Severity: CRITICAL

The Threat

A previously unknown threat actor has been observed actively weaponizing a recently disclosed critical vulnerability in cPanel, one of the world's most widely deployed web hosting control panels. The campaign has already hit government and military entities in Southeast Asia, alongside managed service providers (MSPs) and hosting providers in the Philippines, Laos, Canada, South Africa, and the United States.

This is not a proof-of-concept. This is active, in-the-wild exploitation by a sophisticated actor who has moved fast from disclosure to weaponization. The targeting of South Africa confirms the threat actor has African infrastructure on its radar, and the MSP-targeting pattern is a direct warning signal for East Africa's growing hosting and managed services ecosystem.

cPanel is the backbone of web hosting for thousands of government portals, bank landing pages, fintech platforms, and enterprise websites across Kenya, Ethiopia, Somalia, Uganda, Tanzania, and Rwanda. If your hosting provider or internal team runs cPanel, you are exposed until patched.

Impact Assessment for East Africa

Government portals and e-citizen platforms in Kenya, Ethiopia, and Somalia frequently rely on shared hosting environments powered by cPanel. A successful exploit gives an attacker full administrative control over the hosting environment, meaning they can steal credentials, plant backdoors, deface public-facing sites, or pivot into internal networks.

For East African banks and fintechs, the risk is compounded. Many small-to-mid-tier financial institutions outsource their web presence to local MSPs that run cPanel. A single compromised MSP becomes a gateway into multiple client environments simultaneously. This is a classic supply chain attack surface that regulators under the Central Bank of Kenya (CBK) Cybersecurity Guidelines and the Bank of Tanzania's risk frameworks specifically call out as a third-party risk.

For telecoms and critical infrastructure operators using cPanel-based billing portals or customer self-service platforms, exploitation could expose subscriber data, triggering obligations under the Kenya Data Protection Act 2019 and equivalent frameworks in Uganda and Rwanda. Breach notification timelines are short, and penalties are real.

Immediate Actions - Do These Now

  • Patch cPanel immediately. Apply the latest security update from cPanel's official channels. Do not wait for your hosting provider to push it automatically. Confirm that the installed version actually matches the patched release rather than assuming the update succeeded, and have your team verify it.
  • Audit all MSP and third-party hosting relationships. Contact every hosting provider or MSP that manages any part of your web infrastructure and demand written confirmation of patch status within 24 hours. This is a third-party risk management obligation under ISO 27001 Annex A.15.
  • Review cPanel access logs for anomalous activity. Look for unexpected logins, new admin accounts, unfamiliar IP addresses, and unusual file modification timestamps. Threat actors in this campaign are known to establish persistence quickly after initial access.
  • Restrict cPanel access by IP whitelist. If cPanel's management interface is exposed to the public internet, lock it down to known IP ranges immediately. There is no operational reason for WHM or cPanel login pages to be publicly accessible.
  • Scan for webshells and backdoors. Use tools such as ClamAV, ImunifyAV, or a professional threat hunting engagement to check for webshells or malicious scripts that may have been planted before your patch was applied.
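The log review and IP-restriction steps above can be turned into a repeatable check. The script below is an added illustration, not part of this advisory or of cPanel's own tooling: it assumes an Apache combined-style access log line (client IP, user, timestamp, request, status), an allowlist of trusted networks, and hypothetical WHM account-creation paths, and it flags successful logins from outside the allowlist and any account-creation request, over a constructed sample log.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed record shape (not from the advisory): Apache combined-style lines as
# written by many control-panel access logs:
#   <ip> - <user> [<timestamp>] "<method> <path> <proto>" <status> <bytes>
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Hypothetical WHM account-creation paths; confirm against your own version.
ACCOUNT_CREATE_PATHS = ("/scripts/createacct", "/json-api/createacct")


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_anomalies(log_text, allowed_networks, create_paths=ACCOUNT_CREATE_PATHS):
    """Flag successful logins from outside the allowlist and any account creation."""
    allowed = [ip_network(n) for n in allowed_networks]
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip = ip_address(rec["ip"])
        trusted = any(ip in net for net in allowed)
        success = rec["status"].startswith("2")
        if rec["method"] == "POST" and rec["path"].startswith("/login") and success and not trusted:
            findings.append(("login_outside_allowlist", rec["user"], rec["ip"], rec["ts"]))
        if any(rec["path"].startswith(p) for p in create_paths):
            findings.append(("account_creation", rec["user"], rec["ip"], rec["ts"]))
    return findings


# Constructed sample: two routine requests from the office range, then a login
# and an account creation at 03:14 from an address that is not on the allowlist.
SAMPLE_LOG = """\
203.0.113.10 - admin [05/Jan/2025:08:01:12 +0300] "POST /login/ HTTP/1.1" 200 512
203.0.113.10 - admin [05/Jan/2025:08:02:40 +0300] "GET /scripts/listaccts HTTP/1.1" 200 2048
198.51.100.77 - root [05/Jan/2025:03:14:05 +0300] "POST /login/ HTTP/1.1" 200 512
198.51.100.77 - root [05/Jan/2025:03:15:22 +0300] "POST /scripts/createacct HTTP/1.1" 200 900
"""

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG, ["203.0.113.0/24"]):
        print(*finding)
```

Every account-creation event is reported even from trusted addresses, so each one should be matched against a change ticket before it is dismissed.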

DRONGO Recommendation

DRONGO's SOC team is actively monitoring indicators of compromise linked to this campaign across East African infrastructure. If your organization relies on cPanel-based environments - directly or through a hosting partner - our team can conduct an emergency vulnerability assessment, review your third-party hosting risk posture, and confirm whether your environment has been touched.

Is your organization protected? Request a free security assessment.