cPanel Zero-Day Exploit Targets Gov, MSP Networks
Security researchers have uncovered an active campaign by a previously unknown threat group that is exploiting a critical, as-yet-unpatched vulnerability in cPanel to infiltrate government and military organizations across Southeast Asia. The campaign also extends to a limited set of managed service providers (MSPs) and hosting companies, suggesting a strategic focus on high-value infrastructure that can serve as a springboard for further intrusions.
The flaw, which resides in cPanel's web-based management interface, allows unauthenticated remote code execution under specific configurations. Threat actors are combining credentials harvested through phishing with the vulnerability to drop a lightweight backdoor that maintains persistence through scheduled tasks. Early indicators of compromise include unusual outbound traffic on ports 443 and 8080, as well as the presence of a modified cPanel binary whose timestamp falls within the exploit window.
The campaign’s primary targets are ministries of defense, intelligence agencies, and adjacent civilian agencies in the region, while the secondary cluster of MSPs appears to be a conduit for scaling the operation. Once a provider’s server is compromised, the attackers can pivot to client networks, amplifying the potential blast radius of the intrusion.
Organizations using cPanel are urged to apply any available security updates, restrict access to the management UI to trusted IP ranges, and monitor for the identified IOCs. Until an official patch is released, deploying web application firewalls with custom rules that block the observed exploit patterns, and enabling enhanced logging for authentication events, can help mitigate the risk.