in cPanel and WebHost Manager (WHM) that allows remote attackers to bypass authentication and gain control of the control panel.

The activity has been traced to the IP address “95.111.250[.]175” and relied on publicly available proof-of-concept (PoC) exploits; targets included government and military domains in the Philippines and Laos, as well as MSPs and hosting providers.
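One defender-side check that follows from the indicator above, written as an added example (not code from the report or from any vendor): refang the defanged IP the way it is printed in the article, then scan web-server access logs in Common Log Format for requests from it. The log lines are constructed for illustration and are not real traffic; the matching is exact-IP only, so any other indicators would have to be added to the set.

```python
import re
from typing import Dict, Iterable, List

# Indicator from the report, kept in the defanged form the article prints.
DEFANGED_IOCS = {"95.111.250[.]175"}


def refang(indicator: str) -> str:
    """Convert a defanged indicator such as 95.111.250[.]175 into a matchable string."""
    return indicator.replace("[.]", ".")


IOC_IPS = {refang(i) for i in DEFANGED_IOCS}

# Apache/cPanel-style Common Log Format: the client IP is the first field.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)


def scan_access_log(lines: Iterable[str], iocs=IOC_IPS) -> List[Dict[str, object]]:
    """Return one record per log line whose client IP is in the IoC set.

    Lines that do not parse are skipped rather than raising, so a partially
    corrupted log still yields the hits it does contain.
    """
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m or m.group("ip") not in iocs:
            continue
        hits.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "request": m.group("request"),
            "status": int(m.group("status")),
        })
    return hits


# Constructed sample lines (not real log data): two from the reported IoC,
# two benign, one malformed.
SAMPLE_LOG = [
    '95.111.250.175 - - [02/May/2026:10:14:03 +0000] "GET /login HTTP/1.1" 200 512',
    '203.0.113.7 - - [02/May/2026:10:14:09 +0000] "GET / HTTP/1.1" 200 2048',
    '95.111.250.175 - - [02/May/2026:10:14:15 +0000] "POST /login HTTP/1.1" 302 0',
    'this line is not in common log format',
    '198.51.100.23 - - [02/May/2026:10:15:01 +0000] "GET /index.html HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f'{hit["timestamp"]} {hit["ip"]} {hit["request"]} -> {hit["status"]}')
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; a hit is a reason to check that host against the cPanel detection script and patch level, not proof of compromise on its own.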

Ctrl-Alt-Intel also reported that, before the cPanel attacks, the threat actor used a custom exploit chain against an Indonesian defense-sector training portal. The chain combined authenticated SQL injection with remote code execution; the attacker held valid credentials for the portal.

The attacker’s tactics included the use of hard-coded credentials and a bypass of the portal’s CAPTCHA, which was possible because the expected value could be read from the server-issued session cookie. Once authenticated, the attacker injected SQL through the document name field.
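The CAPTCHA weakness described above, as an added illustration that is not code from the portal or from Ctrl-Alt-Intel's report (the cookie names, the answer strings and the in-memory challenge store are assumptions): the weak design hands the expected answer to the client in a cookie, so the server never holds a secret the client lacks, while the hardened design keeps the answer server-side behind an opaque, single-use token with an expiry and a constant-time comparison.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class Challenge:
    answer: str
    issued_at: float
    used: bool = False


# --- Weak design: the expected CAPTCHA answer rides in a client-readable cookie.
def weak_issue(answer: str) -> Dict[str, str]:
    """Return the cookies the weak portal would set; the answer itself is among them."""
    return {"session": secrets.token_hex(8), "captcha_expected": answer}


def weak_verify(cookies: Dict[str, str], submitted: str) -> bool:
    # Compares the submission with a value the client controls, so the check
    # proves nothing about whether a human solved anything.
    return cookies.get("captcha_expected") == submitted


# --- Hardened design: the answer stays server-side, keyed by an opaque token.
class CaptchaStore:
    """Hypothetical in-memory store; a real deployment would use a shared cache."""

    def __init__(self, ttl_seconds: float = 300.0, clock: Callable[[], float] = time.time):
        self.ttl = ttl_seconds
        self._clock = clock
        self._challenges: Dict[str, Challenge] = {}

    def issue(self, answer: str) -> Dict[str, str]:
        """Return the cookies to set: only an opaque token reaches the client."""
        token = secrets.token_urlsafe(32)
        self._challenges[token] = Challenge(answer=answer, issued_at=self._clock())
        return {"captcha_token": token}

    def verify(self, cookies: Dict[str, str], submitted: str) -> bool:
        token = cookies.get("captcha_token")
        ch = self._challenges.get(token) if token else None
        if ch is None or ch.used:
            return False
        ch.used = True  # single use whether or not the answer is right
        if self._clock() - ch.issued_at > self.ttl:
            return False
        return hmac.compare_digest(ch.answer.encode(), submitted.encode())


def cookie_reveals_answer(cookies: Dict[str, str], answer: str) -> bool:
    """True if the secret answer appears verbatim in any cookie value."""
    return any(answer == value for value in cookies.values())


if __name__ == "__main__":
    weak = weak_issue("7k3p")
    print("weak design leaks answer in cookies:", cookie_reveals_answer(weak, "7k3p"))
    store = CaptchaStore()
    hardened = store.issue("7k3p")
    print("hardened design leaks answer in cookies:", cookie_reveals_answer(hardened, "7k3p"))
```

The single-use rule is applied before the answer is compared, so a wrong guess burns the challenge and a new image must be issued; that, plus the expiry, is what stops a stored answer from being replayed.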

Remote Commandeering and Data Exfiltration

Analysis showed that the threat actor deployed the AdaptixC2 command-and-control (C2) framework to remotely control the compromised endpoint. Additionally, tools like OpenVPN and Ligolo were used to maintain persistent access to victim networks.

The attacker established a durable access layer using OpenVPN, Ligolo, and systemd persistence, which allowed them to pivot into internal networks and exfiltrate a large volume of Chinese railway-sector documents.

Multiple Third-Party Exploitation and Mitigation Efforts

Censys reported evidence of multiple third parties weaponizing the cPanel vulnerability within 24 hours of its public disclosure. This included deploying Mirai botnet variants and a ransomware strain known as Sorry.

Shadowserver Foundation data showed at least 44,000 IP addresses, likely compromised via CVE-2026-41940, scanning and brute-forcing honeypots; by May 3 that count had dropped to 3,540.

cPanel has released a new version of the detection script to address false positives. Users are advised to apply patches promptly and clean up their environments if indicators of compromise (IoCs) are detected.