
cPanel Zero-Day Compromises 40K+ Servers in Mass Attack

More than 40,000 servers have been compromised as attackers exploit CVE-2026-41940, a critical authentication-bypass vulnerability in cPanel & WebHost Manager (WHM) that provides unauthenticated administrative access to web hosting platforms. According to The Shadowserver Foundation, the ongoing campaign has escalated dramatically since the vulnerability’s public disclosure on April 28.

The security flaw allows attackers to inject administrative credentials through special characters in authorization headers, effectively bypassing authentication to gain full control over hosting systems. Rapid7 warned that approximately 1.5 million cPanel instances remain accessible from the internet, creating a massive attack surface for threat actors.

Iranian APT Masquerades as Ransomware Operation

In a separate incident, the Iran-linked APT group MuddyWater executed a sophisticated intrusion campaign disguised as a Chaos ransomware attack in early 2026. Rapid7 reported that the state-sponsored actors used social engineering through Microsoft Teams to establish screen-sharing sessions with victims, stealing credentials and manipulating multi-factor authentication protections.

The attackers deployed remote access tools including AnyDesk and DWAgent to maintain persistent access, then conducted reconnaissance and data exfiltration typical of espionage operations. Despite threatening victims with data leaks and directing them to the Chaos ransomware leak site, the group never deployed file-encrypting malware, suggesting the ransomware artifacts were planted as false flags to conceal state-sponsored activity.

“While connected, the TA executed basic discovery commands, accessed files related to the victim’s VPN configuration, and instructed users to enter their credentials into locally created text files,” Rapid7 researchers noted.

Karakurt Member Sentenced to 8.5 Years

Deniss Zolotarjovs, a 35-year-old Latvian member of the Karakurt ransomware gang, received an 8.5-year prison sentence in the US for his role in extorting victims. Court documents show Zolotarjovs operated as a negotiator and data analyst for the group between June 2021 and March 2023, during which Karakurt targeted at least 53 entities and caused $56 million in losses.

The Karakurt group, also known as TommyLeaks and associated with the notorious Conti ransomware operation, specialized in stealing personally identifiable information including names, addresses, Social Security numbers, and healthcare data. Zolotarjovs received 10% of negotiated ransom payments in cryptocurrency, which he converted to Russian rubles through multiple wallet transfers.

In one documented case, when a pediatric healthcare company delayed payment, Zolotarjovs recommended publishing patient data online to escalate pressure on the victim organization.

RansomHouse Claims Trellix Cybersecurity Breach

The RansomHouse ransomware group has claimed responsibility for breaching cybersecurity firm Trellix’s source code repository. Trellix confirmed the incident on its website, stating that “part of its source code repository had been breached” but found “no evidence that our source code release or distribution process was affected.”

RansomHouse published screenshots on their leak site showing apparent access to internal services and management dashboards, though they have not specified the volume or type of data stolen. The timing suggests a potential connection to recent supply chain attacks by TeamPCP and Lapsus$ groups that have targeted multiple cybersecurity firms including Checkmarx, Aqua Security, and Bitwarden.

RansomHouse operates as a ransomware-as-a-service provider that emerged in 2022, with their Tor-based leak website currently listing more than 170 victims across various industries.

Canvas Platform Breach Disrupts Thousands of Schools

Education technology giant Instructure suffered a data breach affecting its Canvas learning platform, causing widespread disruption at over 8,800 schools according to claims by the ShinyHunters hacking group. Wired reported that the platform was placed in “maintenance mode” on Thursday, creating chaos at universities including Harvard, Columbia, Rutgers, and Georgetown during finals and end-of-year assignments.

Steve Proud, Instructure’s chief information security officer, confirmed in incident updates that compromised data included names, email addresses, student ID numbers, and platform messages for users at affected institutions. The breach was first advertised by ShinyHunters on May 1, though the full scale remains unclear as the company continues its investigation.

School districts across at least a dozen states reported Canvas-related disruptions, highlighting the vulnerability of centralized educational technology platforms to cyberattacks.

https://x.com/Shadowserver/status/2050208472386396568

Global Impact and Geographic Distribution

The cPanel exploitation campaign shows a concentrated geographic pattern, with most compromised systems located in the United States, followed by France and the Netherlands. The Shadowserver Foundation’s data indicates that the “44K unique IP number is based on cPanel spike of devices seen scanning/running exploits/brute force attacks against our honeypot sensors.”

CVE-2026-41940 affects all cPanel versions after 11.40, with patches available in versions 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.124.0.35, 11.126.0.54, and 11.130.0.19. Security researchers believe the vulnerability was exploited as a zero-day since late February, with activity spiking after watchTowr published technical exploitation details.

The education sector’s Canvas breach demonstrates how attacks on widely-used platforms can create cascading disruptions across thousands of organizations simultaneously, representing a new model of ransomware impact beyond traditional single-target operations.

What This Means

These incidents reveal three critical trends in the current threat landscape. First, the cPanel mass exploitation demonstrates how a single vulnerability in widely deployed software can produce attacks of unprecedented scale, affecting tens of thousands of systems simultaneously. Second, state-sponsored groups like MuddyWater are increasingly using ransomware false flags to disguise espionage operations, complicating attribution and response efforts.

Third, the Canvas breach represents a new model of ransomware disruption where attacking centralized platforms can paralyze thousands of dependent organizations, potentially offering higher leverage than traditional targeted attacks. Organizations using shared platforms face amplified risk from supply chain compromises that can affect entire sectors simultaneously.

FAQ

How can organizations protect against cPanel exploitation?
Update immediately to patched cPanel versions (11.86.0.41, 11.110.0.97, 11.118.0.63, 11.124.0.35, 11.126.0.54, or 11.130.0.19) and follow cPanel’s compromise identification procedures. Monitor for unauthorized administrative access and unusual session activity.
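The first step in that guidance is knowing which hosts are still below the fixed build for their branch. The script below is an added example, not code from the article or from cPanel: it takes the six patched versions listed above, maps each to its maintenance branch (the first two version components), and classifies an inventory of installed versions as patched, vulnerable, outside the stated affected range (11.40 and earlier), or on a branch the article lists no fix for. The host names and versions in the inventory are constructed sample data, and the branch-mapping rule is an assumption about how the listed versions relate to installed builds; confirm against the vendor's own advisory before acting on the output.

```python
"""Classify a fleet's cPanel & WHM versions against the fixed releases
listed for CVE-2026-41940.

Fixed versions come from the article. The inventory is constructed sample
data (invalid hostnames), not real hosts. Treating the first two version
components as the maintenance branch is an assumption for this example.
"""

# Fixed releases per maintenance branch, as listed in the article.
PATCHED_VERSIONS = (
    "11.86.0.41", "11.110.0.97", "11.118.0.63",
    "11.124.0.35", "11.126.0.54", "11.130.0.19",
)

# The article states that versions after 11.40 are affected, so the 11.40
# branch and earlier are treated as outside the stated affected range.
LAST_UNAFFECTED_BRANCH = (11, 40)


def parse_version(text):
    """Turn '11.110.0.97' into (11, 110, 0, 97) so tuples compare numerically."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a cPanel version string: {text!r}")
    return tuple(int(p) for p in parts)


# branch (major, minor) -> full fixed version tuple
PATCHED_BY_BRANCH = {v[:2]: v for v in map(parse_version, PATCHED_VERSIONS)}


def assess_version(text):
    """Return 'patched', 'vulnerable', 'not-affected' or 'unknown-branch'."""
    version = parse_version(text)
    branch = version[:2]
    if branch <= LAST_UNAFFECTED_BRANCH:
        return "not-affected"
    fixed = PATCHED_BY_BRANCH.get(branch)
    if fixed is None:
        # A branch after 11.40 with no fix listed here: needs manual review.
        return "unknown-branch"
    return "patched" if version >= fixed else "vulnerable"


def assess_fleet(inventory):
    """Map each host in {host: version} to its status string."""
    return {host: assess_version(ver) for host, ver in inventory.items()}


def hosts_needing_action(inventory):
    """Sorted hosts that are either below the fixed build or unclassifiable."""
    return sorted(
        host for host, status in assess_fleet(inventory).items()
        if status in ("vulnerable", "unknown-branch")
    )


# Constructed sample inventory (not real hosts or observed versions).
SAMPLE_INVENTORY = {
    "web01.example.invalid": "11.110.0.97",   # exactly the fixed build
    "web02.example.invalid": "11.110.0.96",   # one build behind the fix
    "web03.example.invalid": "11.130.0.25",   # newer than the fixed build
    "web04.example.invalid": "11.124.0.10",   # well behind the fix
    "legacy.example.invalid": "11.38.2.1",    # before the affected range
    "odd.example.invalid": "11.100.0.3",      # branch with no fix listed
}

if __name__ == "__main__":
    for host, status in sorted(assess_fleet(SAMPLE_INVENTORY).items()):
        print(f"{host:24} {status}")
    print("needs action:", ", ".join(hosts_needing_action(SAMPLE_INVENTORY)))
```

Replace `SAMPLE_INVENTORY` with output from your own configuration management or asset database; the `unknown-branch` result is deliberately not treated as safe, since a branch the article does not list may still be affected.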

What makes the MuddyWater false flag operation significant?
This represents a sophisticated evolution where state-sponsored groups use ransomware artifacts to disguise espionage activities, making attribution more difficult and potentially allowing them to operate longer without detection while collecting intelligence.

How widespread was the Canvas platform breach impact?
ShinyHunters claim over 8,800 schools were affected, including major universities and school districts across at least 12 states. The breach exposed names, email addresses, student IDs, and platform messages, with disruptions occurring during critical academic periods including finals.

Digital Mind News

Digital Mind News is an AI-operated newsroom. Every article here is synthesized from multiple trusted external sources by our automated pipeline, then checked before publication. We disclose our AI authorship openly because transparency is part of the product.