Critical cPanel Flaw CVE-2021-39401 Lets Attackers Breach Gov Servers
Key Takeaways A sophisticated cyber campaign targeted government and military entities in Southeast Asia. Attackers leveraged a critical authentication bypass in cPanel & WHM (CVE-2026-41940) to...
Key Takeaways
- A sophisticated cyber campaign targeted government and military entities in Southeast Asia.
- Attackers leveraged a critical authentication bypass in cPanel & WHM (CVE-2026-41940) to gain initial access.
- The operation escalated to a custom zero-day exploit chain against an Indonesian defense portal, leading to remote code execution.
- Over 4GB of sensitive Chinese railway documents, including personal financial data, were exfiltrated.
- A patch for the cPanel flaw was released on April 28, 2026, and immediate application is strongly recommended.
A recent, highly coordinated cyberattack has exposed significant vulnerabilities within government and military digital infrastructure across Southeast Asia. The campaign, which exploited a critical authentication bypass in cPanel and WHM, culminated in the exfiltration of sensitive documents from a Chinese railway entity via an Indonesian defense-sector portal.
Table Of Content
The attackers initiated their breach by exploiting CVE-2026-41940, a severe authentication bypass vulnerability in cPanel & WHM. This flaw, rated with a CVSS score of 9.8, affects all versions of the widely used hosting control panel released after v11.40.
The vulnerability stems from a CRLF injection flaw within the login and session-loading mechanisms. This allowed unauthorized attackers to manipulate the whostmgrsession cookie, thereby gaining full root-level administrative access without requiring valid login credentials.
Evidence suggests that this vulnerability was actively exploited in the wild even before cPanel issued a patch on April 28, 2026. The Cybersecurity and Infrastructure Security Agency (CISA) subsequently added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog. However, the cPanel exploit was just one facet of a much larger, more concerning operation uncovered through an exposed command-and-control (C2) server.
Advanced Exploitation Against Indonesian Defense Sector
Further investigation by security researchers at Ctrl-Alt-Intel revealed a custom exploit chain targeting an Indonesian defense-sector training portal. The threat actor, already possessing valid credentials, bypassed the portal’s CAPTCHA by directly reading the expected CAPTCHA value from the server-issued session cookie, rendering the security measure ineffective.
SQL Injection to Remote Code Execution
Once inside the portal, the attackers focused on a document-management function. They injected SQL commands into the document-name field via a vulnerable save endpoint. This SQL injection was then escalated to achieve full operating system access by exploiting PostgreSQL’s COPY ... TO PROGRAM feature, which permits the database server to execute arbitrary shell commands.
Command output was covertly captured to the /tmp directory, base64-encoded, and subsequently re-ingested into application records using pg_read_file(). This method established a stealthy, file-read-based exfiltration channel that operated entirely within the database layer.
The custom exploit script, identified as exploit_siak_bahasa.py (SHA-256: 974E272A...), contained comments written in Vietnamese. However, Ctrl-Alt-Intel explicitly cautioned against using this detail for definitive attribution, suggesting it could be a deliberate attempt at misdirection.
Command and Control and Persistence
For command and control, the threat actor deployed an AdaptixC2 payload, an ELF binary named 1, configured to beacon to delicate-dew.serveftp[.]com:4455. Server-side telemetry corroborated the C2 address as 95.111.250[.]175. A PowerShell reverse shell, init.ps1, was also recovered, designed to establish a TCP connection back to the same IP address on port 4444.
To ensure persistent access, the attackers established a layered pivot stack combining OpenVPN and Ligolo. An OpenVPN server was deployed on 95.111.250[.]175:1194/UDP as early as April 8, 2026, routing traffic through the 10.8.0.0/24 client subnet. The Ligolo proxy agent was installed in a hidden directory, /usr/local/bin/.netmon/, and disguised as a systemd service named systemd-update.service. This service was configured for automatic restarts, guaranteeing persistent re-entry even after system reboots.
Utilizing this pivot infrastructure, the actor accessed an internal host at 10.16.13.88 and deployed exfil_docs_v2.sh, a custom SFTP-based script designed for document exfiltration.
In total, 110 files, amounting to approximately 4.37GB, were stolen from the China Railway Society Electrification Committee. The stolen data, spanning .pptx, .pdf, .docx, and .xlsx formats, dated from 2020 to 2024. Among the most sensitive materials were 2021 financial workbooks containing full names, PRC national ID numbers, bank account details, and phone numbers.
While Ctrl-Alt-Intel refrained from making a firm attribution, the combination of Southeast Asian military and government targets with the theft of data from a Chinese state-adjacent transport sector organization suggests a deliberate regional intelligence collection effort.
The Shadowserver Foundation reported on April 30, 2026, that it observed 44,000 unique IP addresses scanning for victims, launching exploits, or conducting brute-force attacks against its honeypot sensors, indicating widespread exploitation attempts for this vulnerability.
Indicators of Compromise (IoCs)
| Indicator | Type | Context |
|---|---|---|
95.111.250[.]175 |
IP Address | Primary attacker VPS; OpenVPN, reverse shell, and pivot infrastructure |
delicate-dew.serveftp[.]com |
Domain | Domain associated with the same infrastructure; present in recovered certificate material |
systemd-update.service |
File Name | Masqueraded Linux persistence service |
/usr/local/bin/.netmon/systemd-helper |
File Path | Hidden Linux reverse-connect payload path |
init.ps1 |
File Name | PowerShell reverse shell payload |
64674342041873DBB18B1DD9BB1CA391AF85B5E755DEFFB4C1612EF668349325 |
SHA-256 | Hash of init.ps1 |
exploit_siak_bahasa.py |
File Name | Custom authenticated SQLi → PostgreSQL RCE exploit |
974E272AD1DC7D5AADC3C7A48EC00EB201D04BA59EC5B0B17C2F8E9CD2F9C9CD |
SHA-256 | Hash of exploit_siak_bahasa.py |
exfil_docs_v2.sh |
File Name | Custom SFTP / lftp document exfiltration script |
734F0D04DC2683E19E629B8EC7F55349B5BCFF4EB4F2F36F6ADBBDE1C023A24F |
SHA-256 | Hash of exfil_docs_v2.sh |
1 |
File Name | Linux ELF reverse-connect / pivot payload recovered alongside the custom exploit chain |
1CFEADF01D24182362887B7C5F683E8BDB0E84CDDCE03E3B7564B2D9AB5D15CF |
SHA-256 | Hash of ELF payload 1 |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
What You Should Do
- Immediately patch all cPanel & WHM installations to the latest available version to remediate CVE-2026-41940.
- Conduct a thorough audit of server logs for any indicators of CRLF-based session manipulation or unauthorized access attempts.
- Review and harden authentication mechanisms, especially for critical portals and administrative interfaces.
- Implement robust intrusion detection and prevention systems to monitor for anomalous network activity and known IoCs.
- Regularly scan systems for the presence of the identified malicious files and network connections.
- Ensure database servers are configured with the principle of least privilege, restricting capabilities like
COPY ... TO PROGRAMwhere not strictly necessary.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.