Vulnerabilities May 4, 2026 · 4 min read · By Forum Desk

Critical cPanel Auth Bypass CVE-2026-41940 Hits Asia-Pacific Governments and MSPs Within 24 Hours of Disclosure

A critical authentication-bypass in cPanel and WHM was weaponized within a day of public disclosure, with multiple operators using AdaptixC2, Mirai variants, and Sorry ransomware against government targets in Southeast Asia and managed service providers across five countries.

  • #cve
  • #cpanel
  • #supply-chain
  • #msp

A previously unknown threat actor exploited a critical cPanel and WebHost Manager authentication-bypass flaw to breach government and military entities in Southeast Asia and managed service providers across the Philippines, Laos, Canada, South Africa, and the United States, per reporting by The Hacker News on May 4, 2026. The bug, tracked as CVE-2026-41940, was weaponized by multiple operators inside 24 hours of public disclosure — a now-routine timeline that compresses the federal-style “patch in two weeks” assumption down to next-business-day.

What the bug does and how it was used

CVE-2026-41940 is an authentication bypass in cPanel and WHM that hands a remote attacker elevated control of the hosting control panel. Once on the panel, the operator owns the underlying tenant: every site, mailbox, FTP user, and database that panel administers. The first observed campaign, surfaced by research outfit Ctrl-Alt-Intel on May 2, 2026, originated from 95.111.250[.]175 and combined the public proof-of-concept with custom tooling, including a CAPTCHA bypass and a SQL-injection chain against an Indonesian defense training portal that used hard-coded credentials, according to Ctrl-Alt-Intel’s account as relayed in The Hacker News reporting.

Post-exploitation activity is notable for its breadth rather than its sophistication. The first cluster of operators dropped AdaptixC2 — a still-young command-and-control framework — and tunnelled persistence over OpenVPN and Ligolo. Other operators piled on within hours, deploying Mirai botnet variants and Sorry ransomware against panels they had already broken. This is the now-familiar pattern of a single critical bug becoming shared infrastructure for half a dozen unrelated crews.

The scanner numbers tell the story

Shadowserver Foundation telemetry, cited in the same reporting, gives the cleanest picture of how widely the bug got picked up. As of April 30, roughly 44,000 IP addresses showed scanning or brute-force activity consistent with CVE-2026-41940 exploitation. Three days later, on May 3, the figure had dropped to 3,540 — which is exactly what you would expect once the easy panels were cleaned out and operators moved to second-stage activity on the boxes they had already taken.

Censys, also cited by The Hacker News, observed multiple unrelated third parties weaponizing the vulnerability inside that 24-hour window. The lesson for defenders watching exposure-management dashboards is that “first scan seen” and “first exploitation seen” are now the same number for any cPanel-class flaw.

What this means

For the wider hosting and MSP universe, the CVE-2026-41940 timeline closes off any patch cadence that assumes a multi-day window between disclosure and live attack. Two practical moves: pull cPanel and WHM into the same critical-asset inventory bucket as edge VPN and email gateways, and treat AdaptixC2, OpenVPN, and Ligolo IOCs as standing detections on hosting platforms rather than incident-specific hunts. For government tenants in Asia-Pacific, the pivot is sharper — defenders should assume any unpatched panel between April 30 and May 3 is already compromised and triage from there rather than from clean-state.
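As an added illustration of the two moves above (this is example code written for this page, not tooling from cPanel, Ctrl-Alt-Intel, or The Hacker News), the script below does two things a hosting defender would actually run: it classifies each panel in an inventory against the April 30 to May 3 window, treating anything not patched before the window opened as "assume compromised", and it sweeps access-log lines for the source address reported for the first campaign and for login-endpoint traffic inside the window. The log lines are constructed, the combined-log layout and the `/login/` path are assumptions about how a cPanel access log would be normalised, and the window is taken as UTC because the article gives dates only.

```python
"""Triage helper for the CVE-2026-41940 exploitation window.

Added example, not part of the original article. Assumptions: the window
dates are read as UTC, log lines follow a combined-log-style layout, and the
panel login endpoint lives under /login/.
"""
from datetime import datetime, timezone
import re

# Exploitation window the article describes (UTC assumed).
WINDOW_START = datetime(2026, 4, 30, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 3, 23, 59, 59, tzinfo=timezone.utc)

# Source address Ctrl-Alt-Intel reported for the first campaign, refanged for matching.
IOC_IPS = {"95.111.250.175"}

# Combined-log-style line: client IP, two ident/user fields, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines (not captured traffic): one from the IoC address,
# one login hit inside the window, one login hit before the window, one
# non-login request inside the window.
SAMPLE_LOG = [
    '95.111.250.175 - - [01/May/2026:03:12:44 +0000] "POST /login/?login_only=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [02/May/2026:11:05:01 +0000] "GET /login/ HTTP/1.1" 200 2048',
    '203.0.113.9 - - [20/Apr/2026:09:00:00 +0000] "GET /login/ HTTP/1.1" 200 2048',
    '198.51.100.4 - - [02/May/2026:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 9000',
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    entry["status"] = int(entry["status"])
    return entry


def host_triage(hostname, patched_at):
    """Classify a panel. patched_at is an aware datetime or None (never patched).

    Only a fix applied before the window opened counts as clean; everything
    else starts from the article's 'already compromised' assumption.
    """
    if patched_at is not None and patched_at < WINDOW_START:
        return (hostname, "patched-before-window")
    return (hostname, "assume-compromised")


def log_hits(lines):
    """Return (ip, reason, path) for lines from an IoC address, or for
    login-endpoint requests from any address inside the window."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        in_window = WINDOW_START <= entry["ts"] <= WINDOW_END
        if entry["ip"] in IOC_IPS:
            hits.append((entry["ip"], "ioc-address", entry["path"]))
        elif in_window and entry["path"].startswith("/login"):
            hits.append((entry["ip"], "login-in-window", entry["path"]))
    return hits


if __name__ == "__main__":
    # Constructed inventory: patched early, never patched, patched mid-window.
    inventory = [
        ("panel-a.example", datetime(2026, 4, 28, tzinfo=timezone.utc)),
        ("panel-b.example", None),
        ("panel-c.example", datetime(2026, 5, 1, tzinfo=timezone.utc)),
    ]
    for host, patched in inventory:
        print(host_triage(host, patched))
    for hit in log_hits(SAMPLE_LOG):
        print(hit)
```

The login-endpoint rule is deliberately broad: inside the window the article argues there is no useful distinction between "scanned" and "exploited", so a triage pass should surface every authentication attempt for review rather than try to separate the two from the access log alone.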