A new cyber threat has emerged, targeting government and military organizations in Southeast Asia, as well as managed service and hosting providers in several countries including the Philippines, Laos, Canada, South Africa, and the United States. The attack leverages a critical vulnerability in cPanel and WebHost Manager, identified as CVE-2026-41940, which allows remote attackers to bypass authentication and gain control over the control panel. This activity was first detected by Ctrl-Alt-Intel on May 2, 2026.

The attacks have been traced back to the IP address 95.111.250.175, focusing on domains linked to the Philippines and Laos. The attackers have utilized publicly available proof-of-concept codes to breach these networks. In a related incident, the same threat actor is reported to have used a custom exploit chain against a defense training portal in Indonesia, employing techniques such as authenticated SQL injection and remote code execution.

The attackers have implemented the AdaptixC2 command-and-control framework to manage the compromised systems. Additionally, tools like OpenVPN and Ligolo have been used to maintain persistent access and extract sensitive documents related to the Chinese railway sector. While the identity of the attackers remains unknown, Censys has reported that the cPanel vulnerability was weaponized by multiple parties within a day of its disclosure, with some deploying Mirai botnet variants and a ransomware strain named Sorry.

Data from the Shadowserver Foundation indicates that as many as 44,000 IP addresses were compromised, participating in scanning and brute-force attacks just days prior to the detection. This number has since decreased to 3,540 as of May 3, 2026. In response, cPanel has released an updated detection script to address false positives and urges users to apply the necessary patches promptly to secure their systems and clean up any indicators of compromise.