Hackers target governments and MSPs via critical cPanel flaw CVE-2026-41940
Publish Date: 2026-05-04 15:13:00
Source Domain: securityaffairs.com
Pierluigi Paganini
May 04, 2026

Attackers exploit a critical cPanel flaw to target government and MSP networks across Southeast Asia and several other countries, including the U.S. and Canada.
A threat actor is exploiting critical cPanel vulnerability CVE-2026-41940 to target government and military organizations in Southeast Asia, along with MSPs and hosting providers in countries like the Philippines, Laos, Canada, South Africa, and the U.S. The attacks highlight the rapid weaponization of newly disclosed flaws.
cPanel is a widely used web hosting control panel that lets users manage websites and servers through a graphical interface instead of command-line tools.
CVE-2026-41940 is an authentication bypass flaw affecting cPanel and WHM versions after 11.40. A weakness in the login flow allows remote attackers to skip or manipulate authentication checks, granting access to the control panel without valid credentials. This could let attackers manage hosting settings, access sensitive data, or take control of the server.
Cybersecurity experts at watchTowr first disclosed the flaw last week and released a tool to help defenders identify vulnerable hosts in their estates.
“As we stated above, in-the-wild exploitation has already begun, according to KnownHost,” reads the advisory by watchTowr. “Therefore, we’re releasing our Detection Artifact Generator to enable defenders to identify vulnerable hosts in their estates.”
According to the Shadowserver Foundation, thousands of instances may be exposed.
On May 2, 2026, researchers at Ctrl-Alt-Intel detected attacks exploiting CVE-2026-41940. The activity, linked to the IP address 95.111.250[.]175, targeted government and military domains in the Philippines and Laos, along with MSPs and hosting providers, using public PoCs…