Normal view

Before yesterday, main stream
  • ✇Security Affairs
  • Hackers target governments and MSPs via critical cPanel flaw CVE-2026-41940 Pierluigi Paganini

Hackers target governments and MSPs via critical cPanel flaw CVE-2026-41940

4 May 2026, 16:10

Attackers exploit a critical cPanel flaw to target government and MSP networks across Southeast Asia and several countries, including the U.S. and Canada.

A threat actor is exploiting critical cPanel vulnerability CVE-2026-41940 to target government and military organizations in Southeast Asia, along with MSPs and hosting providers in countries like the Philippines, Laos, Canada, South Africa, and the U.S. The attacks highlight the rapid weaponization of newly disclosed flaws.

cPanel is a widely used web hosting control panel that lets users manage websites and servers through a graphical interface instead of command-line tools.

CVE-2026-41940 is an authentication bypass affecting every supported cPanel & WHM release after 11.40, including DNSOnly and WP Squared. A weakness in the login flow lets a remote, unauthenticated attacker skip or manipulate authentication checks and obtain a control panel session without valid credentials. From there an attacker can manage hosting settings, read sensitive data, or take control of the server and every site it hosts.

Researchers at watchTowr published an analysis of the flaw last week and released a tool, their "Detection Artifact Generator", to help defenders identify vulnerable hosts in their estates.

“As we stated above, in-the-wild exploitation has already begun, according to KnownHost.” reads the advisory by watchTowr. “Therefore, we’re releasing our Detection Artifact Generator to enable defenders to identify vulnerable hosts in their estates.”

According to the Shadowserver Foundation, thousands of instances may be exposed.

On May 2, 2026, researchers at Ctrl-Alt-Intel detected attacks exploiting CVE-2026-41940. The activity, linked to the IP address 95.111.250[.]175, targeted government and military domains in the Philippines and Laos, along with MSPs and hosting providers, using public PoCs (watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py, check_session.py).

“On 2nd May 2026, Ctrl-Alt-Intel identified an exposed attacker staging server that provided direct visibility into one such operation.” reads the report published by Ctrl-Alt-Intel. “From this infrastructure, we observed an unknown threat actor interactively targeting government and military entities in South-East Asia, alongside a smaller set of MSPs and hosting providers in the Philippines, Laos, Canada, South Africa, and the United States.”

Researchers pointed out that cPanel exploitation was only part of the attacker's activity. The same actor built a custom exploit chain against an Indonesian defense training portal: starting from valid credentials, they bypassed the portal's CAPTCHA by reading the expected value out of the session cookie, injected SQL through a document field, and escalated the injection to remote code execution via the backend PostgreSQL database. The chain gave them command execution and file access, with results exfiltrated back through the application itself. An AdaptixC2 payload was also identified, indicating active command-and-control operations.

Leaked data ties the same actor to an earlier theft of Chinese railway-sector data. The stolen material centers on the China Railway Society Electrification Committee and related groups, and maps technical, organizational, and personal details tied to rail infrastructure and CCP-aligned scientific networks.

Analysis of exposed payloads shows the attacker used AdaptixC2 for command and control, along with a PowerShell reverse shell. They built a persistent pivoting infrastructure using OpenVPN and Ligolo, creating tunnels and routes to access internal networks. Custom Linux services ensured long-term access.

The actor moved laterally into a Chinese network, interacting with internal systems and using scripts to exfiltrate data. Around 110 files (4.37GB) were stolen, including technical documents on railway electrification and sensitive personal data such as IDs, bank details, and phone numbers.

Overall, the operation combined C2 control, stealthy persistence, network pivoting, and targeted data theft.

Ctrl-Alt-Intel has not attributed the campaign to any specific actor or country. Although Vietnamese comments appeared in scripts and tools, they are not reliable evidence and may have been intentionally added to mislead analysts and obscure attribution.

“Although we do not make a firm attribution, the combination of victimology, post-compromise pivoting, and the nature of the exfiltrated data makes this activity more significant than routine opportunistic exploitation.” concludes the report. “The targeting of South-East Asian military and government infrastructure, combined with confirmed theft of Chinese transport-sector material, is consistent with a broad regional collection effort.”


Pierluigi Paganini


  • ✇Malwarebytes
  • Actively exploited cPanel bug exposes millions of websites to takeover

Actively exploited cPanel bug exposes millions of websites to takeover

1 May 2026, 07:48

Security researchers are warning about a newly discovered vulnerability in the widely used web server management software cPanel and WebHost Manager (WHM).

It is a critical, actively exploited authentication bypass in cPanel/WHM that lets attackers gain administrative access to the interface without credentials, and from there potentially take over the server and every site hosted on it.

The vulnerability, tracked as CVE-2026-41940, has been added to the Known Exploited Vulnerabilities catalog by the Cybersecurity and Infrastructure Security Agency (CISA), meaning there is evidence it is being used in real-world attacks.

Because cPanel/WHM is used by over a million sites worldwide, including banks and health organizations, the potential impact is huge. In simple terms, the bug can act like a front‑door key to a big chunk of the web’s hosting infrastructure.

cPanel released patches on April 28, 2026, and urged all customers and hosts to update. It said all supported versions after 11.40 are affected, including DNSOnly and WP Squared.

Hosting providers including Namecheap, HostGator, and KnownHost temporarily blocked access to cPanel interfaces while patching, treating this as a critical authentication bypass and reporting exploit attempts going back to late February 2026.

How to stay safe

While it’s up to the hosting companies and website owners to patch as quickly as possible, there are ways to reduce your risk if a site you use is compromised.

As always, limit the data you share with websites to what’s absolutely necessary. Data they don’t have can’t be stolen.

When ordering from an online retailer, don’t tick the box to save your card details for future purchases as they will be stored on the server.

If there’s an option to check out as a guest, use it. It reduces the amount of personal data tied to an account.

Don’t reuse passwords. When one site is compromised, having the same credentials in several places turns it into a multi‑account takeover problem. A password manager can help you create complex unique passphrases, and remember them for you.

Where possible, pay by credit card. In many regions, this gives you stronger fraud protection.

When a site you trust gets hacked

If you think you’ve been affected by a data breach, take the following steps:

  • Check the company’s advice. Every breach is different, so check with the company to find out what’s happened and follow any specific advice it offers.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of 2FA (codes sent by SMS or copied from an app) can be phished just as easily as a password, but a FIDO2 credential is bound to the site's origin, so a lookalike phishing site cannot use it.
  • Watch out for impersonators. The thieves may contact you posing as the breached platform. Check the official website to see if it’s contacting victims and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to let sites remember your card details, but it increases risk if a retailer suffers a breach.
  • Set up identity monitoring, which alerts you if your personal information is found being traded illegally online and helps you recover after.


  • ✇Firewall Daily – The Cyber Express
  • CVE-2026-41940: Critical cPanel Authentication Bypass Exposes Hosting Systems Ashish Khaitan

CVE-2026-41940: Critical cPanel Authentication Bypass Exposes Hosting Systems

A newly disclosed security issue, tracked as CVE-2026-41940, has raised significant concern across the web hosting ecosystem, particularly for systems running cPanel and WebHost Manager (WHM). The flaw, described as an authentication bypass, affects multiple authentication pathways and could allow unauthorized users to gain access to sensitive control panel environments.

The vulnerability was formally acknowledged in a security advisory published on April 28, 2026, and later updated several times, most recently on April 29, 2026, at 02:46 PM CST. The advisory, titled “Security: CVE-2026-41940 - cPanel & WHM / WP2 Security Update 04/28/2026,” outlines the scope, impact, and mitigation steps associated with the issue.

According to the advisory, the root cause is an authentication bypass in cPanel software, including DNSOnly installations, across all versions released after 11.40. The issue initially lacked an official identifier and is now referenced as CVE-2026-41940.

Affected Versions and Patch Releases 

The vulnerability impacts all currently supported versions of cPanel and WHM. To address the issue, patches have been released for the following versions:
  • 11.86.0.41  
  • 11.110.0.97  
  • 11.118.0.63  
  • 11.126.0.54  
  • 11.130.0.19  
  • 11.132.0.29  
  • 11.134.0.20  
  • 11.136.0.5  
Additionally, WP Squared version 136.1.7 has received a corresponding fix. The advisory stresses that administrators should immediately update their systems using the standard update script:
/scripts/upcp --force
Once the update completes, confirm the installed version and restart the cPanel service (cpsrvd) so the patched code is the code actually serving logins.
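As an added check (this is the editor's example, not cPanel's own tooling), the following Python script decides whether an installed build carries the fix by comparing it against the patched build for the same release branch from the list above. It assumes the installed version string can be read from /usr/local/cpanel/version and that WP Squared reports a three-part version such as 136.1.7; both are assumptions, not facts stated in the advisory. Branches with no patched build in the list are reported as unsupported, which is the advisory's "may also be affected" case.

```python
"""Decide whether an installed cPanel & WHM build carries the CVE-2026-41940 fix.

Added example, not cPanel's own tooling. Assumptions: the installed version
string lives in /usr/local/cpanel/version, and WP Squared reports a three-part
version (e.g. 136.1.7) rather than the 11.x.y.z scheme.
"""
import sys

# Patched builds listed in the advisory, one per supported release branch.
PATCHED_CPANEL = [
    "11.86.0.41", "11.110.0.97", "11.118.0.63", "11.126.0.54",
    "11.130.0.19", "11.132.0.29", "11.134.0.20", "11.136.0.5",
]
PATCHED_WP2 = "136.1.7"
VERSION_FILE = "/usr/local/cpanel/version"  # assumed location


def parse_version(text):
    """'11.110.0.97' -> (11, 110, 0, 97). Tuples compare numerically, so
    11.110.0.100 sorts after 11.110.0.97 (a string comparison would not)."""
    return tuple(int(part) for part in text.strip().split("."))


# Map each release branch (major, minor) to its first patched build.
_FIXED_BY_BRANCH = {parse_version(v)[:2]: parse_version(v) for v in PATCHED_CPANEL}


def patch_status(version):
    """Return 'patched', 'vulnerable', 'unsupported' or 'not-affected'."""
    v = parse_version(version)
    if len(v) == 3:                      # assumed WP Squared scheme
        return "patched" if v >= parse_version(PATCHED_WP2) else "vulnerable"
    if v < (11, 41):                     # advisory: only versions after 11.40 are affected
        return "not-affected"
    fixed = _FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        # No fix was issued for this branch; the advisory says such servers
        # may also be affected and must be moved to a supported release.
        return "unsupported"
    return "patched" if v >= fixed else "vulnerable"


def installed_version(path=VERSION_FILE):
    """Read the version string cPanel writes to disk (assumed path)."""
    with open(path, encoding="ascii") as fh:
        return fh.read().strip()


if __name__ == "__main__":
    # Usage: python3 check_cpanel_patch.py [version]; defaults to the installed version.
    ver = sys.argv[1] if len(sys.argv) > 1 else installed_version()
    status = patch_status(ver)
    print(f"cPanel version {ver}: {status}")
    sys.exit(0 if status in ("patched", "not-affected") else 1)
```

A "patched" result only says the code on disk is fixed; it says nothing about whether the host was already exploited before the update, which is what the session scan in the next section is for.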

Immediate Mitigation Steps for CVE-2026-41940 

For environments where updates cannot be applied right away, temporary mitigations have been recommended. These include blocking inbound traffic at the firewall to ports 2083 (cPanel), 2087 (WHM), and 2095 and 2096 (Webmail), or disabling the cpsrvd and cpdavd services outright. Where the plaintext counterparts 2082 (cPanel) and 2086 (WHM) are still reachable from the internet, they belong on the same block list. Administrators are also warned that systems with automatic updates disabled, or pinned to a specific version, will not receive the patch automatically; these must be updated manually as a priority to close the authentication bypass posed by CVE-2026-41940.

Detection Script and Indicators of Compromise 

To assist administrators in identifying potential exploitation attempts, a detection script has been provided. The script scans session files located in /var/cpanel/sessions for indicators of compromise (IOCs).  Key detection mechanisms include: 
  • Identification of session files containing both token_denied and cp_security_token, which strongly suggests exploitation attempts.
  • Detection of pre-authentication sessions containing authenticated attributes.
  • Sessions marked with tfa_verified but lacking legitimate origin markers.
  • Multi-line password values, indicating possible session file corruption.
If the script detects suspicious activity, it outputs warnings or critical alerts. In cases where compromise is confirmed, administrators are instructed to: 
  • Purge all affected sessions  
  • Force password resets for root and all WHM users  
  • Audit system logs, such as /var/log/wtmp and WHM access logs  
  • Investigate persistence mechanisms like cron jobs, SSH keys, or backdoors  
An example output included in the advisory demonstrates detection of an exploitation attempt originating from IP address 100.96.3.23, where an injected session token was identified alongside a failed authentication attempt. 
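The advisory's script itself is not reproduced on this page, so below is an added Python implementation of the same four checks, written by the editor rather than taken from cPanel. It assumes session files are plain key=value lines, that authenticated sessions sit under /var/cpanel/sessions/raw and pre-authentication sessions under /var/cpanel/sessions/preauth, and it uses placeholder names for the "authenticated" and "origin" attributes; all three are assumptions to verify against a real session file before trusting the output. The sample sessions at the bottom are constructed to exercise each check, not captures from a compromised host.

```python
"""Scan cPanel session files for the CVE-2026-41940 indicators the advisory lists.

Added example, not cPanel's own detection script. Assumptions (not stated in
the advisory): session files are key=value lines, authenticated sessions live
under <root>/raw and pre-authentication sessions under <root>/preauth, and the
key names below are what mark an authenticated session and a legitimate origin.
"""
import os
import re
import sys
from dataclasses import dataclass

SESSION_ROOT = "/var/cpanel/sessions"
KEY_LINE = re.compile(r"^[A-Za-z0-9_.-]+=")
# Placeholder attribute names; adjust to what your cPanel version actually writes.
AUTHENTICATED_KEYS = {"user", "successful_external_auth_with_timestamp", "authenticated"}
ORIGIN_KEYS = {"origin", "login_origin"}


@dataclass
class Finding:
    severity: str   # "CRITICAL" or "WARNING"
    path: str
    reason: str


def parse_session(text):
    """Return (key -> value, set of keys whose value spans several lines).
    A line that does not look like key=value is a continuation of the previous
    value, which is how a multi-line password shows up."""
    values, multiline, current = {}, set(), None
    for line in text.splitlines():
        if KEY_LINE.match(line):
            current, _, val = line.partition("=")
            values[current] = val
        elif current is not None:
            values[current] += "\n" + line
            multiline.add(current)
    return values, multiline


def check_session(text, preauth, path="<inline>"):
    """Apply the advisory's four indicators to one session file's contents."""
    values, multiline = parse_session(text)
    findings = []
    if "token_denied" in values and "cp_security_token" in values:
        findings.append(Finding("CRITICAL", path,
                                "token_denied together with cp_security_token: injected session token"))
    if preauth and AUTHENTICATED_KEYS & values.keys():
        findings.append(Finding("CRITICAL", path, "pre-auth session carries authenticated attributes"))
    if values.get("tfa_verified") and not (ORIGIN_KEYS & values.keys()):
        findings.append(Finding("WARNING", path, "tfa_verified set without a legitimate origin marker"))
    if "pass" in multiline:
        findings.append(Finding("WARNING", path, "multi-line password value: possible session file corruption"))
    return findings


def scan_tree(root=SESSION_ROOT):
    """Walk the assumed raw/ and preauth/ directories and collect findings."""
    findings = []
    for sub, preauth in (("raw", False), ("preauth", True)):
        directory = os.path.join(root, sub)
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            if not os.path.isfile(path):
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(check_session(fh.read(), preauth, path))
    return findings


# Constructed sample sessions (not real captures) showing each check firing.
SAMPLE_INJECTED = "user=root\ntoken_denied=1\ncp_security_token=cpsess0000000000\n"
SAMPLE_PREAUTH = "successful_external_auth_with_timestamp=1777000000\n"
SAMPLE_TFA = "user=root\ntfa_verified=1\n"
SAMPLE_CORRUPT = "user=root\npass=abc\ndef\norigin=ui\n"
SAMPLE_CLEAN = "user=root\ntfa_verified=1\norigin=ui\n"

if __name__ == "__main__":
    # Usage: python3 scan_cpanel_sessions.py [/var/cpanel/sessions]
    found = scan_tree(sys.argv[1] if len(sys.argv) > 1 else SESSION_ROOT)
    for f in found:
        print(f"{f.severity} {f.path}: {f.reason}")
    sys.exit(2 if any(f.severity == "CRITICAL" for f in found) else (1 if found else 0))
```

The exit code (2 for critical, 1 for warnings only, 0 for clean) lets the scan run from cron or a fleet tool across a hosting estate; any CRITICAL hit should trigger the advisory's response steps (purge sessions, reset root and WHM passwords, audit logs, hunt for persistence) rather than just a ticket.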

Industry Response and Ongoing Monitoring 

Although cPanel has not disclosed detailed technical specifics about CVE-2026-41940, third-party hosting provider Namecheap confirmed that the issue involves “an authentication login exploit that could allow unauthorized access to the control panel.”  As a precaution, Namecheap implemented firewall rules blocking TCP ports 2083 and 2087, temporarily restricting access to cPanel and WHM interfaces. The company stated, “Our team is actively monitoring the situation and will apply the official patch across all supported servers as soon as it becomes available.”  The provider also confirmed that patches had been deployed across Reseller and Stellar Business servers, with broader rollout ongoing. 

Urgency Around Updating cPanel Systems 

The advisory emphasizes that any server running an unsupported version of cPanel remains at risk from this authentication bypass security flaw. Administrators are strongly urged to upgrade to a supported and patched version as soon as possible.  “If your server is not running a supported version of cPanel that is eligible for this update, it is highly recommended that you work toward updating your server as soon as possible, as it may also be affected,” the advisory notes. 