securityaffairs.com 5/4/2026, 8:12:08 PM · via preferred

cPanel auth bypass exploited in Asian gov, MSP attacks

cPanel auth bypass exploited in Asian gov, MSP attacks
Developing story vulnerability 8 articles tracked
Critical cPanel authentication bypass (CVE-2026-41940) exploited worldwide
CyberSIXT Evidence Panel
Primary Source labs.watchtowr.com
CISA KEV Listed in KEV
Patch Patch Available

ATTACKERS are exploiting a critical cPanel authentication bypass flaw, CVE-2026-41940, to target government and military organisations in Southeast Asia, along with MSPs and hosting providers in the Philippines, Laos, Canada, South Africa, and the United States. Cybersecurity experts at watchTowr first disclosed the flaw and released a tool to help defenders identify vulnerable hosts, with the advisory noting that in-the-wild exploitation has already begun, according to watchTowr.

Shadowserver Foundation says thousands of exposed instances may exist. On 2 May 2026, researchers at Ctrl-Alt-Intel detected attacks using public PoCs to target government and MSP networks, with activity linked to the IP 95.111.250[.]175 and aimed at government and military domains in the Philippines and Laos.

The operation involved an Indonesian defence training portal attack using a custom exploit chain, SQL injection, and remote code execution, and was accompanied by C2 activity with AdaptixC2 and a PowerShell reverse shell, plus persistence via OpenVPN and Ligolo. Ctrl-Alt-Intel noted that attribution to a specific actor or country has not been made.

View Primary Source Via securityaffairs.com

Article by CyberSIXT

Timeline Coverage

Swipe to explore timeline