The CVE-2026-41940 CVSS 9.8 cPanel zero-day exploited since February 2026 was used on Southeast Asian government and military servers and took over an Indonesian defense portal via SQL injection and stole 4.37GB of sensitive documents from the China Railway Society. This was not just a hosting vulnerability it was a nation-state-level espionage operation.
When a web hosting control panel vulnerability spreads to government and military servers its not just a technical flaw it becomes a geopolitical incident. A sophisticated adversarial campaign targeted South-East Asian government and military infrastructure.
The rapid exploitation of CVE-2026-41940 a custom zero-day exploit chain on an Indonesian defense-sector portal and ultimately the exfiltration of over 4GB of sensitive Chinese railway documents were all part of the entire operation.
It was this campaign that confirmed that cPanel the software people thought was just a tool to manage websites had now become a gateway to nation state espionage. Exploitation of CVE-2026-41940 was observed approximately since February 23, 2026 meaning it was being exploited as a true zero-day roughly two months before the official patch of April 28 and 650,000 WHM instances out of 1.5 million internet exposed cPanel instances are still exposed.
cPanel holds a 94% control panel market share which meaning that when a CVSS 9.8 vulnerability like CVE-2026-41940 occurs and its attack surface is practically unlimited. The Shadowserver Foundation confirmed that 44,000 unique IPs engaged in scanning, exploitation and brute force attacks on their honeypot sensors.

The first step of this campaign was the same as what researchers had previously documented CRLF injection manipulated the whosmgrsession cookie the cpsrvd dae wrote to the session file without encryption checks and a fully authenticated root session was promoted by injecting user=root hasroot=1 tfa_verified=1 without any valid credentials and without any password just a crafted HTTP request. sirf ek crafted HTTP request se. Read the full technical breakdown of this vulnerability and the exploit chain here CVE-2026-41940 Complete Analysis .But this was only the first step in this campaign the real operation was much deeper and more alarming.
Indonesian Defense Portal Breach SQL Injection Exposes Railway Data
Ctrl-Alt-Intel researchers recovered the entire blueprint of this campaign from an exposed command-and-control server. The threat actor already possessed valid credentials for the Indonesian defense sector training portal and bypassed the CAPTCHA mechanism by simply reading the expected CAPTCHA value directly from a server-issued session cookie rendering the challenge completely ineffective without solving it.

Once inside the actor targeted the document management function and injected SQL into the document-name field via the vulnerable save endpoint then abused PostgreSQL COPY … TO PROGRAM capability to spawn arbitrary shell commands from the database server, captured the command output to /tmp base64-encoded it and quietly exfiltrated it.
For persistence an OpenVPN server was deployed at 95.111.250[.]175:1194/UDP on April 8, 2026 three weeks before the patch release. The Ligolo proxy agent was installed in the hidden directory /usr/local/bin/.netmon/ and a fake systemd service named systemd update.service was created that automatically restarted so that persistent re-entry was possible even after reboots.
Through this pivot infrastructure the actor accessed the internal host 10.16.13.88 and deployed a custom SFTP-based exfiltration script named exfil_docs_v2.sh. This is all evidence of planning and patience. The attacker had set up the infrastructure months ago and remained silent until the target was found.

In total110 files roughly 4.37GB in .pptx, .pdf, .docx, and .xlsx formats spanning dates from 2020 to 2024 were stolen from the China Railway Society Electrification Committee. Among the most sensitive materials were 2021 financial workbooks containing full names PRC national ID numbers, bank account details and phone numbers. This was not just corporate data it was the complete financial and personal identity records of a state-linked organization.
This type of data is equally valuable for intelligence operations, blackmail, and targeted surveillance. The immediate action list for Defenders is: audit /var/cpanel/sessions/raw/ for session files containing embedded \r or \n bytes after pass= check for unexpected user accounts, SSH keys, or cron jobs in WHM, verify unauthorized modifications to /etc/, /usr/local/cpanel/ and root ~/.bashrc and restrict cPanel/WHM ports 2082, 2083, 2086, 2087, 2095, 2096 to known administrative IP ranges.
This campaign is a chilling reminder that any internet-facing misconfiguration even a hosting control panel can become a valid entry point for nation-state actors. A two-month zero-day window a government military target and 4GB of stolen data all confirm that patch management is still the most underrated cybersecurity control.
This campaign is a chilling reminder that any internet-facing misconfigurationn even a hosting control panel can become a valid entry point for nation-state actors. Be sure to check out this for emergency patches and immediate precautionary measures cPanel WHM Auth Flaw Emergency Patch Guide.