A previously unknown threat actor is actively exploiting a critical cPanel vulnerability to breach government, military, and MSP networks across multiple continents. Ctrl-Alt-Intel detected the campaign on May 2, 2026, targeting government and defense agencies in Southeast Asia alongside hosting providers and managed service providers in the Philippines, Laos, Canada, South Africa, and the United States.

The attacks leverage a recently disclosed cPanel flaw, though the specific CVE designation remains undisclosed in available reporting. cPanel powers website administration and hosting control panels for millions of websites globally, making it a high-value target. Government and military networks represent particularly sensitive objectives, while MSPs and hosting providers serve as critical infrastructure nodes managing thousands of downstream customer systems.

The threat actor's targeting pattern suggests deliberate selection of high-impact victims rather than opportunistic scanning. The geographic spread across Southeast Asia, North America, and Africa indicates either a well-resourced group with international operational capacity or multiple coordinated teams sharing exploit code.

Organizations running cPanel infrastructure face immediate risk. Successful exploitation typically grants attackers administrative access to hosting environments, enabling credential theft, malware distribution, customer data exfiltration, and lateral movement into connected networks. MSPs and hosting providers serve as attack multipliers, where a single compromise cascades to affect hundreds or thousands of downstream clients.

Affected organizations should immediately update cPanel to the latest patched version and conduct forensic analysis of access logs for indicators of compromise. Network defenders should prioritize monitoring for unusual administrative logins, file modifications in cPanel directories, and outbound connections from affected systems.

The attack underscores why hosting infrastructure requires the same security rigor as corporate networks. Organizations relying on third-party hosting should verify that their providers have applied patches and conducted incident response investigations.

WHY IT MATTERS: Exploitation of cPanel affects thousands of organizations simultaneously through hosting providers and MSPs, ampl