Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Ghostcommit Attack Hides Malicious Prompts in Images to Exploit AI Agents
July 11, 2026
AI-powered Forg365 Phishing Platform Targets Microsoft 365 Accounts
July 11, 2026
Dell BIOS Critical Flaw Exposes Admin Passwords From SPI Flash
July 11, 2026
Home/CyberSecurity News/Critical cPanel Flaw CVE-2021-39401 Lets Attackers Breach Gov Servers
CyberSecurity News

Critical cPanel Flaw CVE-2021-39401 Lets Attackers Breach Gov Servers

Key Takeaways A sophisticated cyber campaign targeted government and military entities in Southeast Asia. Attackers leveraged a critical authentication bypass in cPanel & WHM (CVE-2026-41940) to...

Sarah simpson
Sarah simpson
May 2, 2026 4 Min Read
51 0

Key Takeaways

  • A sophisticated cyber campaign targeted government and military entities in Southeast Asia.
  • Attackers leveraged a critical authentication bypass in cPanel & WHM (CVE-2026-41940) to gain initial access.
  • The operation escalated to a custom zero-day exploit chain against an Indonesian defense portal, leading to remote code execution.
  • Over 4GB of sensitive Chinese railway documents, including personal financial data, were exfiltrated.
  • A patch for the cPanel flaw was released on April 28, 2026, and immediate application is strongly recommended.

A recent, highly coordinated cyberattack has exposed significant vulnerabilities within government and military digital infrastructure across Southeast Asia. The campaign, which exploited a critical authentication bypass in cPanel and WHM, culminated in the exfiltration of sensitive documents from a Chinese railway entity via an Indonesian defense-sector portal.

Table Of Content

  • Key Takeaways
  • Advanced Exploitation Against Indonesian Defense Sector
  • SQL Injection to Remote Code Execution
  • Command and Control and Persistence
  • Indicators of Compromise (IoCs)
  • What You Should Do

The attackers initiated their breach by exploiting CVE-2026-41940, a severe authentication bypass vulnerability in cPanel & WHM. This flaw, rated with a CVSS score of 9.8, affects all versions of the widely used hosting control panel released after v11.40.

The vulnerability stems from a CRLF injection flaw within the login and session-loading mechanisms. This allowed unauthorized attackers to manipulate the whostmgrsession cookie, thereby gaining full root-level administrative access without requiring valid login credentials.

Evidence suggests that this vulnerability was actively exploited in the wild even before cPanel issued a patch on April 28, 2026. The Cybersecurity and Infrastructure Security Agency (CISA) subsequently added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog. However, the cPanel exploit was just one facet of a much larger, more concerning operation uncovered through an exposed command-and-control (C2) server.

Advanced Exploitation Against Indonesian Defense Sector

Further investigation by security researchers at Ctrl-Alt-Intel revealed a custom exploit chain targeting an Indonesian defense-sector training portal. The threat actor, already possessing valid credentials, bypassed the portal’s CAPTCHA by directly reading the expected CAPTCHA value from the server-issued session cookie, rendering the security measure ineffective.

SQL Injection to Remote Code Execution

Once inside the portal, the attackers focused on a document-management function. They injected SQL commands into the document-name field via a vulnerable save endpoint. This SQL injection was then escalated to achieve full operating system access by exploiting PostgreSQL’s COPY ... TO PROGRAM feature, which permits the database server to execute arbitrary shell commands.

Command output was covertly captured to the /tmp directory, base64-encoded, and subsequently re-ingested into application records using pg_read_file(). This method established a stealthy, file-read-based exfiltration channel that operated entirely within the database layer.

The custom exploit script, identified as exploit_siak_bahasa.py (SHA-256: 974E272A...), contained comments written in Vietnamese. However, Ctrl-Alt-Intel explicitly cautioned against using this detail for definitive attribution, suggesting it could be a deliberate attempt at misdirection.

Command and Control and Persistence

For command and control, the threat actor deployed an AdaptixC2 payload, an ELF binary named 1, configured to beacon to delicate-dew.serveftp[.]com:4455. Server-side telemetry corroborated the C2 address as 95.111.250[.]175. A PowerShell reverse shell, init.ps1, was also recovered, designed to establish a TCP connection back to the same IP address on port 4444.

To ensure persistent access, the attackers established a layered pivot stack combining OpenVPN and Ligolo. An OpenVPN server was deployed on 95.111.250[.]175:1194/UDP as early as April 8, 2026, routing traffic through the 10.8.0.0/24 client subnet. The Ligolo proxy agent was installed in a hidden directory, /usr/local/bin/.netmon/, and disguised as a systemd service named systemd-update.service. This service was configured for automatic restarts, guaranteeing persistent re-entry even after system reboots.

Utilizing this pivot infrastructure, the actor accessed an internal host at 10.16.13.88 and deployed exfil_docs_v2.sh, a custom SFTP-based script designed for document exfiltration.

In total, 110 files, amounting to approximately 4.37GB, were stolen from the China Railway Society Electrification Committee. The stolen data, spanning .pptx, .pdf, .docx, and .xlsx formats, dated from 2020 to 2024. Among the most sensitive materials were 2021 financial workbooks containing full names, PRC national ID numbers, bank account details, and phone numbers.

While Ctrl-Alt-Intel refrained from making a firm attribution, the combination of Southeast Asian military and government targets with the theft of data from a Chinese state-adjacent transport sector organization suggests a deliberate regional intelligence collection effort.

The Shadowserver Foundation reported on April 30, 2026, that it observed 44,000 unique IP addresses scanning for victims, launching exploits, or conducting brute-force attacks against its honeypot sensors, indicating widespread exploitation attempts for this vulnerability.

Indicators of Compromise (IoCs)

Indicator Type Context
95.111.250[.]175 IP Address Primary attacker VPS; OpenVPN, reverse shell, and pivot infrastructure
delicate-dew.serveftp[.]com Domain Domain associated with the same infrastructure; present in recovered certificate material
systemd-update.service File Name Masqueraded Linux persistence service
/usr/local/bin/.netmon/systemd-helper File Path Hidden Linux reverse-connect payload path
init.ps1 File Name PowerShell reverse shell payload
64674342041873DBB18B1DD9BB1CA391AF85B5E755DEFFB4C1612EF668349325 SHA-256 Hash of init.ps1
exploit_siak_bahasa.py File Name Custom authenticated SQLi → PostgreSQL RCE exploit
974E272AD1DC7D5AADC3C7A48EC00EB201D04BA59EC5B0B17C2F8E9CD2F9C9CD SHA-256 Hash of exploit_siak_bahasa.py
exfil_docs_v2.sh File Name Custom SFTP / lftp document exfiltration script
734F0D04DC2683E19E629B8EC7F55349B5BCFF4EB4F2F36F6ADBBDE1C023A24F SHA-256 Hash of exfil_docs_v2.sh
1 File Name Linux ELF reverse-connect / pivot payload recovered alongside the custom exploit chain
1CFEADF01D24182362887B7C5F683E8BDB0E84CDDCE03E3B7564B2D9AB5D15CF SHA-256 Hash of ELF payload 1

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

What You Should Do

  • Immediately patch all cPanel & WHM installations to the latest available version to remediate CVE-2026-41940.
  • Conduct a thorough audit of server logs for any indicators of CRLF-based session manipulation or unauthorized access attempts.
  • Review and harden authentication mechanisms, especially for critical portals and administrative interfaces.
  • Implement robust intrusion detection and prevention systems to monitor for anomalous network activity and known IoCs.
  • Regularly scan systems for the presence of the identified malicious files and network connections.
  • Ensure database servers are configured with the principle of least privilege, restricting capabilities like COPY ... TO PROGRAM where not strictly necessary.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackBreachCVEExploitHackerPatchThreatVulnerabilityzero-day

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Critical Exim Mail Server Vulnerabilities Let Attackers Crash Systems

Next Post

Trellix Source Code Stolen in Breach, Exposing Proprietary Data

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Top 10 Unified Threat Management Solutions for 2026
July 11, 2026
Critical OpenClaw Vulnerability Lets Attackers Hijack WhatsApp Via One Message
July 11, 2026
Progress Urges ShareFile Server Shutdown Over Critical Vulnerability
July 11, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us