CPanel authentication-bypass and persistent-access campaign targeting Southeast Asia
Campaign
Summary
A previously unknown threat actor ran a cPanel authentication-bypass campaign that combined public exploit code and custom access tooling to reach government, military, MSP, and hosting targets across Southeast Asia and beyond. The activity mattered because it paired initial access, persistence, and internal pivoting, raising the risk of follow-on compromise and collection. The same access layer was later used to exfiltrate Chinese railway-sector documents from an internal network.
Cases
Related Happenings
CPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)
Exploitation Wave
First: 04.05.2026 11:25
Last: 04.05.2026 11:25
Sources: 1
How related:
Per data from the Shadowserver Foundation, at least 44,000 IP addresses likely compromised via CVE-2026-41940 are said to have engaged in scanning and brute-force attacks against its honeypots on April 30, 2026.
About this happening:
Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...
CPanel and WHM authentication bypass (CVE-2026-41940)
Vulnerability
First: 29.04.2026 12:37
Last: 29.04.2026 12:37
Sources: 1
How related:
The activity, detected by Ctrl-Alt-Intel on May 2, 2026, involves the abuse of CVE-2026-41940, a critical vulnerability in cPanel and WebHost Manager (WHM) that could result in an authentication bypass and allow remote attackers to gain elevated control of the control panel.
About this happening:
**cPanel and WHM** are affected by **CVE-2026-41940**, an **authentication bypass** in the login flow that can let **unauthenticated remote attackers** gain control-panel access....
Timeline
- 04.05.2026 12:27 (1 article)
CVE-2026-41940 honeypot scanning and brute force
Detection / IoC update: At least 44,000 IP addresses likely compromised via CVE-2026-41940 in cPanel / WebHost Manager (WHM) engaged in scanning and brute-force attacks against Shadowserver honeypots, showing early opportunistic abuse of the authentication-bypass flaw.
Sources:
- Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks — thehackernews.com — 04.05.2026 12:27
- 04.05.2026 12:27 (1 article)
CVE-2026-41940 targeted exploitation against government and MSP domains
Exploitation observed: A previously unknown threat actor used publicly available proof-of-concepts for CVE-2026-41940 from 95.111.250[.]175 to target government and military domains tied to the Philippines (*.mil.ph and *.ph) and Laos (*.gov.la), plus MSPs and hosting providers in the Philippines, Laos, Canada, South Africa, and the U.S., in an attempt to gain elevated control of cPanel / WebHost Manager (WHM).
Sources:
- Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks — thehackernews.com — 04.05.2026 12:27
- 04.05.2026 12:27 (2 articles)
Persistent-access tooling and remediation guidance
Technical analysis update: Further analysis linked the campaign against cPanel / WebHost Manager (WHM) to a separate custom exploit chain against an Indonesian defense-sector training portal that used authenticated SQL injection and remote code execution. The compromised endpoint was controlled with AdaptixC2, while OpenVPN, Ligolo, and systemd persistence supported internal pivoting and the exfiltration of Chinese railway-sector documents. cPanel also released a new version of its detection script and recommended patching and IoC cleanup.
Sources:
- Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks — thehackernews.com — 04.05.2026 12:27