Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks
"The activity, detected by Ctrl-Alt-Intel on May 2, 2026, involves the abuse of CVE-2026-41940, a critical vulnerability in cPanel and WebHost Manager (WHM) that could result in an authentication bypass and allow remote attackers to gain elevated control of the control panel."
"The script uses hard-coded credentials and defeats the portal's CAPTCHA by reading the expected CAPTCHA value out of the server-issued session cookie rather than solving the challenge normally."
"Once authenticated and passing the CAPTCHA, the actor moves to a document-management function. The vulnerable parameter is the field used to save a document name, and the script injects SQL into that field when posting to the document-save endpoint."
A previously unknown threat actor has been observed targeting government and military entities in Southeast Asia, as well as managed service providers in several countries. The attacks exploit CVE-2026-41940, a critical authentication-bypass vulnerability in cPanel and WHM that lets remote attackers gain elevated control of the control panel. The same actor also used a custom exploit chain against an Indonesian defense sector training portal, combining a CAPTCHA bypass and SQL injection with remote code execution. The AdapdixC2 framework handles command-and-control, and tools such as OpenVPN and Ligolo are used for persistence and tunnelling.
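The two portal weaknesses quoted above, a CAPTCHA whose expected answer is readable from the session cookie and a document name concatenated into SQL, shown side by side with hardened versions. This is an added Python illustration, not code from The Hacker News, Ctrl-Alt-Intel or the targeted portal; the cookie layout, the SERVER_STORE dictionary, the documents/users tables and the payload string are constructed assumptions, not details reported by the article.

```python
import hmac
import secrets
import sqlite3

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def _random_answer(length=5):
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


# --- CAPTCHA, weak design modelled on the quoted description ----------------
def issue_captcha_weak():
    """The expected answer is written into the session cookie sent to the client.
    Cookie layout is a constructed assumption."""
    answer = _random_answer()
    cookie = {"session": "s1", "captcha_expected": answer}
    return answer, cookie


def verify_captcha_weak(cookie, submitted):
    return hmac.compare_digest(cookie.get("captcha_expected", ""), submitted)


def bypass_weak(cookie):
    """What the attacker script does: read the answer out of the cookie
    instead of solving the image."""
    return cookie["captcha_expected"]


# --- CAPTCHA, hardened design -------------------------------------------------
# Opaque id -> answer. Stands in for a server-side session backend (Redis, DB).
SERVER_STORE = {}


def issue_captcha_hardened():
    """Only an opaque session id leaves the server; the answer never does."""
    answer = _random_answer()
    sid = secrets.token_urlsafe(16)
    SERVER_STORE[sid] = answer
    return answer, {"session": sid}


def verify_captcha_hardened(cookie, submitted):
    """Single-use: the stored answer is consumed on the first check."""
    expected = SERVER_STORE.pop(cookie.get("session"), None)
    return expected is not None and hmac.compare_digest(expected, submitted)


# --- document-save endpoint, string-built SQL vs parameterised ---------------
def save_document_weak(conn, doc_name):
    # The saved name is spliced straight into the statement.
    conn.execute("INSERT INTO documents(name) VALUES ('" + doc_name + "')")


def save_document_hardened(conn, doc_name):
    # The driver binds the value; quotes in doc_name are data, not syntax.
    conn.execute("INSERT INTO documents(name) VALUES (?)", (doc_name,))


def run_save(save_fn, doc_name):
    """Fresh in-memory DB with one constructed 'secret' row; save doc_name
    through save_fn and return the names actually stored."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(secret TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin-hash')")  # constructed sample
    conn.execute("CREATE TABLE documents(name TEXT)")
    save_fn(conn, doc_name)
    return [row[0] for row in conn.execute("SELECT name FROM documents")]


# Closes the quoted string and splices a value from another table into the
# saved name, so the "document" becomes a read-back of data the user never
# should have seen. Hypothetical payload, not one reported by the article.
PAYLOAD = "report'||(SELECT secret FROM users)||'"

if __name__ == "__main__":
    _, cookie = issue_captcha_weak()
    print("weak CAPTCHA accepted cookie-derived answer:",
          verify_captcha_weak(cookie, bypass_weak(cookie)))
    answer, cookie = issue_captcha_hardened()
    print("hardened cookie contains answer:", answer in cookie.values())
    print("weak save stored:", run_save(save_document_weak, PAYLOAD))
    print("hardened save stored:", run_save(save_document_hardened, PAYLOAD))
```

The hardened CAPTCHA is accepted exactly once and leaks nothing in the cookie; the hardened save stores the payload verbatim as a document name, whereas the weak save stores the concatenated secret. A CAPTCHA that can be verified from client-held state alone is a design flaw rather than an implementation bug, so a code review should check where the expected answer lives, not only how it is compared.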
Read at The Hacker News