
Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks

A previously unknown threat actor has been observed targeting government and military entities in Southeast Asia, along with a smaller cluster of managed service providers (MSPs) and hosting providers in the Philippines, Laos, Canada, South Africa, and the U.S., by exploiting the recently disclosed vulnerability in cPanel.

The activity, detected by Ctrl-Alt-Intel on May 2, 2026, involves the abuse of CVE-2026-41940, a critical vulnerability in cPanel and WebHost Manager (WHM) that could result in an authentication bypass and allow remote attackers to gain elevated control of the control panel.

The attack attempts originated from the IP address "95.111.250[.]175," primarily singling out government and military domains associated with the Philippines (*.mil.ph and *.ph) and Laos (*.gov.la), as well as MSPs and hosting providers, using publicly available proof-of-concept (PoC) exploits.

In addition, Ctrl-Alt-Intel revealed that the threat actor used a separate custom exploit chain against an Indonesian defense sector training portal prior to the cPanel attacks, employing a combination of authenticated SQL injection and remote code execution. In this case, the attacker is said to have already been in possession of valid credentials for the portal in question.


"The script uses hard-coded credentials and defeats the portal's CAPTCHA by reading the expected CAPTCHA value out of the server-issued session cookie rather than solving the challenge normally," Ctrl-Alt-Intel said.

"Once authenticated and past the CAPTCHA, the actor moves to a document-management function. The vulnerable parameter is the field used to save a document name, and the script injects SQL into that field when posting to the document-save endpoint."
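The two weaknesses implied by that description, a CAPTCHA whose expected answer is handed to the client and a document-save handler that splices the document name into SQL, are shown below, each beside a hardened form. This is an added example, not code from the affected portal or from Ctrl-Alt-Intel's report; every name in it (`issue_captcha_*`, `save_document_*`, the `documents`/`users` tables, the cookie names) is hypothetical, and the SQLite in-memory database stands in for whatever backend the real portal used.

```python
"""Added example: CAPTCHA-in-cookie and SQL-injection flaws beside fixes.

Hypothetical names throughout; nothing here is the portal's own code.
"""
import hmac
import secrets
import sqlite3
from http.cookies import SimpleCookie

# ---- 1. CAPTCHA state: where does the expected answer live? ----------------

def issue_captcha_weak(answer: str) -> str:
    """Weak: the expected answer is written into the Set-Cookie value itself,
    so a client can read it back instead of solving the challenge."""
    c = SimpleCookie()
    c["captcha_expected"] = answer
    return c.output(header="").strip()          # e.g. "captcha_expected=7k3p"

def bypass_captcha_weak(set_cookie_value: str) -> str:
    """What the article's script does: parse the cookie, lift the answer out."""
    c = SimpleCookie()
    c.load(set_cookie_value)
    return c["captcha_expected"].value

# Server-side store: opaque session id -> expected answer (never sent to client).
_CAPTCHA_STORE: dict[str, str] = {}

def issue_captcha_hardened(answer: str) -> str:
    """Hardened: the client only receives a random, opaque session id."""
    sid = secrets.token_urlsafe(32)
    _CAPTCHA_STORE[sid] = answer
    c = SimpleCookie()
    c["sid"] = sid
    return c.output(header="").strip()

def verify_captcha_hardened(set_cookie_value: str, submitted: str) -> bool:
    """Single-use, constant-time check. The stored answer is consumed on the
    first attempt whether or not it succeeds, so it cannot be retried in place."""
    c = SimpleCookie()
    c.load(set_cookie_value)
    sid = c["sid"].value if "sid" in c else ""
    expected = _CAPTCHA_STORE.pop(sid, None)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())

# ---- 2. document-save endpoint: is the document name data or SQL? ---------

def fresh_db() -> sqlite3.Connection:
    """Constructed sample schema: one table the handler writes, one it never should."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)")
    db.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'not-a-real-hash')")
    return db

def table_exists(db: sqlite3.Connection, table: str) -> bool:
    row = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None

def save_document_weak(db: sqlite3.Connection, owner: str, name: str) -> list:
    """Weak: the name is spliced into the statement text. executescript() runs
    multiple statements, so a name carrying a quote and a semicolon appends
    attacker-chosen SQL after the INSERT."""
    db.executescript(
        f"INSERT INTO documents (owner, name) VALUES ('{owner}', '{name}');"
    )
    return db.execute("SELECT name FROM documents").fetchall()

def save_document_hardened(db: sqlite3.Connection, owner: str, name: str) -> list:
    """Hardened: bound parameters; the name is stored verbatim and never parsed as SQL."""
    db.execute("INSERT INTO documents (owner, name) VALUES (?, ?)", (owner, name))
    return db.execute("SELECT name FROM documents").fetchall()

# Constructed injection payload for the document-name field.
PAYLOAD = "x'); DROP TABLE users; --"

if __name__ == "__main__":
    hdr = issue_captcha_weak("7k3p")
    print("weak cookie leaks answer:", bypass_captcha_weak(hdr))
    hdr = issue_captcha_hardened("7k3p")
    print("hardened cookie carries answer:", "7k3p" in hdr)
    db = fresh_db()
    save_document_weak(db, "alice", PAYLOAD)
    print("users table after weak save:", table_exists(db, "users"))
    db = fresh_db()
    print("hardened save stores:", save_document_hardened(db, "alice", PAYLOAD))
    print("users table after hardened save:", table_exists(db, "users"))
```

The weak CAPTCHA variant is a design flaw rather than an implementation bug: any check whose secret reaches the client in readable form can be passed by reading it, so the fix is to move the secret behind an opaque identifier rather than to obfuscate the cookie. The weak save handler uses `executescript()` to make the stacked-statement outcome visible in SQLite; with a single-statement `execute()` the same concatenation still allows injection into the one statement, so the parameterised form is the fix in either case.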

Further analysis has determined that the threat actor is using the AdapdixC2 command-and-control (C2) framework to remotely commandeer the compromised endpoint. Tools such as OpenVPN and Ligolo are also used to maintain persistent access to internal victim networks.

"The actor built a robust access layer using OpenVPN, Ligolo, and systemd persistence, and then used that access to pivot into an internal network and exfiltrate a substantial corpus of Chinese railway-sector documents," Ctrl-Alt-Intel added.

It is currently not known who is behind the campaign, but the development comes as Censys said it uncovered evidence suggesting the cPanel vulnerability was being weaponized by multiple third parties within 24 hours of public disclosure, including to deploy Mirai botnet variants and a ransomware strain called Sorry.


Per data from the Shadowserver Foundation, at least 44,000 IP addresses likely compromised via CVE-2026-41940 are said to have engaged in scanning and brute-force attacks against its honeypots on April 30, 2026. As of May 3, the figure had dropped to 3,540.
