More than 40,000 servers have been compromised through exploitation of a critical cPanel zero-day vulnerability, while internal conflicts between ransomware groups have exposed rare operational details about cybercriminal infrastructure. The cPanel attacks target CVE-2026-41940, a critical authentication-bypass flaw that grants administrative access to affected systems.
Massive cPanel Exploitation Campaign Targets 1.5 Million Instances
According to The Shadowserver Foundation, threat actors are actively exploiting CVE-2026-41940, a critical vulnerability in cPanel & WebHost Manager (WHM) that allows unauthenticated attackers to gain administrative access to server management platforms. The vulnerability was disclosed on April 28, 2026, but exploitation likely began in late February as a zero-day attack.
The security flaw enables attackers to inject special characters into authorization headers, causing attacker-controlled parameters to be written to session files and triggering authentication with administrative credentials. This grants complete control over the host system, including all configurations, databases, and websites managed by the platform.
Rapid7 warned that approximately 1.5 million cPanel instances remain accessible from the internet, creating a massive attack surface. The Shadowserver Foundation reported that “44K unique IP number is based on cPanel spike of devices seen scanning/running exploits/brute force attacks against our honeypot sensors.” Most affected systems are located in the United States, followed by France and the Netherlands.
https://x.com/Shadowserver/status/2050208472386396568
All cPanel versions after 11.40 are vulnerable, with patches available in versions 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.124.0.35, 11.126.0.54, and 11.130.0.19.
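Because the fix for CVE-2026-41940 ships as a different build on each cPanel release branch, a fleet check has to compare against the right branch rather than a single "minimum version". The script below is an added example written for this article, not code from cPanel or from any of the cited sources: it encodes the per-branch fixed builds listed above, treats everything after 11.40 as affected (as the article states), and flags branches with no listed fix as needing vendor confirmation instead of assuming they are safe. The version-file path `/usr/local/cpanel/version` and the hostnames in the sample inventory are assumptions made for illustration; it also covers the FAQ advice further down about updating to the patched build for your branch.

```python
"""Check installed cPanel & WHM versions against the CVE-2026-41940 fix list."""
from pathlib import Path

# Lowest fixed build on each release branch, as listed in the article.
# Keys are (major, minor) branch identifiers.
PATCHED_BY_BRANCH = {
    (11, 86): (11, 86, 0, 41),
    (11, 110): (11, 110, 0, 97),
    (11, 118): (11, 118, 0, 63),
    (11, 124): (11, 124, 0, 35),
    (11, 126): (11, 126, 0, 54),
    (11, 130): (11, 130, 0, 19),
}
# The article states that every version after 11.40 is affected.
LAST_UNAFFECTED_BRANCH = (11, 40)

# Assumed location of the version string on a cPanel host (not taken from the article).
DEFAULT_VERSION_FILE = "/usr/local/cpanel/version"


def parse_version(text: str) -> tuple:
    """Turn '11.130.0.19' into a 4-tuple, padding missing trailing fields with 0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised cPanel version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return tuple(nums)


def assess(version_text: str) -> str:
    """Classify one version: 'not_affected', 'patched', 'vulnerable' or 'unknown_branch'."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch <= LAST_UNAFFECTED_BRANCH:
        return "not_affected"
    fix = PATCHED_BY_BRANCH.get(branch)
    if fix is None:
        # No fixed build is listed for this branch (end-of-life or not covered here):
        # report it for vendor confirmation rather than silently assuming it is safe.
        return "unknown_branch"
    return "patched" if version >= fix else "vulnerable"


def assess_fleet(inventory: dict) -> dict:
    """Group hosts by status so the ones needing action are easy to pull out."""
    grouped = {}
    for host, version_text in inventory.items():
        try:
            status = assess(version_text)
        except ValueError:
            status = "unparseable"
        grouped.setdefault(status, []).append(host)
    return grouped


def assess_local(path: str = DEFAULT_VERSION_FILE) -> str:
    """Assess the host this script runs on by reading its version file."""
    return assess(Path(path).read_text())


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up for illustration.
    sample = {
        "web01.example.test": "11.130.0.19",
        "web02.example.test": "11.130.0.12",
        "web03.example.test": "11.110.0.97",
        "legacy.example.test": "11.100.0.5",
        "old.example.test": "11.40.1.0",
        "broken.example.test": "n/a",
    }
    for status, hosts in sorted(assess_fleet(sample).items()):
        print(f"{status:14s} {', '.join(hosts)}")
```

A version string with fewer than four fields is padded with zeros, so "11.130" compares as older than the 11.130.0.19 fix and is reported as vulnerable; that conservative reading is deliberate, since an ambiguous inventory entry should prompt a look rather than a pass.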
Iranian APT Masquerades as Chaos Ransomware in Espionage Campaign
The Iran-linked APT group MuddyWater conducted a sophisticated intrusion campaign that masqueraded as a ransomware attack while pursuing traditional espionage objectives. Rapid7 reported that the operation, observed in early 2026, used social engineering through Microsoft Teams to establish initial access.
The attackers engaged victim organization employees via screen-sharing sessions, allowing them to steal credentials and manipulate multi-factor authentication protections. “While connected, the TA executed basic discovery commands, accessed files related to the victim’s VPN configuration, and instructed users to enter their credentials into locally created text files,” according to Rapid7’s analysis.
The threat actors deployed AnyDesk remote management tools and established persistent access through RDP sessions and DWAgent. They then moved laterally through the environment, harvesting and exfiltrating information before sending extortion emails claiming to have stolen data.
The attackers directed victims to the Chaos ransomware leak site, which listed the targeted organization as a victim. However, no file-encrypting ransomware was ever deployed, suggesting the Chaos artifacts were planted as false flags to conceal state-sponsored espionage activities.
Healthcare Ransomware Attack Affects 170,000 Patients
South Carolina-based Sandhills Medical Foundation disclosed a ransomware attack that compromised personal information of nearly 170,000 individuals. The healthcare provider discovered the attack on May 8, 2025, but only publicly disclosed the incident nearly one year later after completing forensic investigations.
Compromised data includes names, dates of birth, Social Security numbers, Taxpayer Identification Numbers, driver’s licenses, government-issued identification, passports, financial information, and personal health information. The Inc Ransom ransomware group listed Sandhills Medical on its leak website in early June 2025 and has since made allegedly stolen files available for download.
The delayed disclosure timeline highlights ongoing challenges in healthcare cybersecurity incident response, where organizations often require extensive forensic analysis before determining the full scope of compromised data.
Ransomware Groups Turn on Each Other, Exposing Operations
Infighting between ransomware groups 0APT and KryBit has provided rare insight into cybercriminal operations after the groups attacked each other’s infrastructure. The Halcyon Ransomware Research Center reported that both relatively new ransomware-as-a-service operations appear to have been left in shambles following their feud.
0APT emerged in late January 2026 with a fabricated list of nearly 200 victims but failed to gain traction or affiliates. The group reemerged in mid-April, claiming attacks against established ransomware operators including KryBit, Everest, and RansomHouse. KryBit, which launched in late March offering Windows, Linux, ESXi, and NAS-targeting ransomware kits with an 80/20 affiliate model, had published 10 legitimate victims in its first two weeks.
The conflict exposed infrastructure details and operational data typically hidden from security researchers, providing defenders with valuable intelligence about ransomware group operations and internal dynamics.
Karakurt Negotiator Receives 8.5-Year Prison Sentence
Deniss Zolotarjovs, a 35-year-old Latvian member of the Karakurt ransomware gang, was sentenced to 8.5 years in federal prison for his role in extorting victims. Zolotarjovs, who operated between June 2021 and March 2023, was responsible for analyzing stolen data and conducting ransom negotiations.
During his tenure with Karakurt, the group targeted at least 53 entities and caused $56 million in losses. Court documents show Zolotarjovs received 10% of negotiated ransom payments in cryptocurrency, which he converted to Russian rubles through multiple wallet transactions.
The case demonstrates law enforcement’s increasing success in tracking and prosecuting ransomware operators, particularly those involved in negotiation and money laundering activities rather than technical intrusions.
What This Means
The convergence of these security incidents highlights the evolving threat landscape where traditional boundaries between state-sponsored espionage, criminal ransomware operations, and infrastructure vulnerabilities increasingly overlap. The massive cPanel exploitation demonstrates how quickly threat actors can weaponize newly disclosed vulnerabilities at scale.
The Iranian APT false flag operation shows sophisticated actors adapting ransomware tactics for espionage purposes, potentially complicating attribution and response efforts. Meanwhile, infighting between ransomware groups provides rare visibility into criminal operations typically hidden from security researchers.
For organizations, these incidents underscore the critical importance of rapid patch deployment, robust backup strategies, and comprehensive incident response planning that accounts for both criminal and state-sponsored threats.
FAQ
How can organizations protect against cPanel exploitation?
Update immediately to the fixed build for your release branch (for example 11.86.0.41 or later on the 11.86 branch), follow cPanel’s compromise identification guidelines, and monitor for unauthorized administrative access. Organizations should also implement network segmentation to limit potential damage from compromised management interfaces.
What makes the Iranian APT false flag operation significant?
This represents a sophisticated blend of espionage and criminal tactics, where state-sponsored actors use ransomware infrastructure as cover for traditional intelligence gathering. The technique complicates attribution and may become more common as threat actors adapt to increased scrutiny.
Why did the Sandhills Medical breach take nearly a year to disclose?
Healthcare organizations often require extensive forensic analysis to determine the full scope of compromised patient data before public disclosure. The complexity of medical records and regulatory requirements can significantly extend investigation timelines, though this delay potentially increases patient risk.
Sources
- Iranian APT Intrusion Masquerades as Chaos Ransomware Attack – SecurityWeek
- Sandhills Medical Says Ransomware Breach Affects 170,000 – SecurityWeek
- Karakurt Ransomware Negotiator Sentenced to Prison – SecurityWeek
- Feuding Ransomware Groups Leak Each Other’s Data – Dark Reading
- Over 40,000 Servers Compromised in Ongoing cPanel Exploitation – SecurityWeek