Security Alert: CVE-2026-41940 turns cPanel / WHM into an intrusion vector against governments and MSPs

Published · 5 min read

On May 2, 2026, researchers at Ctrl-Alt-Intel detected an active campaign exploiting a critical vulnerability in cPanel / WHM, tracked as CVE-2026-41940, to bypass authentication and take control of hosting management panels. According to the report, the offensive activity originated from the IP address 95.11.250.175 and targeted major government and military domains in South-East Asia, including domains associated with the Philippines (*.mil.ph, *.ph) and Laos (*.gov.la), as well as a small group of managed service providers (MSPs) and hosting providers in the Philippines, Laos, Canada, South Africa and the United States.

The campaign was not limited to the public PoC for CVE-2026-41940: Ctrl-Alt-Intel documented an earlier attack on a defence-sector training portal in Indonesia in which the adversary already held valid credentials and used a custom chain of authenticated SQL injection and remote code execution. That chain included a CAPTCHA bypass (the expected value could be read from the session cookie) and SQL injection in the parameter used to save a document's name, which allowed escalation to remote code execution on the target application.
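The two application weaknesses described above are common enough to be worth seeing side by side with their fixes. The block below is an added example written for this article; it is not cPanel / WHM code nor code from the targeted portal, and the function names, cookie names and table layout are assumptions made for the illustration. The first half reproduces a CAPTCHA whose answer travels to the client in a cookie (so the client can read it back) next to a server-side, single-use challenge; the second half reproduces a document-name parameter concatenated into SQL, where a UNION payload reads the users table, next to a parameterised query.

```python
"""Added example (not cPanel/WHM code, nor the targeted portal's code):
a toy re-creation of the two web-application weaknesses the report
describes, each beside a hardened form. Function names, cookie names and
the table layout are assumptions made for the example."""
import hmac
import secrets
import sqlite3


# ---- CAPTCHA: expected answer readable from the client's cookie --------

def issue_captcha_vulnerable():
    """Weak pattern: the answer the server will later check is sent to the
    client in a cookie, so the client can simply read it back."""
    answer = f"{secrets.randbelow(10000):04d}"
    return {"captcha_expected": answer}   # cookie jar as seen by the client


def verify_captcha_vulnerable(cookies, submitted):
    return hmac.compare_digest(cookies.get("captcha_expected", ""), submitted)


def bypass_captcha(cookies):
    """What the attacker does: read the expected value and submit it."""
    return cookies["captcha_expected"]


CHALLENGES = {}   # server-side store: challenge id -> expected answer


def issue_captcha_hardened():
    """The client only receives an opaque, single-use challenge id; the
    answer itself never leaves the server."""
    answer = f"{secrets.randbelow(10000):04d}"
    challenge_id = secrets.token_urlsafe(16)
    CHALLENGES[challenge_id] = answer
    return {"captcha_id": challenge_id}


def verify_captcha_hardened(cookies, submitted):
    # pop() makes the challenge single use: a replayed id fails.
    expected = CHALLENGES.pop(cookies.get("captcha_id", ""), None)
    return expected is not None and hmac.compare_digest(expected, submitted)


# ---- SQL injection in the document-name parameter ----------------------

def make_db():
    """In-memory SQLite with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-hash')")
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.execute("INSERT INTO documents (name, owner) VALUES ('quarterly-report', 'alice')")
    return conn


def find_document_vulnerable(conn, name):
    # The user-supplied name is formatted straight into the statement.
    sql = f"SELECT id, name, owner FROM documents WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_document_hardened(conn, name):
    # Bound parameter: the name can never change the SQL structure.
    return conn.execute(
        "SELECT id, name, owner FROM documents WHERE name = ?", (name,)
    ).fetchall()


# A UNION-based payload delivered through the document-name parameter.
INJECTED_NAME = "x' UNION SELECT 1, username, password_hash FROM users -- "


if __name__ == "__main__":
    jar = issue_captcha_vulnerable()
    print("CAPTCHA bypassed:", verify_captcha_vulnerable(jar, bypass_captcha(jar)))
    conn = make_db()
    print("vulnerable lookup:", find_document_vulnerable(conn, INJECTED_NAME))
    print("hardened lookup:  ", find_document_hardened(conn, INJECTED_NAME))
```

Run stand-alone, the vulnerable lookup returns the admin row from the users table while the hardened lookup returns nothing for the same input. The same two fixes apply to any web stack: keep anything the server will later verify out of client-readable state, and never let user input reach the SQL text unbound.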


The engagement chain also reveals a sophisticated operating pattern: the attackers deployed the AdaptixC2 command-and-control framework and tools such as OpenVPN and Ligolo to maintain persistent access and pivot into internal networks, and established persistence at the system level. In at least one case they exfiltrated a significant volume of documentation from the Chinese railway sector, which underlines the intelligence-collection nature of the campaign.

The speed with which these flaws have been exploited is particularly concerning. Censys reported that multiple third parties began weaponizing the vulnerability less than 24 hours after its public disclosure, with deployments linked to Mirai botnet variants and a ransomware strain called Sorry. Shadowserver, for its part, reported that as many as 44,000 IP addresses compromised via CVE-2026-41940 performed scans and brute-force attacks against honeypots on 30 April 2026, a figure that fell to 3,540 by 3 May, suggesting an initial mass wave followed by partial containment or a change of tactics.

The implications are multiple and serious. First, MSPs and hosting providers become amplification vectors: control of a single cPanel / WHM panel can grant access to tens or hundreds of customer accounts, turning one vulnerability into a supply-chain risk. Second, the combination of techniques (stolen or reused credentials, cookie-based CAPTCHA bypass, public exploits and custom chains) points to actors able to mix public toolkits with tailor-made development, which complicates attribution and accelerates the spread of the exploit. Finally, early exploitation by different actors indicates that the vulnerability is becoming a commodity: low- and high-sophistication attackers are using it for different purposes, from botnets to exfiltration and ransomware.

For security teams and system administrators the urgent actions are clear: first, immediately apply the official cPanel / WHM patches and updates and verify that the deployed versions no longer contain the reported bypass path (checking the installed version on each host, for example with `/usr/local/cpanel/cpanel -V`, against the fixed versions listed in the vendor bulletin). If patching immediately is not possible, restrict access to WHM with firewall rules (allowing only specific administrative IP addresses), disable unnecessary remote access and move management ports off the public Internet; these are stopgaps that reduce exposure but do not remove the flaw. In addition, rotate administrative credentials and force their rotation, enable multi-factor authentication (MFA) on the panels and connected systems, and audit SSH keys and certificates.


For detection and response, priority should go to hunting for the associated indicators: review web logs for attempts against the document-saving endpoint and for suspicious SQL strings, sessions that bypass the CAPTCHA by reading it from the cookie, the presence of webshells, new systemd units created by external actors, OpenVPN tunnels or Ligolo connections, and traffic to or from 95.11.250.175 or other suspicious hosts. Organizations should deploy behavioural detection (EDR / NDR), search for IoCs in backups and isolated systems, and rotate credentials and certificates if there are signs of compromise. If anomalous activity is identified, isolating the affected system and activating the incident response plan with evidence preservation is critical.
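As an added example of the log review described above (written for this article, not a tool from the report or from cPanel), the script below parses combined-format access log lines and flags three of the listed indicators: requests from the IP named in the report, URL-decoded query strings carrying SQL-injection patterns, and writes to the document-saving endpoint. The endpoint path `/documents/save` and all log lines are constructed for the example; the real endpoint name is not given in the report, so substitute it. Note that parameters sent in a POST body do not appear in a standard access log, so the injection in the sample is placed in the query string; in practice, request-body logging or WAF logs are needed to see body-borne payloads.

```python
"""Added example: triage of web-server access log lines for the indicators
the report lists. The log lines and the endpoint path are constructed for
the example; 95.11.250.175 is the address named in the report.
This is not cPanel/WHM code."""
import re
from urllib.parse import unquote_plus

IOC_IPS = {"95.11.250.175"}                 # from the report
WATCHED_PATHS = ("/documents/save",)       # hypothetical endpoint name
SQLI_PATTERNS = re.compile(
    r"(?i)(\bunion\b\s+(all\s+)?select\b|'\s*or\s+'?\d|--\s|/\*"
    r"|\bsleep\(|\bbenchmark\(|;\s*drop\b)"
)
# Combined log format: ip ident user [ts] "method url proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def analyse_line(line):
    """Return a finding dict for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, url = m["ip"], m["url"]
    path, _, query = url.partition("?")
    decoded = unquote_plus(query)          # %27 -> ', + -> space, etc.
    reasons = []
    if ip in IOC_IPS:
        reasons.append("ioc_ip")
    if SQLI_PATTERNS.search(decoded):
        reasons.append("sqli_pattern")
    if m["method"] == "POST" and path in WATCHED_PATHS:
        reasons.append("document_save_endpoint")   # review every write here
    if not reasons:
        return None
    return {"ip": ip, "ts": m["ts"], "path": path,
            "status": m["status"], "reasons": reasons}


def scan_access_log(lines):
    return [hit for hit in (analyse_line(l) for l in lines) if hit]


# Constructed sample lines (RFC 5737 test addresses plus the reported IP).
SAMPLE_LOG = """\
203.0.113.7 - - [02/May/2026:10:01:03 +0000] "GET /index.html HTTP/1.1" 200 512
95.11.250.175 - - [02/May/2026:10:02:17 +0000] "GET /login HTTP/1.1" 200 1040
198.51.100.4 - - [02/May/2026:10:03:44 +0000] "POST /documents/save?name=x%27+UNION+SELECT+1%2Cusername%2Cpassword_hash+FROM+users--+ HTTP/1.1" 200 77
198.51.100.4 - - [02/May/2026:10:03:50 +0000] "POST /documents/save?name=quarterly-report HTTP/1.1" 200 77
""".splitlines()


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["path"], ",".join(hit["reasons"]))
```

On the sample the scanner reports the IoC address, the UNION-based injection against the save endpoint, and the benign-looking write to the same endpoint (so it can be reviewed in context). Decoding the query before matching matters: the same payload URL-encoded would otherwise slip past the SQL pattern.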

MSPs and hosting providers, for their part, must implement additional controls: strict segmentation between customer accounts, monitoring of changes to account configuration, blocking of unauthorized scripts in document-management areas and periodic forensic scans. It is also advisable to share indicators with communities and organizations such as Shadowserver to benefit from their scanning and correlation data, and to consult trend analyses on platforms such as Censys to track weaponization activity across the Internet. The vendor's official notices and bulletins (e.g. cPanel release notes) should be monitored continuously to apply the manufacturer-recommended mitigations published on its news and security channels.

In short, the combination of a critical vulnerability in hosting-management software, a focus on government and MSP targets, and the speed with which the exploit has become a third-party tool creates a high-risk scenario. The response must be both technical and operational: immediate patching and hardening, active hunting for indicators of compromise, isolation of affected machines, notification of relevant customers and authorities, and strengthening of controls at the provider level so that a single point of failure does not result in cascading compromises.
