
MSPs Targeted in cPanel Vulnerability Exploits

A critical vulnerability detected last week in the widely used cPanel and WebHost Manager (WHM) server management software is being broadly exploited by bad actors, even though patches were released soon after the zero-day was disclosed.

In some of these attacks, hackers are targeting not only enterprises and other organizations but also MSPs and hosting providers, according to a report by security firm Ctrl-Alt-Intel.

The potential for damage is widespread, given that more than 70 million domains use cPanel and WHM as their web hosting control panel, according to cybersecurity firm watchTowr, which analyzed the vulnerability and released a proof-of-concept (POC) exploit for it.

cPanel said users should immediately patch the vulnerability – tracked as CVE-2026-41940 – noting that it affects all versions of the software after 11.40. The flaw is an authentication bypass vulnerability that, if exploited, could allow an attacker to gain access to the software's control panel and take over the system, compromising the configurations, databases, and websites the platform controls.

MSPs and Hosting Providers at Risk

In a report, researchers with Ctrl-Alt-Intel, which analyzes and tracks cyberthreats, said an unknown bad actor is exploiting the vulnerability to target government and military entities in Southeast Asia, as well as a set of MSPs and hosting providers not only in the Philippines and Laos but also in the United States, Canada, and South Africa.

The researchers wrote that the attack relied heavily on open source POC code for CVE-2026-41940. The threat actor used the IP address 95.111.250[.]175.

According to Ctrl-Alt-Intel, WHM creates a temporary session even when a login fails, and an attacker can tamper with how parts of that session are saved by injecting forged session values.

“WHM later reloads that session and treats it as if root has already authenticated,” the researchers wrote. “So the attacker is not ‘logging in normally’. They are forging the session state that WHM uses to decide whether someone is logged in.”
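The bug class the researchers describe (a session record persisted even for a failed login, caller-influenced fields merged into it, and the reloaded record trusted as proof of authentication) is easier to see in a small model than in prose. The following is an added, generic illustration written for this article; it is not cPanel or WHM code, not the CVE-2026-41940 exploit, and it makes no claim about WHM's actual session format. The class names, the flat `key=value` storage format, the `USERS` table and the sample inputs are all constructed assumptions. The vulnerable store sits beside a hardened one that applies the three fixes a practitioner would want: no state on failure, no caller control over reserved fields or record separators, and an integrity check on anything reloaded from storage.

```python
"""Added example: a forgeable session store beside a hardened one.
Generic model of the bug class only; not cPanel/WHM code or the real exploit."""
import hashlib
import hmac
import re
import secrets

# Constructed stand-in for a credential check (plaintext only to keep the model short).
USERS = {"root": "correct-horse", "alice": "alice-pw"}


def _password_ok(username, password):
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(password, expected)


class VulnerableSessionStore:
    """Writes a flat key=value record for every login attempt and trusts it on reload."""

    def __init__(self):
        self.records = {}  # session id -> serialized record (stand-in for files on disk)

    def login(self, username, password, extra_fields):
        # Bug 1: a record is persisted even when authentication fails.
        authenticated = _password_ok(username, password)
        lines = [f"user={username}", f"authenticated={'1' if authenticated else '0'}"]
        # Bug 2: caller-supplied fields are serialized without validation, so a value
        # containing a newline injects a second "authenticated=1" line.
        for key, value in extra_fields.items():
            lines.append(f"{key}={value}")
        sid = secrets.token_hex(8)
        self.records[sid] = "\n".join(lines)
        return sid

    def is_root(self, sid):
        # Bug 3: the reloaded record is the sole authority; a duplicate key overrides
        # the genuine one because the last occurrence wins.
        fields = {}
        for line in self.records[sid].splitlines():
            key, _, value = line.partition("=")
            fields[key] = value
        return fields.get("user") == "root" and fields.get("authenticated") == "1"


FIELD_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")
VALUE_RE = re.compile(r"^[A-Za-z0-9_.-]{0,128}$")
RESERVED = {"user", "authenticated", "mac"}


class HardenedSessionStore:
    """Persists a record only after a successful login, rejects caller control over
    reserved keys and separators, and MACs the record so edits are detected on reload."""

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)  # server-side secret, never stored with records
        self.records = {}

    def _mac(self, body):
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def login(self, username, password, extra_fields):
        if not _password_ok(username, password):
            return None  # Fix 1: a failed login leaves no session state at all
        lines = [f"user={username}", "authenticated=1"]
        for key, value in extra_fields.items():
            # Fix 2: callers cannot name reserved keys or smuggle record separators
            if key in RESERVED or not FIELD_RE.match(key) or not VALUE_RE.match(value):
                raise ValueError(f"rejected session field {key!r}")
            lines.append(f"{key}={value}")
        body = "\n".join(lines)
        sid = secrets.token_hex(16)
        self.records[sid] = body + "\nmac=" + self._mac(body)  # Fix 3: integrity tag
        return sid

    def is_root(self, sid):
        raw = self.records.get(sid)
        if raw is None:
            return False
        body, _, mac_line = raw.rpartition("\n")
        if not mac_line.startswith("mac="):
            return False
        if not hmac.compare_digest(mac_line[4:], self._mac(body)):
            return False  # persisted state was altered after it was written
        fields = dict(line.partition("=")[::2] for line in body.splitlines())
        return fields.get("user") == "root" and fields.get("authenticated") == "1"


if __name__ == "__main__":
    forged = {"theme": "x\nauthenticated=1"}  # constructed injection payload
    vuln = VulnerableSessionStore()
    print("vulnerable, wrong password + injected field ->", vuln.is_root(vuln.login("root", "bad", forged)))
    hard = HardenedSessionStore()
    print("hardened, wrong password ->", hard.login("root", "bad", forged))
```

Run stand-alone, the script shows the vulnerable store granting root from a failed login once the injected field is reloaded, while the hardened store returns no session for the same request. The MAC in the hardened store is there for the case the report describes, where the decision is made from state reloaded later rather than from in-memory state: a record that an attacker can influence on disk must not be trusted on its own, and a server-side keyed tag is the cheapest way to tie a reloaded record back to the code path that was actually allowed to write it.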

'Cold, Hard Math'

While the various Southeast Asian military and government entities get the most attention in the report, it isn’t surprising that MSPs and hosting providers are also targeted. MSPs, MSSPs, and other service providers have access to myriad customers and use remote monitoring and management (RMM) software and similar tools that reach into their clients’ IT environments.

“It is just cold, hard math,” Anurag Agrawal, founder and chief global analyst for Techaisle, told MSSP Alert. “In a standard attack, the hacker's ROI is 1:1. You break into a company, you get that company. But when you hit a management tool like cPanel or an MSP’s RMM, that ratio jumps to 1:1,000 or more. For a state actor or a ransomware syndicate, an MSP is the ultimate force multiplier.”

Gene Moody, field CTO of Action1, which offers an automated endpoint and patch management platform, told MSSP Alert that the attraction of MSPs and MSSPs to threat actors is “inescapable.”

“A compromise of their systems means potentially further, or even potentially absolute, compromise of their customer base,” Moody said. “MSPs already have management control of almost the complete infrastructure of their average client. Once compromised, there technically is only further compromise in the form of lack of authorization to use the resources they steal.”

'The Fuse was Lit'

The high-profile supply chain attack on SolarWinds broadly illustrated for the industry how the compromise of a single company can have significant downstream consequences. However, Agrawal said that while “SolarWinds was the explosion everyone heard... the fuse was lit much earlier.”

He called Operation Cloud Hopper, which occurred about a decade ago, the real watershed.

“That is when threat actors realized they did not need to knock on 1,000 doors,” the analyst said. “They just needed to swipe the keys from the one guy who holds all of them, the MSP.”

Action1’s Moody added that as the threat level against them rises, many organizations are offloading their security functions to MSPs and MSSPs, which is leading to a shift toward pooling resources behind massive distributed security teams.

“Now the providers themselves become more lucrative targets by representing a single point of failure and a significant reward on successful compromise,” he said. “This is like rob a store vs. rob a bank-style pooling. The store may be easier, but the bank is more profitable.”

Security Needs to Adapt

The cPanel vulnerability and the attacks exploiting it are the latest example of why cybersecurity needs to change if organizations are to protect themselves in this era of AI-driven attacks, Agrawal said.

“Going forward, MSPs have to stop thinking of themselves as support and start acting as what I call ‘trust guardians,’” he said. “The era of security by obscurity or relying on a dashboard's default settings is over. We need accountable intelligence, where every tool in the stack is audited for its autonomous risk.”

This means a shift to zero trust for both internal tools and client environments.

“If a single control panel can still serve as the master key for your entire client base, your architecture is already obsolete,” the analyst said.

Jeffrey Burt

Jeffrey Burt has been a journalist for almost 40 years, moving from general-circulation newspapers to IT news sites in 2000. He’s an expert analyst and writer on cybersecurity, data center infrastructure, AI, and a host of other subjects for a range of organizations, including CyberRisk Alliance, eWEEK, Techstrong Group, The Next Platform, and The Register.
