Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks

Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks Ravie LakshmananMay 04, 2026Vulnerability / Network Security A previously unknown threat actor has been observed targeting government and military entities in Southeast Asia, alongside a smaller cluster of managed service providers (MSPs) and hosting providers in the Philippines, Laos, Canada, South Africa, and the U.S., by exploiting the recently disclosed vulnerability in cPanel. The activity, detected by Ctrl-Alt-Intel on May 2, 2026, involves the abuse of CVE-2026-41940, a critical vulnerability in cPanel and WebHost Manager (WHM) that could result in an authentication bypass and allow remote attackers to gain elevated control of the control panel. The attack efforts have originated from the IP address "95.111.250[.]175," primarily singling out government and military domains associated with the Philippines (*.mil.ph and (*.ph)) and Laos (*.gov.la), as well as MSPs and hosting providers, using publicly-available proof-of-concepts (PoCs). In addition, Ctrl-Alt-Intel revealed that the threat actor used a separate custom exploit chain for an Indonesian defense sector training portal prior to the cPanel attacks, employing a combination of authenticated SQL injection and remote code execution. In this case, the attacker is said to have already been in possession of valid credentials to the portal in question. "The script uses hard-coded credentials and defeats the portal's CAPTCHA by reading the expected CAPTCHA value out of the server-issued session cookie rather than solving the challenge normally," Ctrl-Alt-Intel said. "Once authenticated and passing the CAPTCHA, the actor moves to a document-management function. The vulnerable parameter is the field used to save a document name, and the script injects SQL into that field when posting to the document-save endpoint." Further analysis has determined that the threat actor is using the AdaptixC2 command-and-control (C2) framework to remotely commandeer the compromised endpoint. Also used are tools like OpenVPN and Ligolo to facilitate persistent access to internal victim networks. "The actor built a durable access layer using OpenVPN, Ligolo, systemd persistence, and then used that access to pivot into an internal network and exfiltrate a substantial corpus of Chinese railway-sector documents," Ctrl-Alt-Intel added. It's currently not known who is behind the campaign, but the development comes as Censys said it uncovered evidence suggesting the cPanel vulnerability is being weaponized by multiple third-parties within 24 hours of public disclosure, including deploying Mirai botnet variants and a ransomware strain called Sorry. Per data from the Shadowserver Foundation, at least 44,000 IP addresses likely compromised via CVE-2026-41940 are said to have engaged in scanning and brute-force attacks against its honeypots on April 30, 2026. As of May 3, the figure has dropped to 3,540.  The development comes as cPanel has made available a new version of the detection script to help further remove additional false positives. Users are recommended to apply the patches as soon as possible and take steps to clean up the environment if indicators of compromise (IoCs) are detected. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  botnet, cybersecurity, data breach, Malware, network security, ransomware, Vulnerability, web hosting ⚡ Top Stories This Week Critical cPanel Authentication Vulnerability Identified — Update Your Server Immediately Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain Apple Fixes iOS Flaw That Let FBI Recover Deleted Signal Messages FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, ProxySmart SIM Farms +25 New Stories Vercel Finds More Compromised Accounts in Context.ai-Linked Breach Checkmarx Confirms GitHub Repository Data Posted on Dark Web After March 23 Attack Chinese Silk Typhoon Hacker Extradited to U.S. Over COVID Research Cyberattacks Harvester Deploys Linux GoGra Backdoor in South Asia Using Microsoft Graph API Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202 Researchers Uncover Pre-Stuxnet ‘fast16’ Malware Targeting Engineering Software Microsoft Patches Entra ID Role Flaw That Enabled Service Principal Takeover Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign ⚡ Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdoor, AI Employee Tracking and More Load More ▼ ⭐ Featured Resources [Guide] How to Enable Secure Data Movement Without Added Risk [Webinar] Stop Chasing Alerts and Start Focusing on Real Exposures [Guide] Learn a Practical Framework to Evaluate AI Tools for Production Learn How Hidden Identity Blind Spots Weaken Your Security Systems