
Active exploitation of cPanel authentication bypass (CVE-2026-41940) by unknown actor targeting government and MSP networks

1 unique source, 1 article

Summary


An unknown threat actor is actively exploiting CVE-2026-41940, a critical authentication bypass in cPanel and WHM, to compromise government, military, and MSP networks in multiple regions. The campaign used a custom SQL injection and RCE chain against an Indonesian defense-sector training portal, then weaponized the cPanel flaw to take elevated control of the hosting control panels. Activity originated from 95.111.250[.]175 and relied on AdapdixC2 for command and control, with OpenVPN and Ligolo used for persistence and lateral movement; exfiltration of Chinese railway-sector documents was observed. The campaign's scope and persistence point to a sophisticated, likely state-aligned or experienced adversary targeting high-value infrastructure.

Timeline

  1. 04.05.2026 12:27 · 1 article

    Weaponization of cPanel authentication bypass (CVE-2026-41940) observed in multi-region government and MSP compromise campaign

    Active exploitation of CVE-2026-41940 was under way by May 2, 2026, coinciding with public disclosure. An unknown actor deployed a custom SQLi and RCE chain against an Indonesian defense portal, then pivoted to cPanel control-panel compromise from the same origin IP (95.111.250[.]175). The actor used AdapdixC2, OpenVPN, Ligolo, and systemd persistence to maintain access and exfiltrate Chinese railway-sector documents. Shadowserver data shows rapid global scanning activity peaking at 44,000 IPs on April 30, 2026, then falling to 3,540 by May 3, 2026.

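The timeline entry gives two things a defender can act on immediately: the origin IP and the fact that the actor persisted via systemd units running its tunnelling tools. The script below is an added hunting example written for this page; it is not code from the tracker, from Shadowserver, or from any of the reporting on the campaign. It refangs the published indicator, runs it over cPanel access-log lines, and flags systemd units whose ExecStart references the IOC IP or one of the named tools. The log format (Apache combined-style, as found in /usr/local/cpanel/logs/access_log), the sample log lines, the unit file texts, and the tool-name heuristic are all assumptions or constructed data, not details from the report.

```python
import re

# Indicator from the reporting on this campaign, kept defanged as published.
DEFANGED_ORIGIN_IP = "95.111.250[.]175"


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp://", "http://")


ORIGIN_IP = refang(DEFANGED_ORIGIN_IP)

# Assumption: cPanel's access log (/usr/local/cpanel/logs/access_log) is treated here
# as Apache combined-style. The lines below are constructed samples, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [02/May/2026:08:14:03 +0000] "GET /login/?login_only=1 HTTP/1.1" 200 1432
95.111.250.175 - - [02/May/2026:09:02:11 +0000] "POST /login/?login_only=1 HTTP/1.1" 200 71
95.111.250.175 - root [02/May/2026:09:02:12 +0000] "GET /cpsess1234567890/json-api/listaccts HTTP/1.1" 200 8812
198.51.100.20 - - [02/May/2026:09:30:44 +0000] "GET /login/?login_only=1 HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def hunt_log(log_text: str, ioc_ips: set) -> list:
    """Return records from IOC IPs, marking those that look post-authentication
    (a non-empty user field or a /cpsess... session path)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["ip"] in ioc_ips:
            rec["authenticated"] = rec["user"] != "-" or rec["path"].startswith("/cpsess")
            hits.append(rec)
    return hits


# Tool names the report attributes to the actor; matching unit text on them is a
# heuristic (assumption), not a published signature. Unit texts are constructed.
TOOL_MARKERS = ("ligolo", "openvpn")

SAMPLE_UNITS = {
    "cron.service": "[Service]\nExecStart=/usr/sbin/cron -f\n",
    "sys-update.service": (
        "[Unit]\nDescription=System update helper\n[Service]\n"
        "ExecStart=/usr/local/bin/.cache/agent -connect 95.111.250.175:11601\n"
        "Restart=always\n[Install]\nWantedBy=multi-user.target\n"
    ),
    "net-helper.service": "[Service]\nExecStart=/opt/ligolo/agent -connect 198.51.100.9:443\n",
}


def flag_units(units: dict, ioc_ips: set, markers=TOOL_MARKERS) -> dict:
    """Map unit name -> reasons for every unit whose ExecStart references an IOC IP
    or one of the tool names."""
    flagged = {}
    for name, text in units.items():
        for line in text.splitlines():
            if not line.strip().startswith("ExecStart"):
                continue
            cmd = line.split("=", 1)[1]
            reasons = [ip for ip in ioc_ips if ip in cmd]
            reasons += [m for m in markers if m in cmd.lower()]
            if reasons:
                flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for rec in hunt_log(SAMPLE_LOG, {ORIGIN_IP}):
        state = "auth" if rec["authenticated"] else "pre-auth"
        print(rec["ts"], rec["ip"], rec["method"], rec["path"], state)
    for unit, why in flag_units(SAMPLE_UNITS, {ORIGIN_IP}).items():
        print("suspicious unit:", unit, why)
```

On a live host, read the access log and the contents of /etc/systemd/system and /usr/lib/systemd/system in place of the constructed samples. The post-authentication marker matters more than the IP match itself: a request from the IOC IP that reaches a /cpsess path or carries a user name means the bypass succeeded, so the host should be treated as compromised rather than merely scanned.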

Information Snippets