{"id":238878,"date":"2026-05-04T05:27:00","date_gmt":"2026-05-04T09:27:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/04\/critical-cpanel-vulnerability-weaponized-to-target-government-and-msp-networks\/"},"modified":"2026-05-04T07:50:07","modified_gmt":"2026-05-04T11:50:07","slug":"critical-cpanel-vulnerability-weaponized-to-target-government-and-msp-networks","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/04\/critical-cpanel-vulnerability-weaponized-to-target-government-and-msp-networks\/","title":{"rendered":"Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks"},"content":{"rendered":"

Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks<\/a><\/p>\n

https:\/\/thehackernews.com\/2026\/05\/critical-cpanel-vulnerability.html<\/a><\/p>\n

Publish Date: 2026-05-04 05:27:00<\/a><\/p>\n

Source Domain: thehackernews.com<\/a><\/p>\n

\ue804Ravie Lakshmanan<\/span>\ue802May 04, 2026<\/span><\/span>Vulnerability \/ Network Security<\/span><\/p>\n

A previously unknown threat actor has been observed targeting government and military entities in Southeast Asia, alongside a smaller cluster of managed service providers (MSPs) and hosting providers in the Philippines, Laos, Canada, South Africa, and the U.S., by exploiting the recently disclosed vulnerability in cPanel.<\/p>\n

The activity, detected by Ctrl-Alt-Intel on May 2, 2026, involves the abuse of CVE-2026-41940, a critical vulnerability in cPanel and WebHost Manager (WHM) that could result in an authentication bypass and allow remote attackers to gain elevated control of the control panel.<\/p>\n

The attack efforts have originated from the IP address “95.111.250[.]175,” primarily singling out government and military domains associated with the Philippines (*.mil.ph and (*.ph)) and Laos (*.gov.la), as well as MSPs and hosting providers, using publicly-available\u00a0proof-of-concepts (PoCs).<\/p>\n

In addition, Ctrl-Alt-Intel revealed that the threat actor used a separate custom exploit chain for an Indonesian defense sector training portal prior to the cPanel attacks, employing a combination of authenticated SQL injection and remote code execution. In this case, the attacker is said to have already been in possession of valid credentials to the portal in question.<\/p>\n

“The script uses hard-coded credentials and defeats the portal’s CAPTCHA by reading the expected CAPTCHA value out of the server-issued session cookie rather than solving the challenge normally,” Ctrl-Alt-Intel said.<\/p>\n

“Once authenticated and passing the CAPTCHA, the actor moves to a document-management function. The vulnerable parameter is the field used to save a document name, and the script injects SQL into that field when posting to the document-save endpoint.”<\/p>\n

\"\"<\/p>\n

Further analysis has determined that the threat actor is using the AdaptixC2 command-and-control (C2) framework to remotely commandeer the compromised endpoint. Also used are tools like…<\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks https:\/\/thehackernews.com\/2026\/05\/critical-cpanel-vulnerability.html Publish Date: 2026-05-04 05:27:00…<\/p>\n","protected":false},"author":1,"featured_media":238879,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhlgjtQddA9U3D-xf2UWj5GKV2R5tEwjqWWY9fwRQi_fZgG5tf140uw2P4oVfmcvPZcMYuFDo1mvqYKkgKSmgfBxVloaWTrN7vgPiH1FX8ivdh8PFBN9LvfJF13a0ajbXDLEV20pr9d2rSoQo4KWbDYSpSOFJYoPYDHizXQ3tYNGVhhysD8h3FWWpOkHytN\/s1600\/ccc.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[31,29,34,27],"class_list":["post-238878","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-exploit","tag-network-security","tag-threat-actor","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/238878"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=238878"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/238878\/revisions"}],"predecessor-version":[{"id":238880,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/238878\/revisions\/238880"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/238879"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=238878"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=238878"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=238878"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}