Attackers are exploiting a critical cPanel authentication bypass flaw, CVE-2026-41940, to target government and military organisations in Southeast Asia, along with MSPs and hosting providers in the Philippines, Laos, Canada, South Africa, and the United States. Cybersecurity experts at watchTowr first disclosed the flaw and released a tool to help defenders identify vulnerable hosts; their advisory notes that in-the-wild exploitation has already begun.
Shadowserver Foundation says thousands of exposed instances may exist. On 2 May 2026, researchers at Ctrl-Alt-Intel detected attacks using public PoCs to target government and MSP networks, with activity linked to the IP 95.111.250[.]175 and aimed at government and military domains in the Philippines and Laos.
The operation involved an attack on an Indonesian defence training portal that used a custom exploit chain, SQL injection, and remote code execution. It was accompanied by C2 activity using AdaptixC2 and a PowerShell reverse shell, with persistence via OpenVPN and Ligolo. Ctrl-Alt-Intel noted that attribution to a specific actor or country has not been made.