Bitvise
2026-05-05
Cybersecurity

Zero-Day cPanel Exploit Hits Southeast Asian Governments and MSPs Worldwide

Zero-day cPanel exploit targets Southeast Asian government and military networks, also hitting MSPs in 5 countries; critical patching urged.

A sophisticated cyberattack exploiting a critical zero-day vulnerability in cPanel software has been actively targeting government and military networks across Southeast Asia, with spillover effects on managed service providers (MSPs) and hosting firms in at least five countries, security researchers confirmed today.

The attack, first detected on May 2, 2026, by threat intelligence firm Ctrl-Alt-Intel, leverages a previously unknown flaw in cPanel’s authentication framework. The vulnerability allows remote code execution without authentication, enabling attackers to gain full control over affected servers.

“This is a high-impact, low-complexity exploit that appears to be specifically weaponized for espionage operations against sovereign state networks,” said Dr. Mei Lin, principal analyst at Ctrl-Alt-Intel. “The speed of deployment and the precision of targeting indicate a state-backed or highly resourced actor.”

Attack Scope and Targets

According to Ctrl-Alt-Intel’s preliminary report, the campaign has compromised systems at military command centers in the Philippines and Laos, as well as government email servers in Thailand and Vietnam. A smaller but notable cluster of attacks has hit MSPs and hosting providers in Canada, South Africa, and the United States.

Source: feeds.feedburner.com

The attackers appear to be using a web shell payload that persists across reboots and exfiltrates credential databases, SSH keys, and customer billing data. At least 40 organizations are believed to be affected, with the number expected to rise as forensic investigations continue.

“We are seeing a very deliberate pattern: initial compromise of hosting providers to pivot into downstream MSP clients, and from there into government contractors,” explained James Ochieng, director of incident response at Ctrl-Alt-Intel. “It’s a classic supply-chain attack executed with alarming efficiency.”

Background

cPanel is web hosting control panel software deployed on millions of servers worldwide. The vulnerability, designated CVE-2026-2837 (official CVSS score pending), was discovered by Ctrl-Alt-Intel researchers on April 28, 2026, during routine threat hunting. An update was released on May 1, but the exploit was already circulating in underground forums.

While cPanel patched the flaw within 72 hours, many organizations—particularly resource-constrained government IT departments and small MSPs—have not yet applied the update. The attack window remains open for unpatched systems.

“This is not the first time cPanel has been in the crosshairs, but the level of operational security here is unusual,” said Dr. Lin. “The threat actor took care to cover their tracks by deleting log entries and using encrypted command channels.”


What This Means

For government and military entities in Southeast Asia, this breach represents a significant intelligence loss—compromised email archives, classified communications, and personnel records may now be in adversary hands. For affected MSPs, the reputational and legal damage could be severe, especially if customer data is leaked.

Broader implications include a heightened risk of follow-on ransomware attacks, as attacker access could be sold to criminal groups. National cybersecurity agencies in the Philippines, Canada, and the U.S. have issued emergency alerts urging immediate patching.

“Every cPanel admin should treat this as a critical incident,” emphasized Ochieng. “Assume compromise, rotate all credentials, and audit outbound network connections for suspicious traffic.”

Ctrl-Alt-Intel is sharing indicators of compromise (IOCs) with partner agencies and has published a free scanning tool (see IOCs section). The identity of the threat actor remains unknown, but the operational tempo suggests a group with significant resources.

Immediate Recommended Actions

  • Apply cPanel patch 2026-05-01 immediately – do not wait for a maintenance window.
  • Scan for web shells in common directories (/tmp, /var/tmp, /home/*/.cpanel).
  • Rotate all database passwords and API keys that may have been exposed.
  • Enable multi-factor authentication on all cPanel user accounts.

As of May 4, 2026, the attack is ongoing. Security teams should monitor for unusual outbound connections on ports 443 and 8080.
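A defender's triage script for the checks listed above, added here as an example; it is not Ctrl-Alt-Intel's scanning tool and not code from the article. It flags recently modified files under the named directories that carry common web-shell markers, and lists established outbound sessions on ports 443 and 8080. The marker list, the fixture files and the `scan_webshells`/`outbound_sessions` names are assumptions.

```shell
#!/bin/sh
# Hypothetical web-shell triage helpers (added example, not the vendor's tool).
# Real usage on a cPanel host, as root:
#   scan_webshells 7 /tmp /var/tmp /home/*/.cpanel
#   outbound_sessions

# Print files under the given directories that were modified in the last
# $1 days and contain common web-shell markers, one path per line.
# Matches are leads for manual review, not proof of compromise.
scan_webshells() {
    days="$1"; shift
    find "$@" -type f -mtime "-$days" 2>/dev/null \
        | while IFS= read -r f; do
            if grep -qE 'eval\(base64_decode|shell_exec\(|passthru\(|system\(\$_(GET|POST|REQUEST)' "$f"; then
                printf '%s\n' "$f"
            fi
        done
}

# Show established outbound TCP sessions to 443/8080 with the owning process
# (ss filter syntax; read-only, needs root to resolve process names).
outbound_sessions() {
    ss -tnp state established '( dport = :443 or dport = :8080 )'
}

# Build a constructed fixture for a dry run: one benign file and one file
# carrying a marker string only (a comment, not executable PHP).
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/home/alice/.cpanel" "$d/tmp"
    printf '<?php echo "hello";\n' > "$d/home/alice/.cpanel/index.php"
    printf '<?php // constructed marker only: eval(base64_decode(...)\n' > "$d/tmp/.cache.php"
    printf '%s\n' "$d"
}
```

Run `scan_webshells 1 "$d/tmp" "$d"/home/*/.cpanel` against the fixture root `$d` to see only the marker file reported.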

Indicators of Compromise

Detailed IOCs—including command-and-control IP addresses, file hashes, and YARA rules—are available on Ctrl-Alt-Intel’s blog. Organizations should treat any matching signals as critical.

This is a developing story. Check back for updates.