May 4
Global Cyber Offensive Exploits Critical cPanel Vulnerability to Target Governments
A sophisticated and previously unknown threat actor is launching a wide-ranging cyber campaign targeting government and military institutions across Southeast Asia and managed service providers (MSPs) globally. The campaign, first detected on May 2, 2026, exploits CVE-2026-41940, a critical authentication bypass vulnerability in cPanel and WebHost Manager (WHM). The flaw allows remote attackers to gain elevated control over web hosting environments, which then serves as a foothold for deeper network penetration. While the Philippines and Laos have seen the most concentrated strikes on their military and government domains, the campaign has also reached hosting providers in Canada, South Africa, and the United States.
According to security researchers at Ctrl-Alt-Intel, the threat actor's methods extend beyond simple automated exploits. In one specific instance targeting an Indonesian defense portal, the group utilized a custom exploit chain involving SQL injection and remote code execution. By bypassing CAPTCHA challenges through session cookie manipulation and using hard-coded credentials, the attackers successfully moved into document management systems. Once inside, they deployed the AdaptixC2 framework alongside tools like OpenVPN and Ligolo to establish persistent access and pivot into internal networks. This maneuver recently resulted in the theft of a significant volume of Chinese railway-sector documents.
The identity of the group remains a mystery, but they are not the only ones capitalizing on the cPanel flaw. Security analysts have observed a "gold rush" of activity since the vulnerability was disclosed, with multiple actors deploying Mirai botnet variants and a new ransomware strain dubbed "Sorry." At its peak on April 30, nearly 44,000 compromised IP addresses were detected scanning the internet for victims. Although cPanel has released patches and detection scripts to mitigate the threat, experts urge administrators to immediately update their systems and conduct thorough environment cleanups to remove any lingering backdoors or indicators of compromise.
Executive IT Forums, Inc.
Copyright © 2026 Executive IT Forums, Inc. All Rights Reserved.