Hackers Used Critical cPanel Flaw in Campaign Targeting Government and Military Servers
Security researchers have linked the recently patched cPanel and WHM vulnerability CVE-2026-41940 to a broader campaign targeting government and military infrastructure in Southeast Asia.
The campaign reportedly combined fast exploitation of the cPanel authentication bypass with custom tools, persistence mechanisms, and data theft from systems tied to regional defense and transport-sector information.
Ctrl-Alt-Intel said the operation also led to the theft of about 4.37GB of documents from the China Railway Society Electrification Committee. The researchers stopped short of naming a specific threat actor.
What makes this campaign important
CVE-2026-41940 is a critical cPanel and WHM authentication bypass flaw. It affects cPanel software, including DNSOnly, in versions after 11.40.
Successful exploitation can give an unauthenticated attacker unauthorized administrative access to the affected control panel. That can expose websites, databases, mailboxes, credentials, and server configuration data.
cPanel issued emergency patches on April 28, 2026. CISA later added the vulnerability to its Known Exploited Vulnerabilities catalog, which confirms exploitation in the wild.
At a glance
| Detail | Information |
|---|---|
| CVE | CVE-2026-41940 |
| Affected products | cPanel and WHM, DNSOnly, and WP Squared |
| Severity | Critical, CVSS 9.8 |
| Main issue | Authentication bypass in the login flow |
| Campaign target | Southeast Asian government and military infrastructure |
| Reported data theft | About 4.37GB of Chinese railway-related documents |
| Attribution | No firm public attribution |
Researchers say cPanel was only one part of the operation
The cPanel flaw appears to have served as an initial foothold in the campaign. After gaining access, the attacker reportedly used custom tooling to move deeper into compromised infrastructure.
Ctrl-Alt-Intel said it recovered evidence of a custom exploit chain against an Indonesian defense-sector training portal. The actor allegedly used credentials that were already valid and then abused weaknesses in the portal to reach deeper system access.
The researchers also found signs of database-layer abuse, command execution, and file-based exfiltration techniques. These details suggest a more deliberate intelligence-gathering operation, rather than a simple mass-scanning campaign.
Persistence and pivoting tools were also recovered
The attacker reportedly used multiple tools to keep access and move through the environment. Researchers identified OpenVPN, Ligolo, an AdaptixC2 payload, and a PowerShell reverse shell connected to the same infrastructure.
One persistence mechanism was disguised as a systemd service named systemd-update.service. Another hidden Linux payload path appeared under a directory designed to look like a monitoring component.
This layered setup matters because it gives attackers backup access routes. Even if one connection gets blocked, another tunnel or service may still let the actor re-enter the environment.
The stolen files reportedly included sensitive personal data
Ctrl-Alt-Intel said the attacker exfiltrated 110 files totaling about 4.37GB. The files reportedly included PowerPoint, PDF, Word, and Excel documents dated between 2020 and 2024.
Some of the most sensitive materials were described as 2021 financial workbooks. According to the research, those files contained full names, PRC national ID numbers, bank account details, and phone numbers.

The combination of defense-sector access and Chinese transport-related data suggests an intelligence collection motive. However, researchers warned that language clues in recovered scripts are not enough to determine who was behind the operation.
Indicators reported by researchers
| Indicator | Type | Context |
|---|---|---|
| 95.111.250[.]175 | IP address | Reported VPS used for VPN, reverse shell, and pivot activity |
| delicate-dew.serveftp[.]com | Domain | Reported command-and-control domain |
| systemd-update.service | File or service name | Reported Linux persistence service name |
| /usr/local/bin/.netmon/ | File path | Reported hidden directory for a reverse-connect payload |
| init.ps1 | File name | Reported PowerShell reverse shell payload |
| exfil_docs_v2.sh | File name | Reported document exfiltration script |
Why cPanel servers remain attractive targets
cPanel and WHM are widely used by hosting providers, agencies, resellers, and website operators. A single WHM compromise can expose many websites hosted on the same server.
That creates a large blast radius. Attackers who gain control can access site files, databases, mail accounts, customer data, backups, and administrative functions.
Rapid7 warned that successful exploitation can give attackers control over the cPanel host system and the websites it manages. The company also noted that roughly 1.5 million internet-facing cPanel instances appeared in a broad exposure query.
Fixed versions administrators should install
| Product branch | Fixed version |
|---|---|
| cPanel and WHM 11.86 | 11.86.0.41 |
| cPanel and WHM 11.110 | 11.110.0.97 |
| cPanel and WHM 11.118 | 11.118.0.63 |
| cPanel and WHM 11.124 | 11.124.0.35 |
| cPanel and WHM 11.126 | 11.126.0.54 |
| cPanel and WHM 11.130 | 11.130.0.19 |
| cPanel and WHM 11.132 | 11.132.0.29 |
| cPanel and WHM 11.134 | 11.134.0.20 |
| cPanel and WHM 11.136 | 11.136.0.5 |
| WP Squared | 136.1.7 |
What administrators should do now
- Update all exposed cPanel and WHM instances to a fixed version immediately.
- Verify the running cPanel build after patching.
- Restart cPanel services after the update if required by vendor guidance.
- Review WHM and cPanel logs for unusual login, session, and administrative activity.
- Search for unknown services, hidden directories, VPN tools, and unexpected reverse-connect binaries.
- Audit PostgreSQL and database logs for suspicious command execution or unusual file-read activity.
- Rotate administrative credentials, API tokens, SSH keys, and database passwords if compromise is suspected.
- Import reported indicators into SIEM, EDR, and threat intelligence platforms.
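As an added example (not code from the article, Ctrl-Alt-Intel or cPanel), the POSIX shell functions below apply the first two steps and part of the artefact hunt: they compare a running build against the fixed-version table above and look for the persistence artefacts named in the indicator table. The cPanel version file location and the systemd unit-file directory are assumptions.

```shell
#!/bin/sh
# Added example, not code from the article, Ctrl-Alt-Intel or cPanel: compare the
# running build with the article's fixed-version table, then look for the
# reported persistence artefacts. Assumed paths are marked below.
# On a host (version file location assumed), source this file and run:
#   is_patched "$(cat /usr/local/cpanel/version)" || echo "patch now"; find_artifacts /

# Lowest fixed build per release branch (second field of the version).
fixed_for_branch() {
  case "$1" in
    86)  echo 11.86.0.41  ;;  110) echo 11.110.0.97 ;;
    118) echo 11.118.0.63 ;;  124) echo 11.124.0.35 ;;
    126) echo 11.126.0.54 ;;  130) echo 11.130.0.19 ;;
    132) echo 11.132.0.29 ;;  134) echo 11.134.0.20 ;;
    136) echo 11.136.0.5  ;;  *)   echo ""          ;;
  esac
}

# Numeric field-by-field compare of dotted versions; prints -1, 0 or 1
# (string compare would wrongly rank 11.136.0.12 below 11.136.0.5).
vercmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "$a" = "$x" ] && a="" || a=${a#*.}
    [ "$b" = "$y" ] && b="" || b=${b#*.}
    [ "${x:-0}" -lt "${y:-0}" ] && { printf '%s\n' -1; return; }
    [ "${x:-0}" -gt "${y:-0}" ] && { printf '%s\n' 1; return; }
  done
  printf '%s\n' 0
}

# Succeeds only if build $1 is at or above its branch's fixed build; a branch
# missing from the table is treated as unpatched so that it gets reviewed.
is_patched() {
  branch=${1#*.}; branch=${branch%%.*}
  fixed=$(fixed_for_branch "$branch")
  [ -n "$fixed" ] && [ "$(vercmp "$1" "$fixed")" -ge 0 ]
}

# Prints how many reported artefacts exist under root $1 and lists hits on
# stderr. Unit-file directory is assumed; the .netmon path is from the IoC table.
find_artifacts() {
  root=${1%/}; n=0
  for p in /etc/systemd/system/systemd-update.service /usr/local/bin/.netmon; do
    [ -e "$root$p" ] && { echo "FOUND: $root$p" >&2; n=$((n + 1)); }
  done
  echo "$n"
}
```

A hit from find_artifacts is a reason for forensic review, not proof of compromise on its own; an absence of hits says nothing about renamed or relocated copies.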
Broader risk goes beyond one vulnerability
This campaign shows how attackers can turn a widely exposed server flaw into a larger intelligence operation. The cPanel bug may open the door, but the real damage comes from persistence, pivoting, and data theft after initial access.
Organizations in government, defense, transport, and critical infrastructure should treat this as more than a hosting control panel issue. Exposed management services can become a bridge into sensitive networks.
The safest response is to patch quickly, assume exposed systems may need forensic review, and look for post-exploitation activity rather than stopping at version checks.
FAQ
What is CVE-2026-41940?
CVE-2026-41940 is a critical authentication bypass vulnerability affecting cPanel and WHM, DNSOnly, and WP Squared. It can allow unauthenticated remote attackers to gain unauthorized administrative access.
Is CVE-2026-41940 being exploited in the wild?
Yes. CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog, and multiple security reports say exploitation began before public disclosure.
What did the researchers find?
Ctrl-Alt-Intel reported a campaign targeting Southeast Asian government and military infrastructure, custom exploit tooling, layered persistence, and the theft of about 4.37GB of Chinese railway-related documents.
Who is behind the campaign?
No firm public attribution has been made. Researchers noted some language clues in recovered files, but they cautioned that these are not enough to identify the actor.