Hackers Exploit Critical cPanel Flaw to Breach Governments and Hosting Firms

The threat actor also used a prior custom exploit chain involving SQL injection and CAPTCHA bypass against an Indonesian defense training portal before pivoting to cPanel attacks.

CSBadmin

Attack Targets Governments and MSPs

A previously unknown threat actor has been observed launching targeted attacks against government and military entities in Southeast Asia, as well as managed service providers (MSPs) and hosting companies in the Philippines, Laos, Canada, South Africa, and the United States. The attackers are exploiting a recently disclosed critical vulnerability in cPanel and WebHost Manager (WHM). The activity was first detected by Ctrl-Alt-Intel on May 2, 2026. The attacks originate from the IP address 95.111.250.175 and primarily focus on Philippine military domains (*.mil.ph) and Laotian government domains (*.gov.la).

Exploit Chain and Persistence Methods

The vulnerability exploited is CVE-2026-41940 (https://cve.org/CVE-2026-41940), a critical authentication bypass flaw that allows remote attackers to gain elevated control over the control panel. The threat actor used publicly available proof-of-concept code to compromise targets. Before the cPanel attacks, the same actor used a custom exploit chain against an Indonesian defense-sector training portal, combining authenticated SQL injection and remote code execution. The actor possessed valid credentials for that portal and defeated its CAPTCHA by reading the expected value from the server-issued session cookie. After gaining initial access, the attackers deploy the AdaptixC2 command-and-control framework, along with OpenVPN and Ligolo, to establish persistent access and pivot into internal networks. They successfully exfiltrated a large collection of Chinese railway sector documents.
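The CAPTCHA weakness described above comes down to where the expected answer lives. The following added example (not code from the article or from the affected portal) contrasts a constructed weak design, in which the answer is embedded in the session cookie and is therefore readable by whoever holds the cookie, with a server-side store that hands the client only an opaque, single-use, expiring token. The `CaptchaStore` class, the cookie format and the sample answers are all assumptions made for illustration.

```python
from __future__ import annotations

import hmac
import json
import secrets
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode

# --- Weak design (constructed illustration of the flaw in the article) ---
# The expected answer is serialized into the cookie itself. Encoding is not
# encryption: the client can decode the cookie and recover the answer.

def weak_issue_cookie(answer: str) -> str:
    """Build a session cookie that carries the CAPTCHA answer in the clear."""
    payload = json.dumps({"captcha": answer}).encode()
    return urlsafe_b64encode(payload).decode()

def weak_answer_from_cookie(cookie: str) -> str:
    """Demonstrates the audit finding: the answer is recoverable from the cookie."""
    return json.loads(urlsafe_b64decode(cookie.encode()))["captcha"]

def weak_verify(cookie: str, submitted: str) -> bool:
    """Verification that trusts client-held state; passes for anyone who read the cookie."""
    return weak_answer_from_cookie(cookie) == submitted


# --- Hardened design (assumed fix; not the portal's actual code) ---
# The answer stays on the server, keyed by a random token. The cookie value
# reveals nothing, each challenge is single-use, and stale challenges expire.

class CaptchaStore:
    def __init__(self, ttl_seconds: int = 300) -> None:
        self.ttl = ttl_seconds
        # token -> (expected answer, expiry timestamp); would be Redis/DB in production
        self._pending: dict[str, tuple[str, float]] = {}

    def issue(self, answer: str, now: float | None = None) -> str:
        """Register a challenge and return the opaque token to place in the cookie."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._pending[token] = (answer, now + self.ttl)
        return token

    def verify(self, token: str, submitted: str, now: float | None = None) -> bool:
        """Consume the challenge; False if unknown, already used, expired, or wrong."""
        now = time.time() if now is None else now
        entry = self._pending.pop(token, None)  # pop => single use even on failure
        if entry is None:
            return False
        answer, expires = entry
        if now > expires:
            return False
        # Constant-time comparison avoids leaking the answer through timing.
        return hmac.compare_digest(answer.encode(), submitted.encode())


if __name__ == "__main__":
    cookie = weak_issue_cookie("k7m2q")                 # constructed sample answer
    print("weak cookie leaks:", weak_answer_from_cookie(cookie))
    store = CaptchaStore(ttl_seconds=60)
    tok = store.issue("k7m2q")
    print("hardened token:", tok, "verify:", store.verify(tok, "k7m2q"))
```

The point of the contrast is that the hardened path never sends the answer (or anything derived from it) to the client; the `pop` on lookup makes replay of a once-correct token fail, and the expiry bounds how long a harvested token stays usable.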

Broader Weaponization and Recommendations

Multiple third parties began weaponizing CVE-2026-41940 within 24 hours of its public disclosure. Censys reported that attackers are deploying Mirai botnet variants and a ransomware strain called Sorry. According to the Shadowserver Foundation, approximately 44,000 IP addresses engaged in scanning and brute-force attacks against its honeypots on April 30, 2026. By May 3, that number had dropped to 3,540. cPanel has released an updated detection script to reduce false positives. Users are strongly advised to apply patches immediately and to clean their environments if indicators of compromise are found.
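The recommendation to check for indicators of compromise can be turned into a quick log sweep. The added example below is not from the article or from cPanel; it matches the source IP named in the article against constructed web-server access-log lines (Apache combined format with the virtual host as the first field) and flags requests to the domain families the article says were targeted. The hostnames, timestamps and request paths in the sample are constructed for illustration.

```python
import re
from collections import Counter

# Indicator reported in the article.
IOC_IPS = {"95.111.250.175"}
# Domain families the article says the activity focused on.
TARGET_DOMAIN_SUFFIXES = (".mil.ph", ".gov.la")

# Apache "%v %h %l %u %t \"%r\" %>s %b" (vhost first, then combined-format fields).
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log; hostnames and paths are illustrative only.
SAMPLE_LOG = """\
portal.example.mil.ph 95.111.250.175 - - [02/May/2026:03:14:07 +0000] "POST / HTTP/1.1" 302 512
www.example.com 203.0.113.9 - - [02/May/2026:03:14:09 +0000] "GET /index.html HTTP/1.1" 200 2048
intranet.example.gov.la 95.111.250.175 - - [02/May/2026:03:15:30 +0000] "GET / HTTP/1.1" 200 10240
intranet.example.gov.la 198.51.100.7 - - [02/May/2026:03:16:02 +0000] "GET /about.html HTTP/1.1" 200 4096
this line is not a valid access-log record
"""


def scan(log_text: str) -> list[dict]:
    """Return one record per line that hits an IoC IP or a targeted domain family."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skipped, never silently matched
        rec = m.groupdict()
        reasons = []
        if rec["ip"] in IOC_IPS:
            reasons.append("ioc-ip")
        if rec["vhost"].endswith(TARGET_DOMAIN_SUFFIXES):
            reasons.append("targeted-domain")
        if reasons:
            hits.append({"ip": rec["ip"], "vhost": rec["vhost"],
                         "ts": rec["ts"], "path": rec["path"], "reasons": reasons})
    return hits


def ioc_summary(log_text: str) -> Counter:
    """Count requests per IoC IP; non-zero means the host needs incident handling."""
    return Counter(h["ip"] for h in scan(log_text) if "ioc-ip" in h["reasons"])


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print("IoC hits:", dict(ioc_summary(SAMPLE_LOG)))
```

A "targeted-domain" reason on its own is informational (legitimate traffic to those zones is expected); an "ioc-ip" reason is the actionable signal, and a non-empty summary should trigger the cleanup the article advises rather than just a patch.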

Source: The Hacker News

CSBadmin

The latest in cybersecurity news and updates.
