A critical vulnerability in cPanel and WebHost Manager (WHM) is being actively exploited by a previously unidentified threat actor to target government, military, and managed service provider networks across multiple regions. The vulnerability, tracked as CVE-2026-41940, allows authentication bypass and enables attackers to gain elevated control over affected systems. The activity was first detected on May 2, 2026 by cybersecurity researchers at Ctrl Alt Intel, who observed coordinated exploitation attempts affecting organizations in Southeast Asia as well as entities in the Philippines, Laos, Canada, South Africa, and the United States.
The campaign has primarily focused on government and military domains in the Philippines and Laos, alongside a smaller group of hosting providers and MSPs. Attack traffic has been traced to an IP address identified as 95.111.250.175, with attackers leveraging publicly available proof-of-concept exploits shortly after the vulnerability was disclosed. The rapid weaponization of CVE-2026-41940 indicates a high level of interest among threat actors in exploiting widely used infrastructure management platforms. By bypassing authentication controls, attackers can gain unauthorized administrative access to hosting environments, potentially enabling further compromise, data access, and service disruption across critical systems.
Further investigation by Ctrl Alt Intel revealed that the same threat actor had previously targeted an Indonesian defense sector training portal using a custom exploit chain prior to launching the cPanel attacks. In that instance, the attacker already possessed valid credentials and combined authenticated SQL injection with remote code execution techniques to compromise the system. The exploit chain included bypassing CAPTCHA protections by extracting expected values directly from session cookies, allowing automated access without solving the challenge. Once authenticated, the attacker injected malicious SQL commands into a document management function by manipulating the document name parameter, leading to deeper system access and control over application-level processes.
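The two design weaknesses in the training portal described above (a CAPTCHA whose expected answer is recoverable from the session cookie, and a document-name parameter that reaches a SQL statement without parameter binding) are illustrated below from a defender's viewpoint, with the weak pattern beside its hardened form. This is an added example written for this article, not code from the portal, from Ctrl Alt Intel, or from cPanel; the table schema, cookie names, and sample documents are constructed, and Python with SQLite stands in for whatever stack the portal actually runs.

```python
"""Weak vs. hardened handling of a CAPTCHA check and a document-name lookup.

Added illustration; the schema, cookie names and sample rows are constructed
and do not describe the targeted portal.
"""
import hmac
import secrets
import sqlite3

# Constructed sample data standing in for a document-management table.
SAMPLE_DOCUMENTS = [(1, "Training schedule 2026"), (2, "Q1 O'Brien report")]


def build_db():
    """In-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO documents VALUES (?, ?)", SAMPLE_DOCUMENTS)
    return conn


# ---- Weak pattern: the two design flaws the article describes ----

def weak_issue_challenge():
    """Puts the expected CAPTCHA answer in the cookie itself, so whoever holds
    the cookie can read the answer instead of solving the image."""
    answer = secrets.token_hex(2).upper()
    return {"captcha_expected": answer}


def weak_verify(cookies, submitted):
    """Compares the submission against a client-supplied expected value."""
    return cookies.get("captcha_expected") == submitted


def weak_find_document(conn, name):
    """Builds the query by string concatenation, so the document name
    parameter is parsed as SQL rather than treated as data."""
    sql = "SELECT id, name FROM documents WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


# ---- Hardened pattern ----

class ChallengeStore:
    """Keeps CAPTCHA answers server-side, indexed by an opaque single-use
    token. The client cookie carries only the token."""

    def __init__(self):
        self._pending = {}

    def issue(self):
        token = secrets.token_urlsafe(16)
        answer = secrets.token_hex(2).upper()
        self._pending[token] = answer
        # Only the token is set as a cookie; the answer goes to the image renderer.
        return {"captcha_token": token}, answer

    def verify(self, cookies, submitted):
        token = cookies.get("captcha_token")
        expected = self._pending.pop(token, None)  # pop: a challenge is single-use
        if expected is None:
            return False
        return hmac.compare_digest(expected, submitted)


def safe_find_document(conn, name):
    """Parameterised query: the driver binds the name as data, so quotes in
    it cannot change the statement's structure."""
    return conn.execute(
        "SELECT id, name FROM documents WHERE name = ?", (name,)
    ).fetchall()


def weak_query_breaks(conn, name):
    """True if the weak query fails on this name. A legitimate apostrophe
    doing so is the tell-tale that user input is reaching the SQL parser."""
    try:
        weak_find_document(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    conn = build_db()
    name = "Q1 O'Brien report"
    print("weak query breaks on apostrophe:", weak_query_breaks(conn, name))
    print("safe query result:", safe_find_document(conn, name))
    weak_cookie = weak_issue_challenge()
    print("answer readable from weak cookie:",
          weak_verify(weak_cookie, weak_cookie["captcha_expected"]))
    store = ChallengeStore()
    cookie, answer = store.issue()
    print("token cookie exposes answer:", "captcha_expected" in cookie)
    print("first verify:", store.verify(cookie, answer),
          "replay:", store.verify(cookie, answer))
```

The apostrophe test is the cheap audit check: a document name such as `Q1 O'Brien report` errors out of the concatenated query but is returned correctly by the bound one, which shows the input is being interpreted as SQL without needing any attack payload. On the CAPTCHA side, the cookie should carry only an opaque token that the server maps to an answer it never sends to the client, consumed on first use so a recorded cookie cannot be replayed.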
The analysis also found that the threat actor deployed the AdaptixC2 command-and-control framework to maintain remote access to compromised systems. Additional tools such as OpenVPN and Ligolo were used to establish persistence and facilitate movement within internal networks. This access enabled the actor to exfiltrate a significant volume of sensitive data, including documents related to the Chinese railway sector. The use of multiple tools for persistence and lateral movement highlights a structured approach to maintaining long-term access within targeted environments while expanding the scope of compromise beyond initial entry points.
Researchers have also identified broader exploitation of the same vulnerability by multiple threat actors within a short time frame following its disclosure. Data from Censys indicates that different groups have leveraged CVE-2026-41940 to deploy Mirai botnet variants and a ransomware strain identified as Sorry. Observations from the Shadowserver Foundation revealed that approximately 44,000 IP addresses were likely compromised and engaged in scanning and brute-force activity against monitored systems on April 30, 2026. By May 3, the number had decreased to 3,540, suggesting ongoing but fluctuating exploitation levels. In response, cPanel has released an updated detection script to reduce false positives and assist organizations in identifying affected systems. Security experts recommend immediate patching of vulnerable installations and thorough investigation of environments for indicators of compromise to limit further risk exposure.