Summary Points
- A threat actor targeting government, military, MSPs, and hosting providers in Southeast Asia and other regions is exploiting CVE-2026-41940 in cPanel, an authentication bypass that allows remote takeover of affected control panels.
- Attackers have used multiple techniques, including a customized exploit chain against an Indonesian defense portal and publicly available PoCs for cPanel, to gain unauthorized access.
- The threat actor uses tools such as AdaptixC2, OpenVPN, and Ligolo, together with persistence techniques, to maintain access and exfiltrate sensitive data, including Chinese railway documents.
- Evidence suggests rapid weaponization of the vulnerability post-disclosure, with reports of mass scanning, brute-force attacks, and deployment of malware such as Mirai and ransomware variants.
Hackers Exploit Critical cPanel Flaw to Target Key Networks
Recently, a serious security flaw in cPanel and WebHost Manager (WHM) was exploited by cybercriminals. The vulnerability, identified as CVE-2026-41940, allows attackers to bypass authentication and take remote control of affected control panels. The threat actor's focus has been on government agencies, military sites, managed service providers, and hosting companies across several countries. The activity was first noticed on May 2, 2026, by a cybersecurity watchdog, and it highlights how quickly cybercriminals adopt new weaknesses to target important infrastructure. The attacks originate from the IP address 95.111.250[.]175 and mainly target domains in the Philippines and Laos, along with some providers in Canada, South Africa, and the U.S. Evidence suggests that the attackers rely on publicly available tools. This rapid exploitation underscores the urgency for organizations to patch affected systems immediately.
Advanced Tactics Used to Maintain Control and Steal Data
Moreover, the same threat actor employed a separate, more complex attack chain against an Indonesian defense training portal, combining SQL injection and remote code execution with stolen credentials. The attacker bypassed firewall and CAPTCHA protections by reading session cookies rather than solving the challenges as intended. Once inside, they abused the portal's document management features to inject malicious SQL. Investigations reveal that the hackers set up covert command-and-control using tools such as AdaptixC2, OpenVPN, and Ligolo to remain inside victim networks for extended periods. They used these tools to move laterally and quietly exfiltrate sensitive documents, including files related to Chinese railway projects. Current evidence shows that at least some of this activity stems from multiple third-party groups that began weaponizing the cPanel flaw rapidly after its public disclosure. As the situation evolves, experts advise affected organizations to update their systems without delay and monitor for signs of compromise.