Hackers target governments and MSPs via critical cPanel flaw CVE-2026-41940

Attackers exploit a critical cPanel flaw to target government and MSP networks across Southeast Asia and several countries, including the U.S. and Canada.
A threat actor is exploiting critical cPanel vulnerability CVE-2026-41940 to target government and military organizations in Southeast Asia, along with MSPs and hosting providers in countries like the Philippines, Laos, Canada, South Africa, and the U.S. The attacks highlight the rapid weaponization of newly disclosed flaws.
cPanel is a widely used web hosting control panel that lets users manage websites and servers through a graphical interface instead of command-line tools.
CVE-2026-41940 is an authentication bypass flaw affecting cPanel and WHM versions after 11.40. A weakness in the login flow allows remote attackers to skip or manipulate authentication checks, granting access to the control panel without valid credentials. This could let attackers manage hosting settings, access sensitive data, or take control of the server.
Cybersecurity experts at watchTowr first disclosed the flaw last week and released a tool to help defenders identify vulnerable hosts in their estates.
“As we stated above, in-the-wild exploitation has already begun, according to KnownHost,” reads the advisory by watchTowr. “Therefore, we’re releasing our Detection Artifact Generator to enable defenders to identify vulnerable hosts in their estates.”
According to the Shadowserver Foundation, thousands of instances may be exposed.
On May 2, 2026, researchers at Ctrl-Alt-Intel detected attacks exploiting CVE-2026-41940. The activity, linked to the IP address 95.111.250[.]175, targeted government and military domains in the Philippines and Laos, along with MSPs and hosting providers, using public PoCs (watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py, check_session.py).
“On 2nd May 2026, Ctrl-Alt-Intel identified an exposed attacker staging server that provided direct visibility into one such operation,” reads the report published by Ctrl-Alt-Intel. “From this infrastructure, we observed an unknown threat actor interactively targeting government and military entities in South-East Asia, alongside a smaller set of MSPs and hosting providers in the Philippines, Laos, Canada, South Africa, and the United States.”
The same actor also used a custom exploit chain against an Indonesian defense training portal, combining SQL injection and remote code execution, after obtaining valid credentials.
Leaked data links the threat actor to a custom exploit chain targeting an Indonesian defense training portal and to earlier theft of Chinese railway-sector data. The stolen information centers on the China Railway Society Electrification Committee and related groups, mapping technical, organizational, and personal details tied to rail infrastructure and CCP-aligned scientific networks.
Researchers pointed out that cPanel exploitation was only part of the attacker’s activity. The same actor developed a custom exploit chain against an Indonesian defense training portal, using valid credentials and bypassing CAPTCHA by reading values from session cookies.
They injected SQL into a document field, escalating it to remote code execution via PostgreSQL. The attack enabled command execution and file access, with results exfiltrated through the app. An AdaptixC2 malware payload was also identified, indicating active command-and-control operations.
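To make the CAPTCHA weakness described above concrete, here is an added illustration (not code from the report, from cPanel, or from the affected portal) contrasting a design that places the expected answer inside a client-readable cookie with one that keeps the answer server-side behind an opaque, single-use id; the function names and the base64/JSON cookie layout are assumptions made for this example.

```python
import base64
import hmac
import json
import secrets

# Constructed, simplified models of two CAPTCHA designs, written for this
# article as an illustration; not code from any product or report.


# --- Weak pattern: the expected answer travels inside the client cookie. ---
def issue_captcha_weak(answer: str) -> str:
    """Return the cookie a weak design would set: base64 JSON that includes the answer."""
    payload = json.dumps({"captcha": answer}).encode()
    return base64.b64encode(payload).decode()


def cookie_reveals_answer(cookie: str, answer: str) -> bool:
    """Anyone holding the cookie can decode it and read the expected answer."""
    data = json.loads(base64.b64decode(cookie))
    return data.get("captcha") == answer


# --- Hardened pattern: the cookie carries only an opaque id; the answer stays server-side. ---
_pending: dict[str, str] = {}  # session id -> expected answer (stand-in for a server store)


def issue_captcha_strong(answer: str) -> str:
    """Keep the answer server-side; hand the client only an unguessable id."""
    sid = secrets.token_urlsafe(32)
    _pending[sid] = answer
    return sid


def verify_captcha_strong(sid: str, submitted: str) -> bool:
    """Single-use, constant-time check. Any attempt consumes the challenge,
    so a wrong guess or a replay forces a fresh CAPTCHA."""
    expected = _pending.pop(sid, None)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())
```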
Analysis of exposed payloads shows the attacker used AdaptixC2 for command and control, along with a PowerShell reverse shell. They built a persistent pivoting infrastructure using OpenVPN and Ligolo, creating tunnels and routes to access internal networks. Custom Linux services ensured long-term access.
The actor moved laterally into a Chinese network, interacting with internal systems and using scripts to exfiltrate data. Around 110 files (4.37GB) were stolen, including technical documents on railway electrification and sensitive personal data such as IDs, bank details, and phone numbers.
Overall, the operation combined C2 control, stealthy persistence, network pivoting, and targeted data theft.
Ctrl-Alt-Intel has not attributed the campaign to any specific actor or country. Although Vietnamese comments appeared in scripts and tools, they are not reliable evidence and may have been intentionally added to mislead analysts and obscure attribution.
“Although we do not make a firm attribution, the combination of victimology, post-compromise pivoting, and the nature of the exfiltrated data makes this activity more significant than routine opportunistic exploitation,” concludes the report. “The targeting of South-East Asian military and government infrastructure, combined with confirmed theft of Chinese transport-sector material, is consistent with a broad regional collection effort.”