A newly discovered threat actor is actively exploiting a recently disclosed cPanel vulnerability to target government and military networks in Southeast Asia, as well as managed service providers (MSPs) and hosting providers across multiple continents, according to cybersecurity firm Ctrl-Alt-Intel.
The attacks, first detected on May 2, 2026, represent a coordinated campaign that researchers say is likely state-sponsored or criminal in nature. The actor remains unidentified.
"We observed a pattern of exploitation that precisely matches the timeline of the cPanel vulnerability disclosure," said Dr. Elena Torres, lead threat analyst at Ctrl-Alt-Intel. "The speed and precision suggest this group had prior knowledge of the flaw or rapidly weaponized it within days."
Background
The vulnerability in cPanel, a widely used web hosting control panel, was publicly disclosed on April 28, 2026. Proof-of-concept code emerged shortly after, allowing attackers to remotely execute arbitrary commands on vulnerable servers.
Ctrl-Alt-Intel identified victims in the Philippines, Laos, Canada, South Africa, and the United States. The hardest-hit sectors include:
- Government and military entities in Southeast Asia
- Managed service providers (MSPs) in the Philippines
- Hosting providers in Canada, South Africa, and the U.S.
The attackers appear to prioritize data exfiltration and persistent access over immediate disruption, according to early forensic analysis.
What This Means
Organizations using cPanel versions prior to the latest security update are at immediate risk. The vulnerability allows an unauthenticated attacker to take full control of the server, potentially compromising thousands of hosted websites.
"This is not a theoretical risk. It's being actively exploited in the wild right now," warned Torres. "Any MSP or government agency still running unpatched cPanel should treat their systems as compromised until proven otherwise."
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive urging all federal agencies to apply the patch within 48 hours. Private sector firms are advised to follow suit or consider isolating cPanel servers until updates are complete.
For affected organizations, immediate steps include applying the latest cPanel update, rotating all admin credentials, and scanning for backdoors. Long-term, experts recommend migrating to alternative control panels with stronger security track records.
Ctrl-Alt-Intel continues to track the threat actor under the codename 'ShellPanel.' Researchers expect new variants of the exploit to emerge as more groups reverse-engineer the flaw.