[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ffPJ7wPGO2W5qtuzKo-X8GclUOeZws4tRdXES68mev2Y":3},{"article":4,"iocs":54},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"a20a5c39-f423-4404-9fd4-35991335293e","Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks","critical-cpanel-vulnerability-weaponized-to-target-government-and-msp-networks-cf23c5","A previously unknown threat actor has been observed targeting government and military entities in Southeast Asia, alongside a smaller cluster of managed service providers (MSPs) and hosting providers in the Philippines, Laos, Canada, South Africa, and the U.S., by exploiting the recently disclosed vulnerability in cPanel. The activity, detected by Ctrl-Alt-Intel on May 2, 2026, involves the","A previously unknown threat actor has been actively exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel\u002FWHM, to target government and military entities in Southeast Asia (Philippines, Laos) as well as MSPs and hosting providers across multiple countries. The attacker used the AdaptixC2 C2 framework along with OpenVPN and Ligolo for persistence, and exfiltrated Chinese railway-sector documents. 
Multiple third-party threat actors, including operators of Mirai botnet variants and the Sorry ransomware strain, have also weaponized the vulnerability within 24 hours of public disclosure, with an estimated 44,000 compromised IP addresses detected.","Unknown threat actor exploits critical cPanel vulnerability to target Southeast Asian governments and MSPs.","Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks. Ravie Lakshmanan, May 04, 2026. Vulnerability \u002F Network Security. A previously unknown threat actor has been observed targeting government and military entities in Southeast Asia, alongside a smaller cluster of managed service providers (MSPs) and hosting providers in the Philippines, Laos, Canada, South Africa, and the U.S., by exploiting the recently disclosed vulnerability in cPanel. The activity, detected by Ctrl-Alt-Intel on May 2, 2026, involves the abuse of CVE-2026-41940, a critical vulnerability in cPanel and WebHost Manager (WHM) that could result in an authentication bypass and allow remote attackers to gain elevated control of the control panel. The attacks originated from the IP address \"95.111.250[.]175,\" primarily singling out government and military domains associated with the Philippines (*.mil.ph and *.ph) and Laos (*.gov.la), as well as MSPs and hosting providers, using publicly available proof-of-concept (PoC) exploits. In addition, Ctrl-Alt-Intel revealed that the threat actor used a separate custom exploit chain against an Indonesian defense-sector training portal prior to the cPanel attacks, combining authenticated SQL injection with remote code execution. In this case, the attacker is said to have already been in possession of valid credentials for the portal in question. \"The script uses hard-coded credentials and defeats the portal's CAPTCHA by reading the expected CAPTCHA value out of the server-issued session cookie rather than solving the challenge normally,\" Ctrl-Alt-Intel said. 
\"Once authenticated and passing the CAPTCHA, the actor moves to a document-management function. The vulnerable parameter is the field used to save a document name, and the script injects SQL into that field when posting to the document-save endpoint.\" Further analysis determined that the threat actor uses the AdaptixC2 command-and-control (C2) framework to remotely commandeer compromised endpoints, along with OpenVPN and Ligolo to maintain persistent access to internal victim networks. \"The actor built a durable access layer using OpenVPN, Ligolo, systemd persistence, and then used that access to pivot into an internal network and exfiltrate a substantial corpus of Chinese railway-sector documents,\" Ctrl-Alt-Intel added. It is currently not known who is behind the campaign. The development comes as Censys said it uncovered evidence that the cPanel vulnerability was being weaponized by multiple third parties within 24 hours of public disclosure, including to deploy Mirai botnet variants and a ransomware strain called Sorry. Per data from the Shadowserver Foundation, at least 44,000 IP addresses likely compromised via CVE-2026-41940 engaged in scanning and brute-force attacks against its honeypots on April 30, 2026; as of May 3, the figure had dropped to 3,540. cPanel has also released a new version of its detection script that removes additional false positives. Users are advised to apply the patches as soon as possible and to clean up the environment if indicators of compromise (IoCs) are detected.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Fcritical-cpanel-vulnerability.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEhlgjtQddA9U3D-xf2UWj5GKV2R5tEwjqWWY9fwRQi_fZgG5tf140uw2P4oVfmcvPZcMYuFDo1mvqYKkgKSmgfBxVloaWTrN7vgPiH1FX8ivdh8PFBN9LvfJF13a0ajbXDLEV20pr9d2rSoQo4KWbDYSpSOFJYoPYDHizXQ3tYNGVhhysD8h3FWWpOkHytN\u002Fs1600\u002Fccc.jpg","2026-05-04T09:27:00+00:00","2026-05-04T12:00:19.303663+00:00",9,[18,21,23,26,28,31],{"name":19,"type":20},"cPanel","product",{"name":22,"type":20},"WebHost Manager (WHM)",{"name":24,"type":25},"OpenVPN","technology",{"name":27,"type":25},"Ligolo",{"name":29,"type":30},"Ctrl-Alt-Intel","vendor",{"name":32,"type":30},"Censys","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":33,"icon":35,"name":36,"slug":37},null,"Vulnerabilities","vulnerabilities",[39,44,49],{"category":40},{"id":41,"icon":35,"name":42,"slug":43},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":45},{"id":46,"icon":35,"name":47,"slug":48},"574f766a-fb3f-487c-8d2c-0720ae75471b","Zero-day","zero-day",{"category":50},{"id":51,"icon":35,"name":52,"slug":53},"6cbdd207-aaa1-4176-9534-e156b125e917","Nation-state","nation-state",[55,59,63,67,70],{"type":56,"value":57,"context":58},"ip","95.111.250.175","Threat actor C2\u002Fattack origin IP targeting government and MSP 
networks",{"type":60,"value":61,"context":62},"cve","CVE-2026-41940","Critical cPanel\u002FWHM authentication bypass vulnerability actively exploited",{"type":64,"value":65,"context":66},"malware","AdaptixC2","C2 framework used by primary threat actor for command and control",{"type":64,"value":68,"context":69},"Mirai","Botnet variant deployed by third-party actors exploiting CVE-2026-41940",{"type":64,"value":71,"context":72},"Sorry","Ransomware strain weaponizing CVE-2026-41940"]
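The article's description of the custom exploit chain against the training portal names two design weaknesses: the expected CAPTCHA value is recoverable from the server-issued session cookie, and the document-name field of the document-save endpoint is concatenated into SQL. The following is an added example, not code from the article, Ctrl-Alt-Intel, or the portal: a hypothetical, stdlib-only reconstruction of each weak pattern beside a hardened equivalent. Every function name, the cookie layout, the table schema, the credential hash and the injection payload are constructed for illustration and are not claims about the real portal.

```python
"""Added example: toy model of the two weaknesses the article attributes to the
defence-sector portal, beside hardened equivalents.  Hypothetical reconstruction
of the pattern, not the portal's code; all names and sample data are constructed."""
import base64
import hmac
import secrets
import sqlite3

# ---------------------------------------------------------------- CAPTCHA --
# Vulnerable pattern: the expected answer travels inside the session cookie,
# merely base64-encoded, so a client can read it instead of solving the challenge.
def vuln_issue_captcha_cookie(answer: str) -> str:
    return base64.b64encode(f"captcha={answer}".encode()).decode()

def vuln_check_captcha(cookie: str, submitted: str) -> bool:
    expected = base64.b64decode(cookie).decode().split("=", 1)[1]
    return submitted == expected

def attacker_read_answer(cookie: str) -> str:
    """What the actor's script does: recover the answer from the cookie itself."""
    return base64.b64decode(cookie).decode().split("=", 1)[1]

# Hardened pattern: the cookie carries only an opaque, single-use token; the
# answer stays in server-side state keyed by that token and never reaches the client.
def safe_issue_captcha(store: dict, answer: str) -> str:
    token = secrets.token_urlsafe(16)
    store[token] = answer
    return token

def safe_check_captcha(store: dict, token: str, submitted: str) -> bool:
    expected = store.pop(token, None)          # pop: one attempt per challenge
    return expected is not None and hmac.compare_digest(expected, submitted)

# ----------------------------------------------------------- document save --
FAKE_HASH = "sha256$constructed-fake-hash"    # constructed sample credential

def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE users(username TEXT, password_hash TEXT);"
        "CREATE TABLE documents(id INTEGER PRIMARY KEY, name TEXT, owner TEXT);"
    )
    db.execute("INSERT INTO users VALUES (?, ?)", ("admin", FAKE_HASH))
    db.commit()
    return db

def vuln_save_document(db: sqlite3.Connection, name: str, owner: str) -> None:
    """Document name concatenated into the INSERT: the injection point."""
    db.execute(f"INSERT INTO documents(name, owner) VALUES ('{name}', '{owner}')")
    db.commit()

def safe_save_document(db: sqlite3.Connection, name: str, owner: str) -> None:
    """Same operation with bound parameters; the name is data, never SQL."""
    db.execute("INSERT INTO documents(name, owner) VALUES (?, ?)", (name, owner))
    db.commit()

def list_documents(db: sqlite3.Connection) -> list:
    return db.execute("SELECT id, name, owner FROM documents ORDER BY id").fetchall()

# Constructed payload that turns the "owner" column into an exfiltration channel:
# the subquery result is stored in the new row and read back through the normal
# document listing.  The trailing "--" comments out the rest of the statement, so
# no stacked query is needed (sqlite3.execute refuses multiple statements anyway).
PAYLOAD = "x', (SELECT password_hash FROM users WHERE username='admin')) -- "

def demo() -> dict:
    cookie = vuln_issue_captcha_cookie("7K3Q")
    bypassed = vuln_check_captcha(cookie, attacker_read_answer(cookie))

    vdb = make_db()
    vuln_save_document(vdb, PAYLOAD, "alice")
    leaked_owner = list_documents(vdb)[0][2]   # admin's hash lands in "owner"

    sdb = make_db()
    safe_save_document(sdb, PAYLOAD, "alice")
    safe_row = list_documents(sdb)[0]          # payload stored as a literal name

    store = {}
    token = safe_issue_captcha(store, "7K3Q")
    return {
        "captcha_bypassed": bypassed,
        "leaked_owner": leaked_owner,
        "safe_name": safe_row[1],
        "safe_owner": safe_row[2],
        "safe_first_try": safe_check_captcha(store, token, "7K3Q"),
        "safe_replay": safe_check_captcha(store, token, "7K3Q"),
    }

if __name__ == "__main__":
    print(demo())
```

Run it directly to see the vulnerable path succeed (CAPTCHA passed without solving, admin's hash in the owner column) and the hardened path fail for the attacker (payload stored as an inert string, opaque token that cannot be decoded and is rejected on replay). The hardened CAPTCHA still needs rate limiting and expiry on the server-side store; the example omits those for brevity.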