
A previously unknown attacker was observed exploiting a recently disclosed cPanel vulnerability to target small clusters of managed service providers (MSPs) and hosting providers in the Philippines, Laos, Canada, South Africa, and the United States, as well as government and military organizations in Southeast Asia.
This activity, detected by Ctrl-Alt-Intel on May 2, 2026, involves exploitation of CVE-2026-41940, a critical vulnerability in cPanel and WebHost Manager (WHM) that can lead to authentication bypass, allowing a remote attacker to gain elevated control of the control panel.
The attack, launched from the IP address 95.111.250[.]175, uses a publicly available proof of concept (PoC) to identify government and military domains, as well as MSPs and hosting providers, primarily related to the Philippines (*.mil.ph and *.ph) and Laos (*.gov.la).
Additionally, Ctrl-Alt-Intel revealed that prior to the cPanel attack, the attackers used another custom exploit chain against an Indonesian defense sector training portal using a combination of authenticated SQL injection and remote code execution. In this case, the attacker is said to already have valid credentials for the portal in question.
Ctrl-Alt-Intel said, “The script uses hard-coded credentials and disables the portal’s CAPTCHA by reading the expected CAPTCHA value from the server-issued session cookie, rather than resolving the challenge as usual.”
“Once authenticated and passing the CAPTCHA, the attacker moves to the document management functionality. The vulnerable parameter is the field used to store the document name, and the script injects SQL into that field when posting to the document storage endpoint.”
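The two weaknesses the quoted analysis describes, as an added example that is not part of the original report or the portal's code: a cookie that exposes the expected CAPTCHA value, shown beside a server-side, single-use design, and a document-name insert that binds the value as a query parameter. The cookie layout, function names and the in-memory SQLite table are assumptions.

```python
import base64
import hmac
import json
import secrets
import sqlite3
import string

# Constructed example, not the portal's code: a CAPTCHA issued the weak way the
# report describes (expected value inside the client-readable cookie) next to a
# hardened way (opaque session id, answer kept server-side, single use).
ALPHABET = string.ascii_uppercase + string.digits
SESSIONS: dict[str, str] = {}  # server-side store: session id -> expected answer

def new_challenge() -> str:
    return "".join(secrets.choice(ALPHABET) for _ in range(6))

def issue_captcha_weak() -> tuple[str, str]:
    """Weak: the cookie itself carries the expected answer (assumed JSON layout)."""
    answer = new_challenge()
    payload = json.dumps({"captcha_expected": answer}).encode()
    return base64.urlsafe_b64encode(payload).decode(), answer

def leaked_captcha_value(cookie: str):
    """Defender check: return the expected CAPTCHA value if the cookie exposes it,
    else None (an opaque cookie passes)."""
    try:
        data = json.loads(base64.urlsafe_b64decode(cookie.encode()))
    except (ValueError, TypeError):
        return None
    return data.get("captcha_expected") if isinstance(data, dict) else None

def issue_captcha_hardened() -> tuple[str, str]:
    """Hardened: the cookie is only an opaque id; the answer never leaves the server.
    The answer is returned here solely so a caller can render the image."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = new_challenge()
    return sid, SESSIONS[sid]

def verify_captcha_hardened(sid: str, submitted: str) -> bool:
    expected = SESSIONS.pop(sid, None)  # single use: consumed even on a wrong guess
    return expected is not None and hmac.compare_digest(expected.encode(), submitted.encode())

def store_documents(names: list) -> list:
    """Bind each document name as a parameter so SQL metacharacters are stored
    literally; returns what the table holds afterwards (in-memory db for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (name TEXT)")
    conn.executemany("INSERT INTO documents (name) VALUES (?)", ((n,) for n in names))
    return [row[0] for row in conn.execute("SELECT name FROM documents")]
```

Running `leaked_captcha_value` over the session cookies your own portal issues is a cheap regression check that the expected answer is not being shipped to the client.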

Further analysis revealed that the attackers were using the AdapdixC2 command and control (C2) framework to remotely take over compromised endpoints. Tools such as OpenVPN and Ligolo are also used to facilitate persistent access to the victim’s internal network.
“The attackers used OpenVPN, Ligolo, and systemd Persistence to build a durable access layer and used that access to infiltrate internal networks and exfiltrate a substantial corpus of documents from China’s railway sector,” Ctrl-Alt-Intel added.
While it is currently unclear who is behind this campaign, the development comes after Censys announced that it had found evidence suggesting the cPanel vulnerability was being weaponized by multiple third parties within 24 hours of its disclosure, including a variant of the Mirai botnet and the introduction of a ransomware strain called Sorry.
At least 44,000 IP addresses potentially compromised via CVE-2026-41940 are said to have conducted scans and brute-force attacks against honeypots on April 30, 2026, according to data from the Shadowserver Foundation. As of May 3, that number had dropped to 3,540.
