{"id":791,"date":"2026-05-04T10:42:48","date_gmt":"2026-05-04T10:42:48","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=791"},"modified":"2026-05-04T10:42:48","modified_gmt":"2026-05-04T10:42:48","slug":"critical-cpanel-vulnerability-weaponized-to-target-government-and-msp-networks","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=791","title":{"rendered":"Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span> <span class=\"author\">May 04, 2026<\/span><\/span><span class=\"p-tags\">Vulnerability \/ Network Security<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>A previously unknown threat actor has been observed targeting government and military entities in Southeast Asia, alongside a smaller cluster of managed service providers (MSPs) and hosting providers in the Philippines, Laos, Canada, South Africa, and the U.S., by exploiting the recently disclosed vulnerability in cPanel.<\/p>\n<p>The activity, <a href=\"https:\/\/ctrlaltintel.com\/research\/SEA-CPanel\/\">detected<\/a> by Ctrl-Alt-Intel on May 2, 2026, involves the abuse of CVE-2026-41940, a critical vulnerability in cPanel and WebHost Manager (WHM) that can be exploited by remote attackers to bypass authentication and gain elevated access to the control panel.<\/p>\n<p>The attack efforts have originated from the IP address 
\u00ab95.111.250[.]175,\u00bb primarily singling out government and military domains associated with the Philippines (*.mil.ph and *.ph) and Laos (*.gov.la), as well as MSPs and hosting providers, using <a href=\"https:\/\/github.com\/watchtowrlabs\/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py\">publicly available<\/a> <a href=\"https:\/\/github.com\/debugactiveprocess\/cPanel-WHM-AuthBypass-Session-Checker\">proof-of-concept exploits<\/a> (PoCs).<\/p>\n<p>In addition, Ctrl-Alt-Intel revealed that the threat actor used a separate custom exploit chain against an Indonesian defense-sector training portal prior to the cPanel attacks, combining authenticated SQL injection with remote code execution. In this case, the attacker is said to have already been in possession of valid credentials for the portal in question.<\/p>\n<p>\u00abThe script uses hard-coded credentials and defeats the portal&#8217;s CAPTCHA by reading the expected CAPTCHA value out of the server-issued session cookie rather than solving the challenge normally,\u00bb Ctrl-Alt-Intel said.<\/p>\n<p>\u00abOnce authenticated and passing the CAPTCHA, the actor moves to a document-management function. 
The vulnerable parameter is the field used to save a document name, and the script injects SQL into that field when posting to the document-save endpoint.\u00bb<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjMQV5OQRjyI-9W7wFgjf7xGFoAQNRlhty4_P3f5_XZdfIJ2K859i-9pg1dssteQdF51hS5VojHMwbEaFwDFq6aC08AC1z97vLSbo7JNlmDBEqi2reruHVgKETyBy3_KRDYmdSFwG_im56qhkMh4HcDjdfhSNPWeXRqXy_mxFObzU-_ner-T92RSDQpdBLk\/s1700-e365\/Exfiltration.png\" style=\"display: block;  text-align: center; clear: left; float: left;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjMQV5OQRjyI-9W7wFgjf7xGFoAQNRlhty4_P3f5_XZdfIJ2K859i-9pg1dssteQdF51hS5VojHMwbEaFwDFq6aC08AC1z97vLSbo7JNlmDBEqi2reruHVgKETyBy3_KRDYmdSFwG_im56qhkMh4HcDjdfhSNPWeXRqXy_mxFObzU-_ner-T92RSDQpdBLk\/s1700-e365\/Exfiltration.png\" alt=\"\" border=\"0\" data-original-height=\"616\" data-original-width=\"881\"\/><\/a><\/div>\n<p>Further analysis has determined that the threat actor is using the AdapdixC2 command-and-control (C2) framework to remotely commandeer the compromised endpoint. 
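The portal attack chain quoted above (hard-coded credentials, a CAPTCHA defeated by reading its expected value out of the cookie, then SQL injected through the document-name field of the save endpoint), modelled as an added example. This is not code from the original article, from Ctrl-Alt-Intel, or from the portal in question: the cookie name captcha_answer, the users/documents SQLite schema, the mallory and admin accounts, and the INSERT-based exfiltration payload are all illustrative assumptions, since the write-up names none of the portal's real fields or tables. Each weak pattern is shown next to a hardened one.

```python
# Added illustration, not Ctrl-Alt-Intel's script and not the portal's code:
# a minimal model of the two weaknesses described above, each beside a
# hardened variant. Cookie names, table layout and the payload are assumptions.
import hmac
import secrets
import sqlite3
from http.cookies import SimpleCookie

Q = chr(39)  # single-quote character, kept out of literals so the payload reads cleanly

# ---- 1. CAPTCHA whose expected answer is readable from the client's cookie ----

def issue_captcha_weak(answer):
    # Vulnerable pattern: the expected answer is written into a cookie the
    # client can read, so the challenge image never has to be solved.
    return {'captcha_answer': answer, 'PHPSESSID': secrets.token_hex(8)}

_CAPTCHA_STORE = {}  # hardened pattern: server-side map, opaque id -> answer, single use

def issue_captcha_hardened(answer):
    cid = secrets.token_urlsafe(16)
    _CAPTCHA_STORE[cid] = answer
    return {'captcha_id': cid}  # the client only ever sees an opaque reference

def verify_captcha_hardened(cookie, submitted):
    expected = _CAPTCHA_STORE.pop(cookie.get('captcha_id', ''), None)
    return expected is not None and hmac.compare_digest(expected, submitted)

def cookie_header(cookie):
    # Serialise a cookie dict the way a browser sends it back in a Cookie header.
    return '; '.join(f'{k}={v}' for k, v in cookie.items())

def answer_from_cookie(header):
    # Attacker-side step from the write-up: parse the cookie and read the
    # expected value instead of solving the challenge.
    jar = SimpleCookie()
    jar.load(header)
    return jar['captcha_answer'].value if 'captcha_answer' in jar else None

def demo_captcha():
    answer = '7Q3KZ'  # constructed challenge value
    leaked = answer_from_cookie(cookie_header(issue_captcha_weak(answer)))
    hardened = issue_captcha_hardened(answer)
    hidden = answer_from_cookie(cookie_header(hardened))
    first = verify_captcha_hardened(hardened, answer)
    replay = verify_captcha_hardened(hardened, answer)  # second use must fail
    return leaked, hidden, first, replay  # ('7Q3KZ', None, True, False)

# ---- 2. SQL injection through the document-name field of the save endpoint ----

def fresh_db():
    # Constructed stand-in for the portal database (schema is an assumption).
    db = sqlite3.connect(':memory:')
    db.executescript('''
        CREATE TABLE users (username TEXT, password_hash TEXT);
        INSERT INTO users VALUES ('admin', 'a1b2c3-not-a-real-hash');
        CREATE TABLE documents (id INTEGER PRIMARY KEY, owner TEXT, name TEXT);
    ''')
    return db

def save_document_vulnerable(db, owner, name):
    # Vulnerable pattern: the user-controlled name is spliced into the statement.
    db.execute(f'''INSERT INTO documents (owner, name) VALUES ('{owner}', '{name}')''')

def save_document_hardened(db, owner, name):
    # Hardened: bound parameters, so the name is data and never SQL.
    db.execute('INSERT INTO documents (owner, name) VALUES (?, ?)', (owner, name))

def list_documents(db, owner):
    rows = db.execute('SELECT name FROM documents WHERE owner = ?', (owner,))
    return [row[0] for row in rows]

# Constructed payload: closes the name literal, concatenates a subselect with
# SQLite's || operator and re-opens a literal so the INSERT still parses.
# The leaked value comes back to the attacker as one of their document names.
INJECTED_NAME = f'x{Q}||(SELECT password_hash FROM users WHERE username={Q}admin{Q})||{Q}'

def demo_sqli():
    db = fresh_db()
    save_document_vulnerable(db, 'mallory', INJECTED_NAME)
    leaked = list_documents(db, 'mallory')  # ['xa1b2c3-not-a-real-hash']
    db = fresh_db()
    save_document_hardened(db, 'mallory', INJECTED_NAME)
    stored = list_documents(db, 'mallory')  # payload stored verbatim, not executed
    return leaked, stored

if __name__ == '__main__':
    print(demo_captcha())
    print(demo_sqli())
```

Running the file prints both demos. The hardened CAPTCHA keeps the expected value in server-side state and consumes it on first use, so the cookie carries nothing worth reading and a captured cookie cannot be replayed; the bound-parameter INSERT stores the payload as an ordinary string. Note that the vulnerable INSERT leaks another table through a subselect inside a single statement, so this bug class exfiltrates data even where the database driver refuses stacked queries.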
The actor also used OpenVPN and Ligolo to maintain persistent access to internal victim networks.<\/p>\n<p>\u00abThe actor built a durable access layer using OpenVPN, Ligolo, systemd persistence, and then used that access to pivot into an internal network and exfiltrate a substantial corpus of Chinese railway-sector documents,\u00bb Ctrl-Alt-Intel added.<\/p>\n<p>It&#8217;s currently not known who is behind the campaign, but the development comes as Censys said it <a href=\"https:\/\/censys.com\/blog\/the-cpanel-situation-is\/\">uncovered<\/a> evidence suggesting the cPanel vulnerability was being weaponized by multiple third parties within 24 hours of public disclosure, including to deploy Mirai botnet variants and a ransomware strain called Sorry.<\/p>\n<p>Per data from the Shadowserver Foundation, at least 44,000 IP addresses likely compromised via CVE-2026-41940 are said to have <a href=\"https:\/\/x.com\/Shadowserver\/status\/2050208472386396568\">engaged<\/a> in scanning and brute-force attacks against its honeypots on April 30, 2026. 
As of May 3, the figure has <a href=\"https:\/\/dashboard.shadowserver.org\/statistics\/honeypot\/device\/time-series\/?date_range=7&amp;vendor=cpanel&amp;dataset=unique_ips&amp;limit=100&amp;group_by=vendor&amp;stacking=stacked&amp;auto_update=on\">dropped<\/a> to 3,540.\u00a0<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802May 04, 2026Vulnerability \/ Network Security A previously unknown threat actor has been observed targeting government and military entities in Southeast Asia, alongside a smaller cluster of managed service&hellip;<\/p>\n","protected":false},"author":1,"featured_media":792,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[1465,58,385,486,280,492,68,1509],"class_list":["post-791","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-cpanel","tag-critical","tag-government","tag-msp","tag-networks","tag-target","tag-vulnerability","tag-weaponized"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/791","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=791"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/791\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/792"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent
=791"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=791"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=791"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}