A newly identified threat actor has been exploiting a critical cPanel vulnerability to target governmental and military networks in Southeast Asia, alongside managed service providers (MSPs) and hosting companies in multiple countries, including the Philippines, Laos, Canada, South Africa, and the United States. This activity, first observed by cybersecurity firm Ctrl-Alt-Intel on May 2, 2026, takes advantage of the vulnerability identified as CVE-2026-41940. This flaw in cPanel and WebHost Manager (WHM) allows attackers to bypass authentication, potentially granting them elevated control over the system.
Exploitation of cPanel Vulnerability
The attacks have been traced back to the IP address ‘95.111.250[.]175’, with a primary focus on governmental and military domains in the Philippines and Laos, as well as MSPs and hosting providers. The attackers use publicly available proof-of-concept (PoC) exploits rather than custom tooling. This aggressive exploitation underscores the critical nature of the CVE-2026-41940 vulnerability and its potential impact on sensitive networks.
In addition to targeting cPanel, the threat actor reportedly developed a separate exploit chain for an Indonesian defense sector training portal. This involved a combination of authenticated SQL injection and remote code execution, facilitated by previously obtained valid credentials. The attackers circumvented CAPTCHA security by extracting the expected value from the session cookie, thereby gaining unauthorized access to sensitive functionalities.
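The CAPTCHA weakness described above, a check whose expected value travels in a cookie the client can read, is illustrated here in Python. This is an added example, not the portal's code, and assumes nothing about its implementation: the flawed pattern sits beside a hardened one that keeps the answer server-side, binds it to an opaque single-use token, and compares in constant time.

```python
import hmac
import secrets
import time

# Constructed illustration; not derived from the affected portal.

# Flawed pattern: the expected answer is stored in the cookie itself, so whoever
# holds the cookie jar can satisfy the check without ever viewing the image.
def vulnerable_issue_challenge():
    answer = f"{secrets.randbelow(10**6):06d}"
    return {"captcha": answer}          # answer is sent to the client in the clear

def vulnerable_verify(cookies, submitted):
    return cookies.get("captcha") == submitted

# Hardened pattern: the cookie carries only an opaque token; the answer stays in
# server-side state, expires, is consumed on first use and is compared in
# constant time. _PENDING stands in for a real server-side session store.
_PENDING = {}            # token -> (answer, expiry_epoch_seconds)
TTL_SECONDS = 300

def hardened_issue_challenge(now=None):
    now = time.time() if now is None else now
    answer = f"{secrets.randbelow(10**6):06d}"
    token = secrets.token_urlsafe(32)
    _PENDING[token] = (answer, now + TTL_SECONDS)
    # The answer is returned only so the caller can render it into the image;
    # nothing about it is placed in the cookie.
    return {"captcha_token": token}, answer

def hardened_verify(cookies, submitted, now=None):
    now = time.time() if now is None else now
    entry = _PENDING.pop(cookies.get("captcha_token"), None)  # single use
    if entry is None:
        return False
    answer, expiry = entry
    if now > expiry:
        return False
    return hmac.compare_digest(answer.encode(), submitted.encode())

# Defender's self-test: does any raw cookie value, submitted as the answer,
# pass the verifier? True means the cookie discloses the expected value.
def cookie_discloses_answer(cookies, verify):
    return any(verify(dict(cookies), value) for value in cookies.values())
```

Running `cookie_discloses_answer` against each verifier shows the flawed check accepting its own cookie value while the hardened check rejects it; the hardened verifier also refuses replays and expired tokens.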
Advanced Command-and-Control Techniques
The threat actor has been utilizing the AdapdixC2 command-and-control (C2) framework to maintain control over compromised systems. Tools such as OpenVPN and Ligolo have been employed to ensure persistent access and to enable lateral movement within internal networks. This sophisticated access strategy allowed the attackers to exfiltrate a large volume of documents, particularly from the Chinese railway sector.
Despite the significant activity, the identity of the group behind these intrusions remains unknown. However, the rapid weaponization of the cPanel vulnerability is highlighted by Censys, which reported multiple third-party exploitation attempts, including the deployment of Mirai botnet variants and a ransomware strain named Sorry, shortly after the vulnerability’s disclosure.
Ongoing Impact and Future Threats
Data from the Shadowserver Foundation reveals that at least 44,000 IP addresses were likely compromised via CVE-2026-41940, actively engaging in scanning and brute-force attacks against honeypots as of April 30, 2026. By May 3, this number had decreased significantly to 3,540, indicating a reduction in active exploitation. The situation remains fluid, and organizations using cPanel are urged to implement necessary patches and security measures to protect their systems from ongoing threats.
The emergence of such a significant vulnerability in cPanel underscores the importance of timely software updates and the need for heightened vigilance in safeguarding sensitive networks. As cybersecurity threats continue to evolve, proactive measures and rapid responses are crucial to mitigating potential damages.
