2026-05-04 00:00
A previously unknown threat actor has been observed targeting government and military entities in Southeast Asia, alongside a smaller cluster of managed service providers (MSPs) and hosting providers in the Philippines, Laos, Canada, South Africa, and the U.S., by exploiting the recently disclosed vulnerability in cPanel.

The activity, detected by Ctrl-Alt-Intel on May 2, 2026, involves the abuse of CVE-2026-41940, a critical vulnerability in cPanel and WebHost Manager (WHM) that could result in an authentication bypass and allow remote attackers to gain elevated control of the control panel.

The attacks have originated from the IP address "95.111.250[.]175," primarily singling out government and military domains associated with the Philippines (*.mil.ph and *.ph) and Laos (*.gov.la), as well as MSPs and hosting providers, using publicly available proof-of-concept (PoC) exploits.

In addition, Ctrl-Alt-Intel revealed that, prior to the cPanel attacks, the threat actor used a separate custom exploit chain against an Indonesian defense sector training portal, combining authenticated SQL injection with remote code execution. In this case, the attacker is said to have already been in possession of valid credentials for the portal in question.

"The script uses hard-coded credentials and defeats the portal's CAPTCHA by reading the expected CAPTCHA value out of the server-issued session cookie rather than solving the challenge normally," Ctrl-Alt-Intel said. "Once authenticated and passing the CAPTCHA, the actor moves to a document-management function. The vulnerable parameter is the field used to save a document name, and the script injects SQL into that field when posting to the document-save endpoint."

Further analysis has determined that the threat actor is using the AdaptixC2 command-and-control (C2) framework to remotely commandeer the compromised endpoint.
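The two portal flaws Ctrl-Alt-Intel describes, a CAPTCHA whose expected value is readable from a server-issued cookie and a document-save endpoint that concatenates the document name into SQL, are easy to recognise in code once seen side by side with their fixes. The following is an added example written for this page, not code from the article, Ctrl-Alt-Intel, or the portal in question. The cookie name `captcha`, the `documents` table, the function names and the injection payload are all assumptions made for illustration; no real endpoint or request format is modelled.

```python
"""Added example (not the original article's or Ctrl-Alt-Intel's code).

Models the two flaws the article attributes to the Indonesian training portal:
a CAPTCHA whose expected value is readable from a server-issued cookie, and a
document-save endpoint whose document-name field is concatenated into SQL.
The cookie name 'captcha', the 'documents' table and all function names are
assumptions made for illustration; no real endpoint is modelled.
"""
import hmac
import secrets
import sqlite3
from http.cookies import SimpleCookie

# ---------- CAPTCHA: weak design (expected answer shipped to the client) ----------

def issue_weak_captcha(answer: str) -> str:
    """Return the Set-Cookie value a weak server would send: the expected
    answer itself is placed in the cookie (hypothetical cookie name)."""
    cookie = SimpleCookie()
    cookie["captcha"] = answer
    return cookie.output(header="").strip()


def read_captcha_from_cookie(set_cookie_value: str) -> str:
    """What an attacker script does instead of solving the challenge:
    parse the cookie it was just handed and read the expected value back."""
    cookie = SimpleCookie()
    cookie.load(set_cookie_value)
    return cookie["captcha"].value

# ---------- CAPTCHA: hardened design (answer stays server-side) ----------

_CAPTCHA_STORE: dict[str, str] = {}  # opaque token -> expected answer


def issue_hardened_captcha(answer: str) -> str:
    """The client receives only an unguessable, single-use token."""
    token = secrets.token_urlsafe(16)
    _CAPTCHA_STORE[token] = answer
    return token


def verify_hardened_captcha(token: str, submitted: str) -> bool:
    """Pop the token so any replay (or a second guess) fails, then compare
    the answer in constant time."""
    expected = _CAPTCHA_STORE.pop(token, None)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())

# ---------- Document save: injectable vs parameterised ----------

def save_document_vulnerable(conn: sqlite3.Connection, doc_name: str) -> None:
    """Document name concatenated straight into the statement (the flaw)."""
    conn.execute(f"INSERT INTO documents(name) VALUES ('{doc_name}')")


def save_document_safe(conn: sqlite3.Connection, doc_name: str) -> None:
    """Same insert with a bound parameter; the payload is stored as a literal."""
    conn.execute("INSERT INTO documents(name) VALUES (?)", (doc_name,))


def names_after_save(save_fn, doc_name: str) -> list[str]:
    """Run one save against a fresh in-memory DB and return the stored names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents(id INTEGER PRIMARY KEY, name TEXT)")
    save_fn(conn, doc_name)
    return [row[0] for row in conn.execute("SELECT name FROM documents ORDER BY id")]


# Constructed payload: closes the string literal, ends the first VALUES row and
# smuggles a second row into the same INSERT. No stacked statement is needed,
# so sqlite3's one-statement-per-execute() rule does not get in the way.
INJECTION_PAYLOAD = "quarterly-report'), ('planted-by-attacker"

if __name__ == "__main__":
    hdr = issue_weak_captcha("7x3q")
    print("weak cookie:", hdr, "-> attacker reads:", read_captcha_from_cookie(hdr))
    tok = issue_hardened_captcha("7x3q")
    print("hardened, first use:", verify_hardened_captcha(tok, "7x3q"),
          "replay:", verify_hardened_captcha(tok, "7x3q"))
    print("vulnerable save:", names_after_save(save_document_vulnerable, INJECTION_PAYLOAD))
    print("safe save:", names_after_save(save_document_safe, INJECTION_PAYLOAD))
```

The point of the hardened CAPTCHA is that nothing the client can read or replay encodes the answer: the cookie or form field carries only a random token that the server maps to the answer and discards on first use. For the document save, binding the name as a parameter is the whole fix; the payload that produced two rows through string concatenation is stored verbatim as a single name.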
Also used are tools like OpenVPN and Ligolo to facilitate persistent access to internal victim networks. "The actor built a durable access layer using OpenVPN, Ligolo, systemd persistence, and then used that access to pivot into an internal network and exfiltrate a substantial corpus of Chinese railway-sector documents," Ctrl-Alt-Intel added.

It's currently not known who is behind the campaign, but the development comes as Censys said it uncovered evidence suggesting the cPanel vulnerability is being weaponized by multiple third parties within 24 hours of public disclosure, including to deploy Mirai botnet variants and a ransomware strain called Sorry.

Per data from the Shadowserver Foundation, at least 44,000 IP addresses likely compromised via CVE-2026-41940 are said to have engaged in scanning and brute-force attacks against its honeypots on April 30, 2026. As of May 3, the figure has dropped to 3,540.

The development comes as cPanel has made available a new version of the detection script to help further remove additional false positives. Users are recommended to apply the patches as soon as possible and take steps to clean up the environment if indicators of compromise (IoCs) are detected.