Hackers Exploit cPanel Flaw to Breach Government, Military
A sophisticated adversarial campaign has targeted government and military infrastructure across South-East Asia. Attackers rapidly exploited a critical cPanel authentication bypass, then deployed a custom zero-day exploit chain against an Indonesian defense-sector portal. The operation ultimately led to the exfiltration of over 4GB of sensitive Chinese railway documents.
The campaign’s initial access vector centered on CVE-2026-41940, a critical CVSS 9.8 authentication bypass in cPanel and WHM affecting all versions after v11.40.
The flaw is a CRLF injection in the login and session-loading code paths; an unauthenticated attacker can use it to manipulate the whostmgrsession cookie and obtain full root-level administrative access without valid credentials.
Exploitation was confirmed in the wild before cPanel’s patch was released on April 28, 2026, and CISA subsequently added it to its Known Exploited Vulnerabilities catalog. In this campaign, cPanel exploitation represented only one component of a broader and more alarming operation uncovered from an exposed command-and-control (C2) server.
cPanel Vulnerability Exploited
More significantly, Ctrl-Alt-Intel recovered a custom exploit targeting an Indonesian defense-sector training portal.
The threat actor already possessed valid credentials and bypassed the portal’s CAPTCHA mechanism by reading the expected CAPTCHA value directly from the server-issued session cookie, rendering the challenge completely ineffective without solving it.
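The CAPTCHA weakness described above is a design flaw rather than a bug in any one library: the server handed the client the very value it would later check. The following Python is an added example, not code from the article or from the affected portal; it puts the vulnerable pattern next to a hardened one in which the answer never leaves the server and the cookie carries only an opaque, single-use token. All names (`issue_challenge_vulnerable`, `CaptchaStore`, the cookie keys) are hypothetical.

```python
import hashlib
import hmac
import secrets

# --- Vulnerable pattern (the one the article describes): the server writes the
# expected CAPTCHA answer into the cookie it issues. Any client can read the
# cookie and "solve" the challenge without rendering the image at all.

def issue_challenge_vulnerable(answer: str) -> dict:
    """Return the cookie jar a server with this flaw would set."""
    return {"captcha_expected": answer}


def verify_vulnerable(cookie: dict, submitted: str) -> bool:
    return submitted == cookie.get("captcha_expected")


def answer_visible_to_client(cookie: dict, answer: str) -> bool:
    """True if the cleartext answer is recoverable from any cookie value."""
    return any(answer == v for v in cookie.values())


# --- Hardened pattern: the answer stays server-side. The cookie carries only a
# random single-use token; the server keeps a hash of the answer keyed by that
# token and compares in constant time. Every verification attempt, right or
# wrong, consumes the token, so the same challenge cannot be replayed.

class CaptchaStore:
    def __init__(self) -> None:
        self._pending: dict = {}   # token -> sha256(normalised answer)

    @staticmethod
    def _digest(answer: str) -> bytes:
        # Normalise whitespace and case so "AbC " and "abc" compare equal.
        return hashlib.sha256(answer.strip().lower().encode()).digest()

    def issue(self, answer: str) -> dict:
        token = secrets.token_urlsafe(32)          # 256 bits, unguessable
        self._pending[token] = self._digest(answer)
        return {"captcha_token": token}           # nothing about the answer here

    def verify(self, cookie: dict, submitted: str) -> bool:
        token = cookie.get("captcha_token")
        expected = self._pending.pop(token, None)  # single use: pop, never re-read
        if expected is None:
            return False                           # unknown, expired or reused token
        return hmac.compare_digest(expected, self._digest(submitted))
```

In a real deployment the pending map would live in a shared store with a TTL, and the token would be tied to the login session so one client cannot spend another client's challenge; the property that matters is the one shown: the client-visible cookie carries no information about the answer.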
Once inside, the actor targeted a document-management function, injecting SQL into the document-name field via a vulnerable save endpoint.
The SQL injection was then escalated to full operating system access by abusing PostgreSQL’s COPY ... TO PROGRAM capability, which allows the database server to spawn arbitrary shell commands.
Command output was captured to /tmp, base64-encoded, and re-ingested into application records using pg_read_file() — a stealthy, file-read-based exfiltration channel entirely native to the database layer.
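The escalation path above (SQL injection, then `COPY ... TO PROGRAM`, then `pg_read_file()` to pull the output back through the database) leaves a distinctive trail in PostgreSQL statement logs and depends on the application role holding file or program privileges. The Python below is an added example, not part of the article or of any tool it names: it scans constructed `log_statement = 'all'` style log lines for the statements involved and checks a constructed role snapshot for the built-in roles (`pg_execute_server_program`, `pg_read_server_files`, `pg_write_server_files`) or superuser status that turn an injection into OS access. The log lines, role names and function names `scan_pg_log` / `over_privileged_app_roles` are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample PostgreSQL server log (log_statement = 'all' style).
# Made up for this example; none of these lines come from the incident.
SAMPLE_PG_LOG = """\
2026-04-29 10:14:02 UTC [4321] app@docs LOG:  statement: UPDATE documents SET name = $1 WHERE id = $2
2026-04-29 10:14:09 UTC [4321] app@docs LOG:  statement: COPY (SELECT '') TO PROGRAM 'id > /tmp/out.txt'
2026-04-29 10:14:11 UTC [4321] app@docs LOG:  statement: SELECT pg_read_file('/tmp/out.txt')
2026-04-29 10:14:15 UTC [4321] app@docs LOG:  statement: COPY documents TO '/var/lib/postgresql/export.csv'
2026-04-29 10:14:20 UTC [4321] app@docs LOG:  statement: SELECT name FROM documents WHERE id = 7
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<who>\S+) LOG:\s+statement: (?P<sql>.*)$"
)

# Ordered: the first matching rule classifies the statement, so a COPY ... TO
# PROGRAM is reported as command execution, not as a plain file copy.
RULES = [
    ("critical", "os-command-execution",
     re.compile(r"\bCOPY\b.*\b(?:TO|FROM)\s+PROGRAM\b", re.I)),
    ("high", "server-file-access",
     re.compile(r"\b(?:pg_read_file|pg_read_binary_file|pg_ls_dir|lo_import|lo_export)\s*\(", re.I)),
    ("medium", "server-side-copy-file",
     re.compile(r"\bCOPY\b.*\b(?:TO|FROM)\s+'", re.I)),
]


@dataclass
class Finding:
    line_no: int
    severity: str
    rule: str
    who: str        # role@database from the log prefix
    sql: str


def scan_pg_log(text: str) -> list:
    """Return one Finding per logged statement that touches files or programs."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        sql = m.group("sql")
        for severity, rule, pat in RULES:
            if pat.search(sql):
                findings.append(Finding(n, severity, rule, m.group("who"), sql))
                break
    return findings


# Constructed snapshot of role attributes, shaped like the result of joining
# pg_roles with pg_auth_members. Assumed data, not from the incident.
SAMPLE_ROLES = {
    "app":       {"superuser": False, "member_of": {"pg_execute_server_program", "pg_read_server_files"}},
    "postgres":  {"superuser": True,  "member_of": set()},
    "reporting": {"superuser": False, "member_of": {"pg_read_all_data"}},
}

DANGEROUS_BUILTINS = {"pg_execute_server_program", "pg_read_server_files", "pg_write_server_files"}


def over_privileged_app_roles(roles: dict, app_roles=("app",)) -> dict:
    """Application roles holding superuser or a file/program built-in role.

    Any such grant means a SQL injection in the application is also OS-level
    access on the database host; the fix is REVOKE (or dropping SUPERUSER).
    """
    out = {}
    for name in app_roles:
        info = roles.get(name, {})
        bad = set(info.get("member_of", ())) & DANGEROUS_BUILTINS
        if info.get("superuser"):
            bad.add("SUPERUSER")
        if bad:
            out[name] = sorted(bad)
    return out
```

The parameterised `UPDATE ... SET name = $1` on the first line is what the document-save endpoint should have been issuing; the three flagged lines are the chain the article describes, in order. Run `scan_pg_log` over real logs only after enabling statement logging (or `pgaudit`) for the application role, since by default PostgreSQL does not log every statement.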
The exploit script, named exploit_siak_bahasa.py (SHA-256: 974E272A...), contained Vietnamese-language comments, though Ctrl-Alt-Intel explicitly cautions this is insufficient for attribution and may represent deliberate misdirection.
For command and control, the actor deployed an AdaptixC2 payload (ELF binary named 1) configured to beacon to delicate-dew.serveftp[.]com:4455, with server-side telemetry corroborating the C2 address at 95.111.250[.]175.

A PowerShell reverse shell (init.ps1) was also recovered, establishing a TCP connection back to the same IP on port 4444.
To ensure durable, persistent access, the actor combined OpenVPN and Ligolo into a layered pivot stack. An OpenVPN server was deployed on 95.111.250[.]175:1194/UDP as early as April 8, 2026, routing through the 10.8.0.0/24 client subnet.
The Ligolo proxy agent was installed under a hidden directory /usr/local/bin/.netmon/, masqueraded as a systemd service named systemd-update.service, and configured to restart automatically — providing persistent re-entry even after reboots.
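The persistence described above combines three things a unit-file audit can catch: a service name that imitates a real systemd component, an executable under a dot-directory, and `Restart=always`. The Python below is an added example, not code from the article, Ligolo or systemd; it audits a constructed set of unit files (the hidden executable path is the one from the article's IoC table, the other two units are made up) and reports only units with findings. Function names and the "vendor directory" lists are assumptions chosen for the example.

```python
import re
from pathlib import PurePosixPath
from typing import Optional

# Constructed unit files keyed by their on-disk path. Made up for this example;
# only the hidden ExecStart path is taken from the article's IoC table.
SAMPLE_UNITS = {
    "/etc/systemd/system/systemd-update.service": """\
[Unit]
Description=System Update Helper

[Service]
ExecStart=/usr/local/bin/.netmon/systemd-helper
Restart=always

[Install]
WantedBy=multi-user.target
""",
    "/usr/lib/systemd/system/systemd-timesyncd.service": """\
[Unit]
Description=Network Time Synchronization

[Service]
ExecStart=!!/usr/lib/systemd/systemd-timesyncd
Restart=always
""",
    "/etc/systemd/system/inventory-api.service": """\
[Unit]
Description=Inventory API

[Service]
ExecStart=/opt/inventory/bin/api --port 8080
Restart=on-failure
""",
}

# Where distribution-shipped units and genuine systemd binaries normally live.
VENDOR_UNIT_DIRS = ("/usr/lib/systemd/system/", "/lib/systemd/system/")
SYSTEMD_BIN_DIRS = ("/usr/lib/systemd/", "/lib/systemd/", "/usr/bin/", "/bin/")


def exec_start_binary(unit_text: str) -> Optional[str]:
    """First ExecStart= path, with systemd's '-', '@', ':', '+', '!' prefixes stripped."""
    m = re.search(r"^ExecStart=(.+)$", unit_text, re.M)
    if not m:
        return None
    first = m.group(1).strip().split()[0]
    return first.lstrip("-@:+!")


def audit_unit(path: str, unit_text: str) -> list:
    findings = []
    name = PurePosixPath(path).name
    binary = exec_start_binary(unit_text)
    parts = PurePosixPath(binary).parts if binary else ()

    # A "systemd-*" unit that is not in a vendor directory, or whose binary is
    # not where systemd's own binaries live, is borrowing the name for cover.
    if name.startswith("systemd-") and (
        not path.startswith(VENDOR_UNIT_DIRS)
        or not (binary or "").startswith(SYSTEMD_BIN_DIRS)
    ):
        findings.append("masqueraded-systemd-name")

    # Executable under a dot-directory: hidden from a casual `ls`.
    if any(p.startswith(".") for p in parts[1:]):
        findings.append("hidden-directory-executable")

    # Auto-restart is normal on its own; it only matters on top of another hit.
    if findings and re.search(r"^Restart=always$", unit_text, re.M):
        findings.append("auto-restart-persistence")
    return findings


def audit_units(units: dict) -> dict:
    """Map unit path -> findings, for units with at least one finding."""
    result = {}
    for path, text in units.items():
        f = audit_unit(path, text)
        if f:
            result[path] = f
    return result
```

On a live host the same checks apply to the output of `systemctl cat` for every unit, and the binary path reported under `hidden-directory-executable` is the file whose hash belongs in the incident record.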
Routing through this pivot infrastructure, the actor reached an internal host at 10.16.13.88 and deployed exfil_docs_v2.sh, a custom SFTP-based exfiltration script.

In total, 110 files (~4.37GB) were stolen from the China Railway Society Electrification Committee spanning .pptx, .pdf, .docx, and .xlsx formats dating from 2020 to 2024.
Among the most sensitive materials were 2021 financial workbooks containing full names, PRC national ID numbers, bank account details, and phone numbers.
Ctrl-Alt-Intel stops short of firm attribution, though the victimology (South-East Asian military and government targets), combined with the theft of Chinese state-adjacent transport-sector data, points to a deliberate regional intelligence-collection effort.
The Shadowserver Foundation confirmed on April 30, 2026, that 44,000 unique IP addresses were observed scanning for victims, launching exploits, or conducting brute-force attacks against its honeypot sensors.
Organizations running cPanel/WHM are urged to patch to the latest version immediately and audit server logs for signs of CRLF-based session manipulation.
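The article does not describe the exact request shape for the cPanel flaw, so a log audit has to be generic: flag any request target or cookie value that, once percent-decoding is fully undone, contains a carriage return or line feed, since those characters have no legitimate place in either. The Python below is an added example, not part of the article or of cPanel; it runs that check over constructed access-log lines in an extended combined format that also records the Cookie header as `cookie="..."` (an assumed layout, not cPanel's). The sample lines, IPs and function names are all constructed.

```python
import re
from urllib.parse import unquote

# Constructed access-log sample. The IPs are documentation ranges and the
# requests are made up; the format adds a cookie="..." field to the usual
# combined log format (an assumption for this example).
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [28/Apr/2026:09:12:01 +0000] "GET /login/?login_only=1 HTTP/1.1" 200 512 cookie="lang=en"
203.0.113.9 - - [28/Apr/2026:09:12:07 +0000] "GET /login/?user=demo%0d%0aX-Injected:%201 HTTP/1.1" 200 512 cookie="lang=en"
203.0.113.9 - - [28/Apr/2026:09:12:09 +0000] "GET /index.html HTTP/1.1" 403 0 cookie="session=abc%0D%0Ainjected=1"
203.0.113.9 - - [28/Apr/2026:09:12:12 +0000] "GET /login/?user=demo%250d%250aX=1 HTTP/1.1" 400 0 cookie="lang=en"
198.51.100.7 - - [28/Apr/2026:09:13:00 +0000] "POST /login/ HTTP/1.1" 302 0 cookie="lang=en"
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|HEAD|DELETE|PATCH|OPTIONS) (\S+) HTTP/[\d.]+"')
COOKIE_RE = re.compile(r'cookie="([^"]*)"')


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded %250d%250a is also unmasked."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def crlf_findings(line: str) -> list:
    """(field, decoded value) for every logged field that carries a CR or LF."""
    out = []
    for field, pat in (("request", REQUEST_RE), ("cookie", COOKIE_RE)):
        m = pat.search(line)
        if not m:
            continue
        decoded = fully_decode(m.group(1))
        if "\r" in decoded or "\n" in decoded:
            out.append((field, decoded))
    return out


def scan_access_log(text: str) -> list:
    """One record per suspicious line: line number, client IP, affected fields."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        hits = crlf_findings(line)
        if hits:
            client = line.split(" ", 1)[0]
            results.append({"line": n, "client": client, "fields": [f for f, _ in hits]})
    return results


def suspicious_clients(text: str) -> list:
    """Distinct source IPs that sent at least one CRLF-bearing request."""
    return sorted({r["client"] for r in scan_access_log(text)})
```

Status codes are deliberately ignored: a 200 on a CRLF-bearing login request is the case worth escalating first, but a 400 or 403 still identifies a client that was probing, which is what the Shadowserver scanning figures above suggest to expect.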
Indicators of Compromise (IoCs)
| Indicator | Type | Context |
|---|---|---|
| 95.111.250[.]175 | IP Address | Primary attacker VPS; OpenVPN, reverse shell, and pivot infrastructure |
| delicate-dew.serveftp[.]com | Domain | Domain associated with the same infrastructure; present in recovered certificate material |
| systemd-update.service | File Name | Masqueraded Linux persistence service |
| /usr/local/bin/.netmon/systemd-helper | File Path | Hidden Linux reverse-connect payload path |
| init.ps1 | File Name | PowerShell reverse shell payload |
| 64674342041873DBB18B1DD9BB1CA391AF85B5E755DEFFB4C1612EF668349325 | SHA-256 | Hash of init.ps1 |
| exploit_siak_bahasa.py | File Name | Custom authenticated SQLi → PostgreSQL RCE exploit |
| 974E272AD1DC7D5AADC3C7A48EC00EB201D04BA59EC5B0B17C2F8E9CD2F9C9CD | SHA-256 | Hash of exploit_siak_bahasa.py |
| exfil_docs_v2.sh | File Name | Custom SFTP / lftp document exfiltration script |
| 734F0D04DC2683E19E629B8EC7F55349B5BCFF4EB4F2F36F6ADBBDE1C023A24F | SHA-256 | Hash of exfil_docs_v2.sh |
| 1 | File Name | Linux ELF reverse-connect / pivot payload recovered alongside the custom exploit chain |
| 1CFEADF01D24182362887B7C5F683E8BDB0E84CDDCE03E3B7564B2D9AB5D15CF | SHA-256 | Hash of ELF payload 1 |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.