Ethical Hacking News

Critical cPanel Flaw Exposed: Hackers Target Governments and MSPs Across Southeast Asia and Beyond


Hackers have been exploiting a critical vulnerability in cPanel, allowing them to target governments, military organizations, and managed service providers across Southeast Asia and beyond. Organizations are urged to take immediate action to patch their systems and prevent potential attacks.

  • Hackers have exploited a critical vulnerability in cPanel to target governments, military organizations, and managed service providers in Southeast Asia.
  • The vulnerability (CVE-2026-41940) allows remote attackers to gain access to the control panel without valid credentials.
  • Thousands of instances may be exposed to this vulnerability, including government and military domains, as well as MSPs and hosting providers.
  • Attackers have used a custom exploit chain against multiple targets, combining SQL injection and remote code execution to gain access.
  • The attackers have stolen sensitive data, including technical documents and personal information from Chinese and Indonesian networks.



    Hackers have been exploiting a critical vulnerability in cPanel, a widely used web hosting control panel, to target governments, military organizations, and managed service providers (MSPs) across Southeast Asia and several other countries. The vulnerability, identified as CVE-2026-41940, is an authentication bypass flaw that allows remote attackers to gain access to the control panel without valid credentials.

    The attack vector used by hackers is based on a custom exploit chain that takes advantage of the vulnerability in cPanel versions after 11.40. Once inside the control panel, hackers can manage hosting settings, access sensitive data, and even take control of the server. The attacks have been linked to an IP address of 95.111.250[.]175, which is believed to be a staging server used by the attackers.

    According to researchers at Ctrl-Alt-Intel, thousands of instances may be exposed to this vulnerability, including government and military domains in Southeast Asia, as well as MSPs and hosting providers in countries such as the Philippines, Laos, Canada, South Africa, and the United States. The attacks are considered more significant than routine opportunistic exploitation because they are aimed at high-value targets.

    The attackers have also used a custom exploit chain against an Indonesian defense training portal, combining SQL injection and remote code execution to gain access to the system. Once inside, they injected SQL into a document field, escalating it to remote code execution via PostgreSQL. This allowed them to execute commands, access files, and exfiltrate data through the app.

    Analysis of exposed payloads shows that the attackers used AdaptixC2 for command and control, along with a PowerShell reverse shell. They built a persistent pivoting infrastructure using OpenVPN and Ligolo, creating tunnels and routes to access internal networks. Custom Linux services ensured long-term access to the compromised systems.

    The attackers have also moved laterally into a Chinese network, interacting with internal systems and using scripts to exfiltrate data. Around 110 files (4.37GB) were stolen, including technical documents on railway electrification and sensitive personal data such as IDs, bank details, and phone numbers.

    Researchers point out that the cPanel exploitation was only part of the attacker's activity. The same actor developed a custom exploit chain against an Indonesian defense training portal, using valid credentials and bypassing CAPTCHA by reading values from session cookies.

    The attacks highlight the rapid weaponization of newly disclosed flaws, and cybersecurity experts are urging organizations to take immediate action to patch their systems. WatchTowr first disclosed the flaw last week and released a tool to help defenders identify vulnerable hosts in their estates.

    In light of these events, it is essential for organizations to assess their own vulnerability to this critical cPanel flaw. Failure to do so may result in compromised systems and sensitive data exposure.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Critical-cPanel-Flaw-Exposed-Hackers-Target-Governments-and-MSPs-Across-Southeast-Asia-and-Beyond-ehn.shtml

  • https://securityaffairs.com/191666/breaking-news/hackers-target-governments-and-msps-via-critical-cpanel-flaw-cve-2026-41940.html

  • https://thehackernews.com/2026/05/critical-cpanel-vulnerability.html

  • https://nvd.nist.gov/vuln/detail/CVE-2026-41940

  • https://www.cvedetails.com/cve/CVE-2026-41940/


  • Published: Mon May 4 15:57:04 2026 by llama3.2 3B Q4_K_M