Critical cPanel Vulnerability Actively Exploited Against Government and MSP Infrastructure
- May 4
- 3 min read
Key Findings
Unknown threat actor exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel and WHM, targeting government and military entities in Southeast Asia
Attack infrastructure originating from IP address 95.111.250[.]175, primarily focusing on Philippines and Laos government and military domains
Concurrent targeting of MSPs and hosting providers across Philippines, Laos, Canada, South Africa, and the United States using publicly available proof-of-concepts
Same actor employed custom exploit chain against Indonesian defense sector training portal using SQL injection and remote code execution
Stolen data includes approximately 110 files totaling 4.37GB from Chinese railway sector organizations, containing technical and sensitive personal information
AdaptixC2 command-and-control framework used for remote access, combined with OpenVPN and Ligolo for persistent network tunneling
Activity detected May 2, 2026, following public vulnerability disclosure, indicating rapid weaponization
Background
CVE-2026-41940 affects cPanel and WebHost Manager versions after 11.40, allowing remote attackers to bypass authentication mechanisms and gain elevated control of the control panel. The vulnerability was first disclosed by watchTowr researchers and immediately exploited in the wild. cPanel is a widely used graphical interface for managing websites and servers, making it a high-value target for attackers seeking access to multiple hosted environments simultaneously.
Initial Attack Vector
The threat actor leveraged publicly available proof-of-concept exploits to systematically target vulnerable cPanel installations. Ctrl-Alt-Intel researchers discovered an exposed attacker staging server that provided direct visibility into the operation, revealing interactive targeting patterns suggesting manual reconnaissance and exploitation efforts rather than fully automated attacks.
Indonesian Defense Portal Exploitation
Prior to the cPanel campaign, the same actor developed a sophisticated custom exploit chain targeting an Indonesian defense sector training portal. The attacker possessed valid credentials to the system and defeated the portal's CAPTCHA protection by extracting expected values from session cookies rather than solving challenges legitimately. Once authenticated, the actor injected SQL code into a document-naming field on the document-save endpoint, escalating access to remote code execution capabilities.
Command and Control Infrastructure
The threat actor established durable access using AdaptixC2 as the primary command-and-control framework, supplemented by OpenVPN and Ligolo networking tools. These tools enabled persistent access and lateral movement within compromised networks. Custom systemd persistence mechanisms were deployed to maintain access across system reboots.
Chinese Railway Data Theft
Analysis of exfiltrated materials revealed approximately 4.37GB of stolen data related to the China Railway Society Electrification Committee and affiliated organizations. The dataset included technical documents on railway electrification systems alongside sensitive personal information including identification numbers, banking details, and contact information tied to CCP-aligned scientific networks.
Attribution and Broader Context
The threat actor remains unattributed to any specific nation or group. While Vietnamese language artifacts appeared in attack scripts, researchers considered these unreliable for attribution purposes, potentially representing deliberate misdirection. The combination of targeting Southeast Asian military and government infrastructure while exfiltrating Chinese transport sector data suggests a coordinated regional intelligence collection effort.
Industry Impact and Wider Exploitation
Within 24 hours of CVE-2026-41940 public disclosure, Censys documented evidence of multiple threat actors weaponizing the vulnerability. Deployments included Mirai botnet variants and a ransomware strain called Sorry. Shadowserver Foundation data indicated approximately 44,000 IP addresses likely compromised through the vulnerability were engaged in scanning and brute-force attacks against honeypots as of April 30, with the figure declining to 3,540 by May 3.
Remediation Recommendations
Organizations running vulnerable cPanel versions should prioritize applying available patches immediately. cPanel released updated detection scripts to help identify compromised systems with reduced false positives. Network defenders should investigate for indicators of compromise and conduct thorough environment cleanup, including scanning for AdaptixC2 payloads, unauthorized VPN configurations, and persistence mechanisms using systemd services.
Sources
https://thehackernews.com/2026/05/critical-cpanel-vulnerability.html
https://securityaffairs.com/191666/breaking-news/hackers-target-governments-and-msps-via-critical-cpanel-flaw-cve-2026-41940.html
https://www.socdefenders.ai/item/b8b9a4bf-d48e-4f6f-9233-badcfa20f7de
https://www.cypro.se/2026/05/04/critical-cpanel-vulnerability-weaponized-to-target-government-and-msp-networks/
https://www.linkedin.com/posts/the-cyber-security-hub_critical-cpanel-vulnerability-weaponized-activity-7457140184976003073-fBjm
https://www.linkedin.com/posts/stamper_critical-cpanel-vulnerability-weaponized-activity-7457083638757830656-5SMj

Comments