The critical CVE-2026-41940 vulnerability in cPanel/WHM is already being used not only by mass botnets and ransomware operators, but also in targeted attacks against military and government resources in Southeast Asia, as well as managed service and hosting providers in several countries. Organizations exposing cPanel to the internet must immediately apply updates and conduct a retrospective compromise assessment going back at least to 30 April 2026.
Technical details of the campaign and vulnerability
The observed attacks are based on the critical CVE-2026-41940 vulnerability in cPanel and WebHost Manager (WHM), which allows authentication bypass and elevated control over the control panel. Details of the vulnerability are available in the NVD entry for CVE-2026-41940. According to researchers, publicly available proof-of-concept (PoC) exploit code is already being used, which significantly lowers the barrier to entry for attackers.
Targets and attacker infrastructure
Researchers have observed activity since 2 May 2026 originating from IP address 95.111.250[.]175. The attacks were focused on:
- military and defense-related domains in the Philippines (*.mil.ph and other *.ph domains),
- government resources in Laos (*.gov.la),
- managed service providers and hosting providers in the Philippines, Laos, Canada, South Africa, and the United States.
Exploitation of CVE-2026-41940 essentially corresponds to the Exploit Public-Facing Application (T1190) technique in MITRE ATT&CK, where a vulnerable external management panel is used as an entry point into the internal infrastructure.
Separate attack chain against an Indonesian defense portal
Before exploiting CVE-2026-41940, the same actor, according to researchers, attacked a training portal in Indonesia’s defense sector using a separate, custom chain combining authenticated SQL injection and remote code execution. Key aspects of this chain:
- the attacker already possessed valid portal credentials (Valid Accounts, T1078),
- the automated script contained hard-coded credentials and bypassed the CAPTCHA by reading the expected value from the server session cookie instead of solving the visual challenge,
- after authentication, a document management function was used; the vulnerable parameter was the one used to store the document name. The script injected SQL code into this parameter when calling the document save endpoint, which led to arbitrary command execution on the server.
This approach demonstrates a combination of tactics: use of legitimate credentials, abuse of authentication/protection logic (CAPTCHA), and subsequent escalation via SQL injection and remote code execution.
Persistence and lateral movement
After successful compromise, the attacker used several layers of remote control and access tools:
- the AdapdixC2 framework for remote management of compromised hosts (building their own command-and-control infrastructure),
- OpenVPN and Ligolo to establish persistent tunnels into the victim’s network and enable movement within the infrastructure (Proxy (T1090) and related MITRE ATT&CK techniques),
- persistence via systemd (adding services that start at system boot), corresponding to the Boot or Logon Autostart Execution (T1547) technique.
Researchers note that on top of these mechanisms, a “robust access layer” was built, which allowed the attacker to move into the internal network and exfiltrate a significant volume of documents related to China’s railway sector.
Mass exploitation: Mirai and ransomware
In parallel with the targeted attacks, according to Censys, the CVE-2026-41940 vulnerability was adopted by several independent groups within 24 hours of public disclosure, including for:
- deploying Mirai botnet variants,
- distributing ransomware known as Sorry.
The Shadowserver Foundation reported that at least 44,000 IP addresses, likely compromised via CVE-2026-41940, were observed performing scanning and credential guessing against their honeypot systems on 30 April 2026; by 3 May, the number of such IPs had dropped to 3,540. This indicates a rapid but largely short-lived wave of mass exploitation that may have led to wide propagation of secondary attacks (botnets, password guessing, further scanning).
Assessment of scale and impact
Based on the data presented, several levels of risk can be distinguished.
Highest risk — for cPanel/WHM operators and their customers
- Hosting providers and MSPs. Compromise of a single cPanel/WHM panel can mean access to numerous customer accounts and websites. In the case of managed service providers, this becomes a supply chain security problem: through a single provider, an attacker can potentially gain access to the infrastructure of dozens or hundreds of organizations.
- Government agencies and the defense sector. The observed targeted scanning and exploitation of *.mil.ph and *.gov.la domains demonstrates interest in defense and government data in the Southeast Asia region, with the potential for further lateral movement and theft of sensitive information.
- Other industries. The incident involving exfiltration of documents from China’s railway sector via an Indonesian defense portal shows that compromise of a single system can provide access to information belonging to entirely different industries and countries.
Potential consequences of inaction
- Full takeover of servers running cPanel. An authentication bypass combined with public PoCs gives an attacker the ability to quickly obtain administrative control over the panel and, in many cases, over the underlying operating system.
- Prolonged stealthy presence. Use of OpenVPN, Ligolo and systemd-based persistence enables the creation of durable channels into the victim’s network that are difficult to distinguish from legitimate administration.
- Combination of cyber espionage and criminal schemes. The same vulnerabilities are simultaneously being used for extortion (Sorry), botnet creation (Mirai), and targeted document theft. This complicates incident analysis: a compromised server may be part of several independent attack chains at once.
Practical recommendations for defense and response
1. Immediate inventory and updating of cPanel/WHM
- Compile a list of all externally accessible servers running cPanel and WHM, including subsidiary brands, resellers, and test environments.
- Compare versions and patch status with the information on CVE-2026-41940 from the NVD and official cPanel documentation.
- Install all available security updates that address CVE-2026-41940, prioritizing servers with external exposure.
2. Temporary reduction of exposure
- Restrict access to cPanel/WHM by IP (allowlist) or move panel access behind a VPN segment, eliminating direct access from the internet.
- Where technically feasible, ensure that the panel cannot be accessed from public Wi‑Fi and anonymizing services.
- Disable unused plugins and modules that increase the attack surface.
3. Hunting for signs of compromise
Given that mass exploitation has already occurred, you should assume a possible breach and perform a retrospective analysis, especially for the period starting 30 April 2026.
Review of network activity
- Analyze firewall and proxy logs for:
  - outbound connections to suspicious hosts, especially if initiated from servers running cPanel/WHM;
  - long-lived or frequently reestablished sessions resembling VPN or tunneling traffic (OpenVPN, Ligolo) originating from servers that do not normally initiate such connections.
- If NDR/IDS tools are available, configure rules to detect atypical VPN tunnels and tunneling tools (Ligolo and similar, within the Proxy (T1090) technique).
Host inspection
- Check for:
  - new or modified systemd unit files, especially those launching unknown binaries or scripts at system startup;
  - traces of OpenVPN and Ligolo installation in unusual directories;
  - added user accounts or SSH keys without a documented reason.
- Review authentication logs and the panel activity log for:
  - suspect logins, especially from IP address 95.111.250[.]175 or other previously unseen addresses;
  - mass creation or modification of accounts, changes to backup settings, installation of new plugins.
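The network and host checks above can be scripted for a first retrospective pass. The following is an added illustration, not code from the advisory or from cPanel: it flags systemd unit files modified since 30 April 2026 or whose ExecStart points outside an assumed allowlist of trusted binary directories, pulls authentication log lines that mention the IP reported in the advisory (written defanged there as 95.111.250[.]175), and counts repeatedly re-established outbound sessions to one peer in iptables-style kernel log lines, the pattern a tunnel such as OpenVPN or Ligolo would leave. The unit files, log lines, hostnames and the allowlist are constructed for the demo; in a real investigation point `suspicious_units` at `/etc/systemd/system` and feed it the host's actual auth and firewall logs.

```python
"""Retrospective hunt helpers for a cPanel/WHM host (added illustration, not the advisory's code)."""
import os
import re
import tempfile
from collections import Counter
from datetime import datetime, timezone

# Cutoff date and IOC address come from the advisory (the IP appears there defanged).
CUTOFF = datetime(2026, 4, 30, tzinfo=timezone.utc)
IOC_IPS = {"95.111.250.175"}
# Assumed allowlist of directories that legitimately hold service binaries on a cPanel box.
TRUSTED_EXEC_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/",
                         "/usr/lib/", "/usr/libexec/", "/usr/local/cpanel/")

# ExecStart may carry systemd prefix characters (-, @, +, !, :) before the binary path.
EXEC_RE = re.compile(r"^\s*ExecStart\s*=\s*([-@+!:]*)(\S+)", re.M)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
CONN_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*DPT=(\d+)")


def suspicious_units(unit_dir, cutoff=CUTOFF):
    """Flag .service files modified since the cutoff or starting a binary outside trusted paths."""
    findings = []
    for name in sorted(os.listdir(unit_dir)):
        if not name.endswith(".service"):
            continue
        path = os.path.join(unit_dir, name)
        mtime = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
        reasons = []
        if mtime >= cutoff:
            reasons.append("modified since %s" % cutoff.date())
        with open(path) as fh:
            for match in EXEC_RE.finditer(fh.read()):
                binary = match.group(2)
                if not binary.startswith(TRUSTED_EXEC_PREFIXES):
                    reasons.append("ExecStart outside trusted paths: " + binary)
        if reasons:
            findings.append((name, reasons))
    return findings


def ioc_logins(log_lines, ioc_ips=IOC_IPS):
    """Return any log line (sshd, cPanel access log, ...) that mentions an IOC address."""
    return [ln for ln in log_lines if ioc_ips.intersection(IPV4_RE.findall(ln))]


def reconnect_bursts(conn_lines, threshold=5):
    """Count outbound (src, dst:port) pairs; many re-established sessions to one peer resemble a tunnel."""
    pairs = Counter()
    for ln in conn_lines:
        match = CONN_RE.search(ln)
        if match:
            pairs[(match.group(1), "%s:%s" % (match.group(2), match.group(3)))] += 1
    return {pair: n for pair, n in pairs.items() if n >= threshold}


# Constructed sample data (documentation-range addresses plus the advisory's IOC).
SAMPLE_AUTH_LOG = [
    "May  2 03:14:07 host1 sshd[2201]: Accepted publickey for root from 95.111.250.175 port 51122 ssh2",
    "May  2 09:00:00 host1 sshd[2300]: Accepted password for admin from 203.0.113.10 port 40000 ssh2",
]
SAMPLE_CONN_LOG = [
    "May  2 03:%02d:00 host1 kernel: OUT=eth0 SRC=198.51.100.5 DST=203.0.113.77 PROTO=UDP SPT=4100%d DPT=1194" % (i, i)
    for i in range(6)
] + ["May  2 03:10:00 host1 kernel: OUT=eth0 SRC=198.51.100.5 DST=203.0.113.9 PROTO=TCP SPT=50000 DPT=443"]


def build_demo():
    """Create a throwaway unit directory with one benign and one constructed suspect service, then hunt it."""
    unit_dir = tempfile.mkdtemp()
    legit = os.path.join(unit_dir, "httpd.service")
    with open(legit, "w") as fh:
        fh.write("[Service]\nExecStart=/usr/sbin/httpd -DFOREGROUND\n")
    old = datetime(2025, 1, 1, tzinfo=timezone.utc).timestamp()
    os.utime(legit, (old, old))  # predates the exploitation window
    suspect = os.path.join(unit_dir, "tmp-agent.service")  # constructed name
    with open(suspect, "w") as fh:
        fh.write("[Service]\nExecStart=/tmp/.cache/agent --connect\n")
    new = datetime(2026, 5, 2, tzinfo=timezone.utc).timestamp()
    os.utime(suspect, (new, new))  # inside the window
    return suspicious_units(unit_dir)


if __name__ == "__main__":
    for unit, reasons in build_demo():
        print(unit, reasons)
    print(ioc_logins(SAMPLE_AUTH_LOG))
    print(reconnect_bursts(SAMPLE_CONN_LOG))
```

A unit that both appeared after the cutoff and starts something under /tmp is reported with two reasons, which is the combination to triage first; a single reason (for example a legitimate package update inside the window) is usually explained by change records.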
4. Hardening web portals and business logic
The Indonesian defense portal case shows that compromise can also occur without CVE-2026-41940, via a combination of leaked credentials, vulnerable business logic, and SQL injection. The following is recommended:
- avoid storing or transmitting CAPTCHA values in client-accessible cookies or other parameters that can be read in the browser;
- test authentication and form business logic (including document management functions) for SQL injection and other injection vulnerabilities;
- strictly limit database account privileges: even in the event of SQL injection, an attacker should not be able to execute commands outside the database;
- strengthen monitoring of valid account usage (zero trust approach, anomalies in geolocation, time of day, and type of operations).
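To make the first three recommendations concrete, here is an added example of a document-save handler written the hardened way, beside the string-concatenation pattern the portal case describes. This is illustration code, not the Indonesian portal's code: an in-memory SQLite table stands in for the portal database, a dictionary stands in for a server-side session store, and the CAPTCHA answer never leaves the server, so nothing in a cookie can reveal it. The MySQL grant in the comment is the kind of least-privilege account the third bullet asks for and is an assumed example.

```python
"""Hardened document-save handler (added illustration, not the portal's code)."""
import hmac
import secrets
import sqlite3

# Server-side session store keyed by an opaque session id; the browser only ever holds the id.
# (Assumed stand-in for Redis or a sessions table.)
SESSIONS = {}
CAPTCHA_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def issue_captcha(session_id):
    """Generate a challenge answer and keep it only server-side, never in a cookie or form field."""
    answer = "".join(secrets.choice(CAPTCHA_ALPHABET) for _ in range(6))
    SESSIONS.setdefault(session_id, {})["captcha"] = answer
    return answer  # in a real portal this is rendered into an image, not returned to the client


def check_captcha(session_id, submitted):
    """Single-use, constant-time comparison against the server-side value."""
    expected = SESSIONS.get(session_id, {}).pop("captcha", None)  # pop: one attempt per challenge
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), (submitted or "").encode())


def open_db():
    """In-memory SQLite table standing in for the portal's documents table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)")
    return conn


def save_document_unsafe(conn, owner, name):
    """The pattern to remove: the document name is spliced into the SQL text."""
    conn.execute("INSERT INTO documents (owner, name) VALUES ('%s', '%s')" % (owner, name))
    conn.commit()


def save_document(conn, owner, name):
    """Hardened handler: validate the name, then bind it so it is data, never SQL."""
    if not 1 <= len(name) <= 120 or any(ch in name for ch in "\x00\r\n"):
        raise ValueError("invalid document name")
    # The application's DB account should only need row-level rights on this table, e.g.
    # (MySQL, assumed example): GRANT SELECT, INSERT, UPDATE ON portal.documents TO 'portal_app'@'localhost';
    conn.execute("INSERT INTO documents (owner, name) VALUES (?, ?)", (owner, name))
    conn.commit()
    return [row[0] for row in conn.execute(
        "SELECT name FROM documents WHERE owner = ?", (owner,))]


def unsafe_handler_breaks_on(conn, owner, name):
    """True if the concatenating handler cannot even store this benign name correctly."""
    try:
        save_document_unsafe(conn, owner, name)
    except Exception:
        return True
    return False


if __name__ == "__main__":
    db = open_db()
    sid = "session-demo"  # would be a random cookie value
    answer = issue_captcha(sid)
    print("captcha ok:", check_captcha(sid, answer))
    print("stored:", save_document(db, "alice", "O'Brien report"))
    print("unsafe handler fails on the same name:", unsafe_handler_breaks_on(db, "alice", "O'Brien report"))
```

The benign name `O'Brien report` is enough to show the difference: the bound query stores it verbatim, while the concatenating version turns the apostrophe into SQL syntax and fails, which is exactly the property an attacker would exploit with a crafted value.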
5. Actions for MSPs and hosting providers
- Assess whether compromised cPanel/WHM panels could have given attackers access to customer resources; if suspicious activity is found, notify customers and assist with their internal investigation.
- Segment management infrastructure and customer environments so that a panel compromise has minimal impact on the rest of the network.
- Reevaluate the trust model for staff credentials with privileged access to cPanel/WHM, considering the Valid Accounts (T1078) technique.
The main takeaway: CVE-2026-41940 in cPanel/WHM has already moved from being a “new vulnerability” to an actively exploited issue in both criminal and targeted operations. Organizations exposing cPanel to the internet must not only apply updates immediately but also conduct a retrospective investigation focusing on the period from 30 April 2026, checking for signs of panel exploitation as well as the presence of tunnels (OpenVPN, Ligolo) and system-level persistence via systemd on compromised servers.