A recent cyber attack has targeted the infrastructure of government and military entities in Southeast Asia. The breach began with the rapid exploitation of a critical cPanel authentication bypass vulnerability, leading to the exfiltration of sensitive data from the Chinese railway sector.
Exploiting cPanel Vulnerabilities
The attackers utilized CVE-2026-41940, a severe flaw in cPanel and WHM software, which allowed unauthorized access. This vulnerability involved a CRLF injection in the login process, enabling attackers to manipulate session cookies and gain administrative access without credentials.
Even before a patch was released on April 28, 2026, this flaw was actively exploited, prompting CISA to add it to the Known Exploited Vulnerabilities list. The breach was part of a larger operation discovered through a compromised command-and-control (C2) server.
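The flaw class named above, CRLF injection into a login flow that sets cookies, is worth seeing from the defender's side: any value that reaches a response header must be rejected if it carries a carriage return or line feed, and access logs can be swept for the same sequences to support the log review recommended at the end of the article. The following is an added example, not code from cPanel, WHM or the original report; the log lines are constructed in a generic access-log layout, and the `/login` path is a placeholder rather than a real cPanel endpoint.

```python
import re
from urllib.parse import unquote

# Characters that end an HTTP header line. If one of them lands inside a
# Set-Cookie (or any other) header value, the sender can append headers of
# their own choosing, which is the CRLF-injection class of bug.
_CRLF_RAW = re.compile(r"[\r\n]")
# Percent-encoded forms as they appear in request targets (%0d, %0a, any case).
_CRLF_ENCODED = re.compile(r"%0[dDaA]")


def contains_crlf(value: str) -> bool:
    """True if value holds a raw or URL-encoded CR/LF, before or after decoding."""
    if _CRLF_RAW.search(value) or _CRLF_ENCODED.search(value):
        return True
    # Double-encoding (e.g. %250d) decodes to %0d on the first pass and to a
    # raw CR on the second, so decode twice before the final raw check.
    return bool(_CRLF_RAW.search(unquote(unquote(value))))


def set_cookie_header(name: str, value: str) -> str:
    """Build a Set-Cookie header, refusing any value that could split it."""
    if contains_crlf(name) or contains_crlf(value):
        raise ValueError("CR/LF not permitted in cookie name or value")
    return f"Set-Cookie: {name}={value}; HttpOnly; Secure"


# Constructed sample lines (not real cPanel logs); only the second and fourth
# carry CR/LF sequences in the request target.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Apr/2026:10:01:02 +0000] "POST /login HTTP/1.1" 200 512
203.0.113.9 - - [28/Apr/2026:10:01:07 +0000] "GET /login?user=admin%0d%0aSet-Cookie:%20session=x HTTP/1.1" 302 0
198.51.100.2 - - [28/Apr/2026:10:02:11 +0000] "GET /static/app.css HTTP/1.1" 200 2048
198.51.100.7 - - [28/Apr/2026:10:03:40 +0000] "POST /login?next=%250d%250aX-Injected:1 HTTP/1.1" 200 512
"""

_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def scan_access_log(text: str) -> list[str]:
    """Return the request targets that contain raw or encoded CR/LF sequences."""
    hits = []
    for line in text.splitlines():
        m = _REQUEST.search(line)
        if m and contains_crlf(m.group("target")):
            hits.append(m.group("target"))
    return hits


if __name__ == "__main__":
    for target in scan_access_log(SAMPLE_LOG):
        print("suspicious request:", target)
```

The header check and the log sweep share one predicate on purpose: the same encodings an application must refuse on the way out are the ones worth hunting for on the way in. A scan over real logs should also cover POST bodies where they are logged, since a query string is only one place such input arrives.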
Advanced Exploit Techniques
The attackers also exploited a vulnerability specific to an Indonesian defense portal. By using valid credentials and bypassing CAPTCHA through session cookie manipulation, they accessed sensitive systems. SQL injection techniques were then employed to escalate to operating system-level access.
This was achieved by leveraging PostgreSQL’s capabilities to execute arbitrary commands. The attackers captured command outputs and reintegrated them into the system using stealthy methods, making detection difficult.
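The escalation path described here starts with an injectable query, so the primary control is to make user input a bound parameter rather than part of the SQL text. The block below is an added example, not code from the portal or the report; it uses Python's built-in sqlite3 module as an in-memory stand-in for the portal's PostgreSQL database (an assumption made so the example runs offline; the parameter-binding point is the same in PostgreSQL drivers), and the table contents and the tautology input are constructed.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's database (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id INTEGER, owner TEXT, title TEXT)")
    conn.executemany(
        "INSERT INTO documents VALUES (?, ?, ?)",
        [(1, "alice", "budget-2026"), (2, "bob", "roster"), (3, "carol", "sitemap")],
    )
    return conn


def titles_vulnerable(conn: sqlite3.Connection, owner: str) -> list[str]:
    """String concatenation: the caller's input becomes part of the SQL text."""
    sql = "SELECT title FROM documents WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def titles_parameterised(conn: sqlite3.Connection, owner: str) -> list[str]:
    """Bound parameter: the input is only ever a value, never SQL."""
    rows = conn.execute("SELECT title FROM documents WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


# Textbook tautology input, used only to show the difference in behaviour.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print(titles_vulnerable(conn, PAYLOAD))     # every row is returned
    print(titles_parameterised(conn, PAYLOAD))  # no owner has that literal name
```

Parameterisation removes the injection; the second layer, which decides whether an injection that does slip through can reach the operating system, is the privilege of the database role the application connects with. On PostgreSQL, `SELECT rolsuper FROM pg_roles WHERE rolname = current_user;` returning true for the application's role is a finding in its own right, since only superusers and specifically granted roles can have the server run programs or read and write server files.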
Data Exfiltration and Persistence
To maintain access, the attackers used a combination of OpenVPN and Ligolo, ensuring persistent re-entry even after system reboots. They routed through a VPN server and installed proxy agents under hidden directories, disguising them as legitimate services.
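Persistence that survives reboots on a Linux host usually means a service definition, and the "hidden directory disguised as a legitimate service" pattern leaves a detectable trace: the unit's ExecStart points at a path under a dot-directory or a temporary filesystem. The block below is an added detection example, not tooling from the report; the unit files, service names, paths and address are all constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Constructed unit files keyed by path; nothing here is recovered from the incident.
SAMPLE_UNITS = {
    "/etc/systemd/system/sshd.service": """\
[Unit]
Description=OpenSSH server daemon
[Service]
ExecStart=/usr/sbin/sshd -D
""",
    "/etc/systemd/system/systemd-networkd-helper.service": """\
[Unit]
Description=Network helper
[Service]
ExecStart=/var/lib/.cache/agent -connect 203.0.113.10:443
Restart=always
""",
    "/etc/systemd/system/update-check.service": """\
[Unit]
Description=Update check
[Service]
ExecStart=/bin/sh -c "/dev/shm/.x/run"
""",
}

# Directories from which a legitimate service binary is not expected to start.
SUSPECT_PREFIXES = ("/tmp", "/dev/shm", "/var/tmp")
# Exec lines, allowing systemd's optional "-" and "@" prefixes before the command.
_EXEC = re.compile(r"^Exec(?:Start|StartPre|StartPost)=-?@?(?P<cmd>.+)$", re.MULTILINE)
# Absolute paths anywhere in a command line, including inside quotes.
_PATH = re.compile(r"(?<![\w-])/[\w./-]+")


def suspicious_paths(cmdline: str) -> list[str]:
    """Absolute paths in a command line that sit in a hidden or temporary directory."""
    found = []
    for p in _PATH.findall(cmdline):
        parts = PurePosixPath(p).parts[1:-1]  # directory components only
        hidden = any(part.startswith(".") for part in parts)
        temp = any(p == pre or p.startswith(pre + "/") for pre in SUSPECT_PREFIXES)
        if hidden or temp:
            found.append(p)
    return found


def audit_units(units: dict[str, str]) -> dict[str, list[str]]:
    """Map unit path -> flagged paths, for every unit with at least one hit."""
    findings = {}
    for unit_path, body in units.items():
        flagged = []
        for m in _EXEC.finditer(body):
            flagged.extend(suspicious_paths(m.group("cmd")))
        if flagged:
            findings[unit_path] = flagged
    return findings


if __name__ == "__main__":
    for unit, paths in audit_units(SAMPLE_UNITS).items():
        print(f"{unit}: {', '.join(paths)}")
```

On a live host the same function can be fed the contents of `/etc/systemd/system` and `/usr/lib/systemd/system` read from disk; a convincing service name, as in the second sample unit, is exactly why the check keys on where the binary lives rather than on what the unit calls itself. Cron entries, rc scripts and user-level units are separate persistence locations that this sweep does not cover.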
Using these methods, approximately 4.37GB of sensitive documents were exfiltrated from the China Railway Society. The stolen data included financial workbooks containing personal information and state-related data, hinting at a targeted intelligence gathering effort.
Security organizations urge those using cPanel/WHM to upgrade to the latest versions and review server logs for any signs of compromise. The attack highlights the need for robust cybersecurity measures to protect sensitive infrastructure.
