Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks
Active exploitation of a critical cPanel vulnerability (CVE-2026-41940) against governments and MSP networks in Southeast Asia
Critical cPanel Vulnerability CVE-2026-41940 Actively Exploited Against Southeast Asian Governments and MSPs
TL;DR A previously unknown threat actor has exploited CVE-2026-41940, a critical authentication bypass in cPanel and WHM, to target government and military domains in the Philippines and Laos, as well as MSPs and hosting providers across multiple countries. The vulnerability was weaponized by multiple threat actors within 24 hours of disclosure, with at least 44,000 IP addresses showing signs of compromise by April 30, 2026. Organizations running affected cPanel installations should patch immediately and scan for indicators of compromise.
What happened
On May 2, 2026, Ctrl-Alt-Intel detected active exploitation of CVE-2026-41940 originating from the IP address 95.111.250.175. The campaign targeted government and military entities in Southeast Asia—specifically Philippine (*.mil.ph and .ph) and Laotian (.gov.la) domains—alongside managed service providers and hosting infrastructure in the Philippines, Laos, Canada, South Africa, and the U.S. The attacker leveraged publicly available proof-of-concept code to conduct the initial compromise wave.
Prior to the cPanel exploitation, the same threat actor deployed a custom exploit chain against an Indonesian defense sector training portal. The attack combined authenticated SQL injection and remote code execution; the attacker already possessed valid credentials to the target system. The exploit script bypassed the portal's CAPTCHA protection by extracting the expected CAPTCHA value from server-issued session cookies rather than solving the challenge, then injected SQL through the document-name field when posting to the document-save endpoint.
Once inside compromised networks, the threat actor established persistent access using the AdaptixC2 command-and-control framework, OpenVPN, Ligolo, and systemd persistence mechanisms. From the Indonesian portal compromise, the actor pivoted internally and exfiltrated a substantial corpus of Chinese railway-sector documents.
Broader weaponization followed quickly: Censys identified evidence that multiple third-party threat actors began exploiting CVE-2026-41940 within 24 hours of public disclosure. These secondary campaigns deployed Mirai botnet variants and a ransomware strain named Sorry.
Shadowserver Foundation data shows that at least 44,000 IP addresses displaying signs of compromise via CVE-2026-41940 engaged in scanning and brute-force attacks against Shadowserver honeypots on April 30, 2026. This figure declined to 3,540 by May 3, 2026.
Why it matters
CVE-2026-41940 grants unauthenticated remote attackers elevated control of cPanel and WHM control panels. For hosting providers, MSPs, and organizations running cPanel, this represents direct access to server administration interfaces without credential validation. The speed of weaponization—within 24 hours—reflects the severity and ease of exploitation. The targeting of Southeast Asian government and military infrastructure elevates the risk profile for regional critical systems. The secondary deployment of Mirai variants and ransomware indicates that commodity threat actors are also leveraging this vector for botnet recruitment and extortion.
For SOC teams and system administrators in MENA and adjacent regions, this vulnerability demands immediate prioritization. Any cPanel or WHM instance accessible to untrusted networks is at risk. The demonstrated persistence tactics (systemd, tunneling tools, custom C2) suggest that detection must extend beyond initial compromise signals to include lateral movement and data exfiltration patterns.
Affected systems and CVEs
- cPanel and WebHost Manager (WHM): CVE-2026-41940
What to do
- Apply patches for CVE-2026-41940 as soon as possible.
- Use cPanel's updated detection script to identify compromised systems and reduce false positives.
- Scan systems and networks for indicators of compromise; clean up affected environments immediately.
- Monitor for persistence mechanisms: systemd services, OpenVPN configurations, Ligolo processes, and AdaptixC2 communication.
- Review authentication logs and session records on cPanel instances for unauthorized access during the window of April 28–May 3, 2026.
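A small hunt helper for the last two items above, added here as an example; it is not part of the advisory and is not cPanel's updated detection script. It assumes a combined-style access-log line format, an administrator address list you supply, and the default systemd unit directory; the log lines are constructed.

```python
import os
import re
from datetime import datetime, timezone

# Window named in the advisory (28 Apr to 3 May 2026; end bound is exclusive).
WINDOW_START = datetime(2026, 4, 28, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 4, tzinfo=timezone.utc)
KNOWN_BAD_IPS = {"95.111.250.175"}  # source IP reported for the initial wave
# Assumed combined-style access-log format: client IP, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def in_window(ts):
    return WINDOW_START <= ts < WINDOW_END

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "req": m["req"], "status": int(m["status"])}

def suspicious_entries(lines, admin_ips):
    # In-window requests from a reported IoC IP, or successful (2xx/3xx)
    # requests from an IP outside the administrators' known address list.
    hits = []
    for e in filter(None, map(parse_line, lines)):
        if in_window(e["ts"]) and (e["ip"] in KNOWN_BAD_IPS or
                                   (e["status"] < 400 and e["ip"] not in admin_ips)):
            hits.append(e)
    return hits

def recent_units(unit_dirs=("/etc/systemd/system",)):
    # systemd unit files created or modified inside the window: a persistence lead.
    found = []
    for d in unit_dirs:
        for name in (os.listdir(d) if os.path.isdir(d) else []):
            path = os.path.join(d, name)
            if os.path.isfile(path) and in_window(datetime.fromtimestamp(
                    os.stat(path).st_mtime, tz=timezone.utc)):
                found.append(path)
    return found

# Constructed sample lines (not real traffic); request paths are illustrative.
SAMPLE_LOG = [
    '203.0.113.10 - - [27/Apr/2026:09:00:00 +0000] "GET /login/ HTTP/1.1" 200 512',
    '95.111.250.175 - - [29/Apr/2026:02:14:07 +0000] "GET /login/ HTTP/1.1" 401 0',
    '198.51.100.7 - - [30/Apr/2026:11:45:30 +0000] "GET /json-api/listaccts HTTP/1.1" 200 2048',
    '203.0.113.10 - - [01/May/2026:08:00:00 +0000] "GET /json-api/listaccts HTTP/1.1" 200 2048',
]
```

Run `suspicious_entries(SAMPLE_LOG, {"203.0.113.10"})` against your own access log lines and allow-list; a hit is a lead to review, not proof of compromise.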
Open questions
- The identity of the primary threat actor behind the campaign remains unknown.
- The total number of victims compromised across all targets has not been disclosed.
- The full scope of data exfiltration beyond the Chinese railway-sector documents is unclear.
- Current remediation status across affected government, military, and commercial organizations in the region is not reported.
- The extent of network access and persistence achieved by the threat actor across compromised infrastructure is not fully characterized.
Source
Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks