Unknown actor exploits cPanel flaw targeting SE Asian militaries

An unknown actor used CVE-2026-41940 to breach cPanel/WHM, targeting Philippine and Lao military domains and MSPs in the Philippines, Laos, Canada, South Africa and the U.S.
Researchers at Ctrl-Alt-Intel detected, on May 2, 2026, an unknown actor exploiting CVE-2026-41940, a critical authentication-bypass flaw in cPanel and WebHost Manager, to access hosting control panels. The activity was traced to IP address 95.111.250[.]175 and focused on Philippine and Lao military and government domains as well as several managed service providers and hosting companies in the Philippines, Laos, Canada, South Africa and the United States.
The attacker used publicly available proof-of-concept exploits for CVE-2026-41940 to gain elevated control of affected control panels. Targets included domains under *.mil.ph and other .ph addresses in the Philippines and *.gov.la sites in Laos, alongside MSP and hosting provider accounts.
Before the cPanel intrusions, the same actor compromised an Indonesian defense-sector training portal with a separate exploit chain that combined an authenticated SQL injection and remote code execution. The intruder already had valid credentials for the portal and ran a script with hard-coded logins that bypassed the portal’s CAPTCHA by reading the expected CAPTCHA value from the server-issued session cookie. After authenticating, the actor injected SQL into a document-save field to execute code on the server.
Ctrl-Alt-Intel noted: “The script uses hard-coded credentials and defeats the portal’s CAPTCHA by reading the expected CAPTCHA value out of the server-issued session cookie rather than solving the challenge normally. Once authenticated and passing the CAPTCHA, the actor moves to a document-management function. The vulnerable parameter is the field used to save a document name, and the script injects SQL into that field when posting to the document-save endpoint.”
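The design weakness described above, as an added illustration that is not code from the article or from the affected portal: a CAPTCHA scheme that stores the expected answer in the client-visible cookie, next to a hardened version that keeps the answer server-side behind an opaque, single-use session id. All function and variable names are constructed for this example.

```python
import hmac
import secrets
from typing import Dict, Optional

# Insecure pattern (the flaw the article describes): the expected CAPTCHA
# answer is written into the cookie handed to the client, so a client can
# read it back and submit it without ever solving the challenge.
def issue_captcha_insecure(answer: str) -> Dict[str, str]:
    return {"captcha_expected": answer}

def verify_captcha_insecure(cookie: Dict[str, str], submitted: str) -> bool:
    return cookie.get("captcha_expected") == submitted

# Hardened pattern: the cookie carries only a random opaque id; the expected
# answer lives in server-side storage the client never sees.
SERVER_SESSIONS: Dict[str, str] = {}  # constructed in-memory session store

def issue_captcha_secure(answer: str) -> Dict[str, str]:
    session_id = secrets.token_urlsafe(32)
    SERVER_SESSIONS[session_id] = answer
    return {"sid": session_id}

def verify_captcha_secure(cookie: Dict[str, str], submitted: str) -> bool:
    sid = cookie.get("sid", "")
    # Single use: the stored answer is consumed whether or not the check
    # passes, so a wrong guess cannot be retried against the same challenge.
    expected = SERVER_SESSIONS.pop(sid, None)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())

def value_visible_to_client(cookie: Dict[str, str]) -> Optional[str]:
    """What a client can learn from the cookie alone. In the insecure design
    this is the answer itself; in the hardened design there is nothing useful."""
    return cookie.get("captcha_expected")
```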
After gaining access, the actor deployed the AdapdixC2 command-and-control framework and used OpenVPN and Ligolo to maintain persistent connections and move into internal networks. The attacker established systemd-based persistence and used the access to extract a substantial set of documents related to the Chinese railway sector.
Ctrl-Alt-Intel added: “The actor built a durable access layer using OpenVPN, Ligolo, systemd persistence, and then used that access to pivot into an internal network and exfiltrate a substantial corpus of Chinese railway-sector documents.”
Security telemetry showed rapid weaponization of the cPanel flaw. One researcher found evidence that multiple parties began exploiting CVE-2026-41940 within 24 hours of its public disclosure, including deployments of Mirai botnet variants and a ransomware strain called Sorry. Shadowserver Foundation telemetry recorded about 44,000 IP addresses, likely compromised via the vulnerability, scanning and attempting brute-force attacks against its honeypots on April 30, 2026; that number fell to roughly 3,540 by May 3.
Administrators are advised to apply vendor patches for cPanel and WHM, review access logs for activity from suspicious addresses such as 95.111.250[.]175, and inspect systems for persistence indicators including modified systemd services, OpenVPN or Ligolo tunnels, and unusual outbound connections to unknown command-and-control hosts.