The Short Version
- A commercial hosting product became a military intelligence target. CVE-2026-41940 in cPanel reached government networks in Guam, Philippine military units, and Lao ministries, exploited for roughly two months before a patch existed.
- The federal cybersecurity agency was breached through the tool it had just ordered everyone to patch. CISA itself fell to the Ivanti Connect Secure vulnerabilities it had issued an Emergency Directive about days earlier, with the European Commission hit by new Ivanti EPMM CVEs in January 2026.
- Five years of undetected access inside US power, water, and transportation networks. Volt Typhoon, the Chinese state actor, used only living-off-the-land techniques and compromised SOHO routers, with no custom malware and no anomalous behaviour, for half a decade.
- The system US law enforcement uses to surveil others was surveilled by China. Salt Typhoon accessed the CALEA lawful intercept infrastructure and obtained the near-complete list of phone numbers under active US surveillance, plus audio of Trump and Vance campaign staff calls.
- One vendor’s zero-day became a federal compromise vector in four days. MOVEit CVE-2023-34362 cascaded through the Department of Energy, OPM, DOJ, multiple DoD components, and the records of 95,000 children in Minnesota’s foster care system.
- Patching did not clean the device. Fortinet’s CVE-2024-21762 came with a backdoor that survived firmware updates through a symbolic-link persistence trick. Organisations that thought they had patched remained compromised.
- The federal patch cadence itself is breaking down. CISA’s catalog of actively exploited vulnerabilities grew 20% in one year, with patch deadlines compressed from 19.7 to 14.4 days and 3-day windows now proposed for the most critical CVEs.
The Structural Numbers Before the Case Files
Before the cases, the baseline:
- Global average breach cost (2024): $4.88 million, up 10% year-over-year (IBM Cost of a Data Breach Report)
- Public sector average: below the all-industry mean per IBM 2024 report
- Average breach lifecycle: 258 days from initial intrusion to containment
- CISA Known Exploited Vulnerabilities catalog: 1,484 entries at end of 2025, up from 1,239 at end of 2024 (+20%)
- Ransomware-linked exploits in KEV: 304 entries (20.5% of catalog)
- Federal patch deadline compression: 19.7 days (2025) → 14.4 days (2026), proposed 3 days for the most critical CVEs
The lower public-sector breach cost does not mean governments are managing incidents better. It reflects what is disclosed and quantifiable, not the national security value of exfiltrated intelligence, the cost of compromised surveillance operations, or the long-term damage from multi-year intrusions in critical infrastructure that were never publicly reported. For 258 days on average, the breach is happening.
The deadline compression is an explicit admission: longer patch windows are not being used effectively.
Case 1: cPanel CVE-2026-41940 in Guam, Philippines, and Laos
Key facts. Authentication bypass via CRLF injection in cPanel and WHM login and session-loading. CVSS 9.8. Exploited as zero-day from February 23, 2026 (roughly two months before patch). Patch released April 28, 2026. Active targeted exploitation confirmed May 2, 2026. Estimated 1.5 million internet-exposed cPanel server instances globally.
The technical mechanism: an attacker sends an HTTP request with a Basic Authorization header containing raw carriage return and line feed characters. These inject arbitrary session properties, including user=root, directly into unvalidated session files. The result is complete authentication bypass without credentials.
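An added illustration of the defensive side of that mechanism, not cPanel's code (the key=value session layout and the property names are assumptions): a request-side check that refuses any Basic credential carrying control bytes, whether raw in the header line or inside the base64-decoded value, beside a session writer that takes `user` only from the server's own authentication result.

```python
import base64
import binascii
import re

# Any ASCII control byte (CR, LF, NUL, ...) in an Authorization header, whether raw
# in the header line or hidden inside the base64-decoded credential, has no
# legitimate use and is the signature of the CRLF injection class described above.
CONTROL_BYTES = re.compile(rb"[\x00-\x1f\x7f]")


def inspect_basic_auth(header_value: str) -> dict:
    """Classify one Authorization header value before it reaches session handling.
    verdict is 'allow' only for a well-formed Basic credential with no control bytes."""
    raw = header_value.encode("latin-1", errors="replace")
    if CONTROL_BYTES.search(raw):
        return {"verdict": "block", "reason": "control byte in raw header", "user": None}
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return {"verdict": "block", "reason": "not a Basic credential", "user": None}
    try:
        decoded = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return {"verdict": "block", "reason": "credential is not valid base64", "user": None}
    if CONTROL_BYTES.search(decoded):
        return {"verdict": "block", "reason": "control byte in decoded credential", "user": None}
    user, sep, _password = decoded.partition(b":")
    if not sep or not user:
        return {"verdict": "block", "reason": "credential lacks user:password form", "user": None}
    return {"verdict": "allow", "reason": "well-formed", "user": user.decode("utf-8", "replace")}


def session_record(authenticated_user: str, extra: dict) -> str:
    """Build a key=value session record (assumed layout, not cPanel's real format).
    'user' comes only from the server-side authentication result; request-derived
    properties may never set it, and no key or value may contain a line break."""
    record = {"user": authenticated_user}
    for key, value in extra.items():
        if (key == "user"
                or not re.fullmatch(r"[A-Za-z0-9_]+", key)
                or CONTROL_BYTES.search(str(value).encode())):
            raise ValueError(f"rejected session property {key!r}")
        record[key] = str(value)
    return "".join(f"{k}={v}\n" for k, v in record.items())


def demo() -> dict:
    """Constructed header samples (not captured traffic) run through the check."""
    b64 = lambda s: base64.b64encode(s).decode()
    samples = {
        "normal": "Basic " + b64(b"alice:s3cret"),
        "raw_crlf": "Basic " + b64(b"alice:s3cret") + "\r\nX-Injected: 1",
        "decoded_crlf": "Basic " + b64(b"alice:pw\r\nuser=root"),
        "bad_base64": "Basic not*base64",
        "wrong_scheme": "Bearer abc",
    }
    return {name: inspect_basic_auth(value)["verdict"] for name, value in samples.items()}
```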
On May 2, the Government of Guam activated its cyber incident response procedures after multiple government websites were confirmed compromised. Affected sites:
- guamlegislature.gov
- Office of Technology (otech.guam.gov)
- Guam Police Department (gpd.guam.gov)
Governor Lou Leon Guerrero notified the FBI, CISA, and the Mariana Regional Fusion Center. Authorities reviewed worst-case scenarios including data exfiltration, deletion, and ransomware encryption. No confirmed theft of sensitive personal data was disclosed in the incident announcement.
The government and military targeting documented by threat intelligence firm Ctrl-Alt-Intel was specific. Confirmed targets in the Philippines:
- Philippine Coast Guard
- Philippine Air Force 15th Strike Wing
- Philippine Government Arsenal (Department of National Defense)
Confirmed targets in Laos:
- Ministry of National Defence
- Ministry of Natural Resources and Environment
Hosting-sector victims: MSPs and hosting providers in the Philippines, Laos, Canada, South Africa, and the United States, with KnownHost and Namecheap among named victims.
The actor deployed the AdaptixC2 command-and-control framework with OpenVPN and Ligolo for persistent access and network pivoting, and used a masqueraded systemd service named systemd-update.service to maintain access across reboots.
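An added triage scan, not from the Ctrl-Alt-Intel report, that generalises the systemd-update.service indicator above: it reports unit files that borrow the systemd- name prefix without coming from the systemd package, either because they sit as regular files in an administrator directory or because their ExecStart points outside systemd's own paths. The sample unit contents and the temporary directory tree are constructed for the demo.

```python
import tempfile
from pathlib import Path

# Directories the systemd package installs its own units into. A unit whose name
# starts with "systemd-" but exists as a regular file elsewhere (for example
# /etc/systemd/system) was written by an administrator or an intruder, not the package.
PACKAGE_UNIT_DIRS = ("usr/lib/systemd/system", "lib/systemd/system")
ADMIN_UNIT_DIRS = ("etc/systemd/system", "run/systemd/system")

# Where the binaries referenced by genuine systemd-* units live (extend per distribution).
GENUINE_EXEC_PREFIXES = ("/usr/lib/systemd/", "/lib/systemd/", "/usr/bin/systemd-",
                         "/bin/systemd-", "/usr/bin/udevadm", "/usr/bin/journalctl")


def exec_start_targets(unit_text: str) -> list:
    """Return the executable path from every ExecStart= line, stripping the
    special prefix characters systemd allows (-, @, +, !, :)."""
    targets = []
    for line in unit_text.splitlines():
        line = line.strip()
        if not line.startswith("ExecStart="):
            continue
        value = line.split("=", 1)[1].strip().lstrip("-@+!:")
        if value:
            targets.append(value.split()[0])
    return targets


def scan_units(root: str = "/") -> list:
    """Walk the unit directories beneath `root` and report systemd-* units that do not
    look like they came from the package. `root` lets the scan run against a mounted
    image or a test tree instead of the live host."""
    findings = []
    for rel in PACKAGE_UNIT_DIRS + ADMIN_UNIT_DIRS:
        unit_dir = Path(root) / rel
        if not unit_dir.is_dir():
            continue
        for unit in unit_dir.glob("systemd-*.service"):
            if unit.is_symlink():
                continue  # enablement links live under *.wants/; a link is not our signal
            reasons = []
            if rel in ADMIN_UNIT_DIRS:
                reasons.append(f"regular unit file in {rel}, which the package never writes to")
            for target in exec_start_targets(unit.read_text(errors="replace")):
                if not target.startswith(GENUINE_EXEC_PREFIXES):
                    reasons.append(f"ExecStart outside systemd paths: {target}")
            if reasons:
                findings.append({"unit": unit.name, "path": str(unit), "reasons": reasons})
    return findings


def build_demo_tree(base: str) -> None:
    """Write two constructed units: a genuine-looking systemd-update-utmp.service in the
    package directory and a masqueraded systemd-update.service (the name from the cPanel
    campaign) in /etc. The ExecStart path of the second is a made-up sample, not an IoC."""
    pkg = Path(base) / "usr/lib/systemd/system"
    etc = Path(base) / "etc/systemd/system"
    pkg.mkdir(parents=True)
    etc.mkdir(parents=True)
    (pkg / "systemd-update-utmp.service").write_text(
        "[Service]\nExecStart=/usr/lib/systemd/systemd-update-utmp runlevel\n")
    (etc / "systemd-update.service").write_text(
        "[Unit]\nDescription=System update\n[Service]\n"
        "ExecStart=/var/tmp/.cache/agent\nRestart=always\n")


def demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan_units(tmp)
```

Add any distribution-specific helper paths to GENUINE_EXEC_PREFIXES before pointing it at a real host; a hit is a lead for inspection, not a verdict.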
The more significant finding from Ctrl-Alt-Intel was what the campaign’s exposed C2 server revealed beyond the cPanel intrusions. The same threat actor had conducted a separate operation in March 2026, weeks before CVE-2026-41940 was publicly known, exfiltrating 110 files totaling approximately 4.37 GB from the China Railway Society Electrification Committee. The stolen files span 2020 to 2024 and include conference materials, engineering documents on traction power and high-speed rail systems, and payment workbooks containing names, PRC national ID numbers, bank account numbers, and phone numbers.
The same actor also deployed a custom SQL injection exploit chain against an Indonesian defence-sector training portal, bypassing its CAPTCHA by reading the expected value from the server-issued session cookie, then escalating to remote code execution via PostgreSQL’s COPY ... TO PROGRAM capability. The attacker’s Python tooling contained Vietnamese-language comments throughout. Ctrl-Alt-Intel declined to attribute the campaign to any specific country, noting the comments could be a deliberate false flag.
The picture this paints is concrete: CVE-2026-41940 was one tool in the toolkit of an actor already conducting regional intelligence collection for months before the cPanel zero-day became public. cPanel’s prevalence in government and hosting infrastructure globally meant the zero-day reached military networks that would not otherwise be accessible through a single commercial hosting product.
Case 2: Ivanti Connect Secure at CISA and the European Commission
Key facts. CVE-2023-46805 (CVSS 8.2, authentication bypass) + CVE-2024-21887 (CVSS 9.1, command injection) chained for unauthenticated remote code execution. CISA Emergency Directive issued January 19, 2024. Physical disconnection ordered February 1, 2024. ~2,200 devices compromised globally before mitigation. CISA itself was breached through the same vulnerabilities. Continued in January 2026 with CVE-2026-1281 and CVE-2026-1340 (Ivanti EPMM, CVSS 9.8) hitting the European Commission within 24 hours of disclosure.
On January 19, 2024, CISA issued an Emergency Directive ordering all US federal civilian agencies to immediately mitigate the two Ivanti Connect Secure vulnerabilities. On February 1, 2024, CISA escalated and ordered agencies to physically disconnect all Ivanti Connect Secure and Policy Secure products within 48 hours.
In early March 2024, CISA confirmed that two of its own systems running Ivanti products had been compromised. The breached systems:
- A system containing data on critical infrastructure interconnections, specifically the tools used by water utilities, chemical facilities, and other critical sector operators to share data with the federal government.
- A system related to CISA’s chemical security program.
Attackers had stolen device credentials and in some cases compromised domain accounts. The agency responsible for federal cybersecurity was breached through vulnerabilities in its own security infrastructure, during the same period it was directing every other federal agency to patch those vulnerabilities.
In January 2026, a new pair of critical Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities (CVE-2026-1281 and CVE-2026-1340) hit the European Commission within 24 hours of disclosure. The January 30, 2026 attack accessed names and mobile numbers of European Commission staff before being contained in 9 hours. Additional confirmed victims in the same campaign:
- Dutch Data Protection Authority (employee names, emails, phones stolen)
- Dutch Judicial Council (same data set)
- Finnish government
- UK healthcare networks
- Canadian government systems
- Singapore-based organisations
Researchers discovered “sleeper” webshells planted in compromised instances for future re-entry after patching.
Case 3: Volt Typhoon and Five Years Inside US Critical Infrastructure
Key facts. PRC state-sponsored actor (also tracked as VANGUARD PANDA, BRONZE SILHOUETTE). Targets: US communications, energy, transportation systems, and water/wastewater sectors. Joint advisory from CISA, NSA, FBI plus Australia, Canada, UK, New Zealand on February 7, 2024. Up to five years of undetected access at some victims. Goal: pre-positioning for destructive or disruptive attacks during a potential military conflict with China, not intelligence collection.
Most of the cases in this article involve data theft, ransomware, or credential harvesting. Volt Typhoon is different. The operational method was designed specifically to avoid detection:
- Living off the land: exclusive use of legitimate system tools and built-in administrative commands.
- Compromised SOHO routers as proxy relay nodes: Cisco, Netgear, Asus units used to mask Chinese origin of traffic.
- No custom malware. No unusual processes. No anomalous software installation.
- Just administrative tools doing administrative things, for five years, on critical infrastructure networks.
In January 2024, the FBI announced court-authorised operations to remove Volt Typhoon implants from compromised routers on US soil. Removing implants from the edge devices does not undo what multi-year dwell time on critical infrastructure networks produces: network maps, collected access credentials, and an operational understanding of how the target systems fail.
Case 4: Salt Typhoon Compromises the US Wiretap System
Key facts. Chinese Ministry of State Security operation. Active 1-2 years before September 2024 public exposure. Nine US telecom companies confirmed compromised, including Verizon, AT&T, T-Mobile, Lumen, Spectrum. 80+ countries targeted. CALEA lawful intercept infrastructure breached: the system US telecom carriers are legally required to maintain so that law enforcement can conduct court-authorised surveillance. FBI announced a $10 million bounty on Salt Typhoon individuals in April 2025.
Entry vectors (combination of perimeter security CVEs):
- CVE-2024-3400 (PAN-OS GlobalProtect, CVSS 10.0)
- CVE-2024-21887 (Ivanti Connect Secure, the same CVE that hit CISA)
- CVE-2023-20198 and CVE-2023-20273 (Cisco IOS XE)
- CVE-2021-26855 (legacy Microsoft Exchange ProxyLogon, still being exploited years after patches were available)
The critical breach was the CALEA system. Salt Typhoon accessed it and obtained:
- A near-complete list of phone numbers under active US surveillance, revealing which Chinese intelligence operatives US counterintelligence had identified.
- Audio recordings of calls involving Trump and JD Vance campaign staff.
- Metadata covering call timestamps, source and destination IPs, and phone numbers for over 1 million users.
The escalation continued through 2024 and 2025:
- March-December 2024: extensively compromised a US state’s Army National Guard network, stealing administrator credentials, network traffic diagrams, geographic location maps of state facilities, and PII of service members.
- June 2025 DHS memo (obtained via FOIA): documented Salt Typhoon exfiltration of 1,462 network configuration files from approximately 70 government agencies and critical infrastructure organisations across 12 sectors. Those configuration files were being reused to exploit additional agencies.
- December 2025: multiple US House of Representatives committees confirmed compromised.
Case 5: MOVEit CVE-2023-34362 Cascades Through Federal Agencies
Key facts. SQL injection zero-day in Progress Software’s MOVEit Transfer managed file transfer product. Exploited by Cl0p (Russian-affiliated ransomware group) from May 27, 2023. Patch available May 31, 2023 (4 days). ~2,700 organisations compromised. 93.3 million individuals exposed. Over 80% of confirmed victims US-based.
Confirmed federal victims included:
- Department of Energy (two entities: Oak Ridge Associated Universities and the Waste Isolation Pilot Plant in Carlsbad, New Mexico, which received ransom demands)
- Office of Personnel Management (government employee email addresses and internal tracking codes)
- Department of Justice
- Department of Defense components: Air Force, Army, US Army Corps of Engineers, Office of the Secretary of Defense
- Louisiana Office of Motor Vehicles and Oregon Driver and Motor Vehicle Services (millions of residents’ data)
- Minnesota Department of Education: names, dates of birth, and placement counties of approximately 95,000 children in foster care
The MOVEit breach is the clearest illustration of the supply chain risk in government IT procurement. The affected agencies were not running MOVEit because of negligence. They were running it because it was on approved vendor lists, widely deployed, and integrated into federal data-sharing workflows. One SQL injection zero-day in one vendor’s product cascaded through dozens of federal agencies simultaneously. The patch window in which the damage could have been contained was four days.
Case 6: Fortinet and the Backdoor That Survived Firmware Updates
Key facts. Multiple critical FortiOS and FortiGate CVEs. CVE-2024-21762 (CVSS 9.8, FortiOS SSL VPN RCE) added to CISA KEV on February 9, 2024, the day after disclosure. CVE-2024-55591 (CVSS 9.8, auth bypass) exploited from November 2024, public January 14, 2025. ~48,000 internet-facing FortiGate devices affected. Persistent malicious files survived firmware updates via SSL-VPN language file symbolic link.
Fortinet products, widely deployed as perimeter security devices in government and enterprise networks, have been the entry point for multiple major campaigns. CVE-2024-21762 was exploited by:
- Akira ransomware
- Qilin ransomware
- Chinese state-linked actors
In April 2025, Fortinet disclosed that threat actors had planted malicious files in compromised FortiGate devices that survived firmware updates. The persistence mechanism used a symbolic link in the customer SSL-VPN language file folder to maintain read-only access to the file system, including configuration files and credentials, even after the vulnerability was patched and the device was rebooted. Organisations that patched CVE-2024-21762 months earlier may have remained compromised through this persistence mechanism without knowing it.
The escalation continued:
- January 15, 2025: a group identifying as “Belsen Group” published on the dark web a dump of stolen data from approximately 15,000 organisations, including firewall configurations, IP addresses, and credentials.
- A LockBit-linked actor operating as “Mora_001” chained CVE-2024-55591 with CVE-2025-24472 (second authentication bypass disclosed February 11, 2025) to deploy a stripped variant of LockBit 3.0 called “SuperBlack”.
- December 2025: federal agencies given a one-week deadline (until December 23, 2025) to mitigate two additional critical Fortinet authentication bypasses (CVE-2025-59718 and CVE-2025-59719). The compressed deadline indicates active exploitation at disclosure.
Six Cases at a Glance
Cross-case reference for security teams and procurement decision-makers, compiled from the key facts of each case:
- Case 1, cPanel: CVE-2026-41940; exploited as a zero-day for roughly two months before the April 28, 2026 patch; Guam government sites, Philippine military units, Lao ministries, hosting providers and MSPs.
- Case 2, Ivanti: CVE-2023-46805 + CVE-2024-21887 (Connect Secure), CVE-2026-1281 + CVE-2026-1340 (EPMM); ~2,200 devices compromised; CISA, the European Commission, Dutch and Finnish government bodies.
- Case 3, Volt Typhoon: no product CVE, living-off-the-land access via compromised SOHO routers; up to five years of dwell time; US communications, energy, transportation, and water sectors.
- Case 4, Salt Typhoon: CVE-2024-3400, CVE-2024-21887, CVE-2023-20198 and CVE-2023-20273, CVE-2021-26855; active 1-2 years before exposure; nine US telecoms, CALEA intercept infrastructure, a state Army National Guard network, ~70 agencies.
- Case 5, MOVEit: CVE-2023-34362; exploited 4 days before the patch; ~2,700 organisations and 93.3 million individuals, including DOE, OPM, DOJ, and DoD components.
- Case 6, Fortinet: CVE-2024-21762, CVE-2024-55591, CVE-2025-24472, CVE-2025-59718 and CVE-2025-59719; CVE-2024-55591 exploited for about two months before disclosure; ~48,000 devices, with persistence that survived firmware updates.
What All Six Cases Share
Across these cases, the technical details differ but the structural pattern does not.
- Perimeter security and network management products from the approved vendor ecosystem (cPanel, Ivanti, Fortinet, Palo Alto Networks, Progress Software) are the consistent entry points. These are not obscure tools; they are specifically mandated or recommended for government use, deployed at scale because they are widely trusted.
- The Ivanti incidents are the sharpest version of the problem. A product category called “secure access” or “VPN gateway” became one of the most reliable initial access vectors in 2024-2025. CISA’s own Ivanti systems were compromised in the same exploitation wave CISA was directing agencies to remediate. The European Commission was breached through Ivanti EPMM within hours of a new CVE pair’s disclosure.
- Volt Typhoon’s five-year dwell time is the extreme case of what this structural vulnerability enables over time. Pre-positioned access on energy, water, and transportation infrastructure, established through compromised SOHO routers and maintained through legitimate administrative tools, represents an attack surface categorically different from a ransomware incident.
- The patch window itself is the false security. CVE-2026-41940 was exploited for roughly two months before a patch existed. CVE-2024-55591 was exploited for approximately two months before public disclosure. CVE-2023-34362 was exploited for 4 days before a patch. In each case, the window for unpatched exploitation was not days or weeks on the calendar; it was the operational window for campaigns that extracted credentials, planted persistence mechanisms, and moved laterally before patching was even possible.
The CISA KEV deadline compression from 19.7 days to 14.4 days to a proposed 3-day window is an admission that the existing patch cadence is incompatible with the exploitation speed of modern campaigns. Shorter CISA deadlines address the post-disclosure patching problem. They do not address the zero-day exploitation problem that precedes them.
Five Audits Worth Doing Before the Next Disclosure
Five concrete actions that follow from the pattern across all six cases:
- Audit perimeter security product exposure. Inventory every Ivanti, Fortinet, Palo Alto Networks, Progress Software, and cPanel deployment with internet-facing access. These are the consistent entry points across all six cases. Anything internet-exposed from this vendor list deserves a fresh look this quarter.
- Validate that “patched” actually means “clean.” Fortinet’s symbolic-link persistence trick survived firmware updates. Treat patched as a starting point, not an end state, until verified through configuration audit, credential rotation, and forensic baseline comparison.
- Monitor for living-off-the-land indicators on critical infrastructure networks. Volt Typhoon ran for five years using only legitimate administrative tools. Conventional malware detection misses this. Watch for unusual administrative command patterns, lateral movement through legitimate accounts, and SOHO router compromise as relay nodes (Cisco, Netgear, Asus models specifically).
- Treat the pre-disclosure exploitation window as the real risk surface. CISA KEV deadlines protect against post-disclosure exploitation. They do not protect against the average 60-day-plus pre-disclosure exploitation window that affected cPanel and Fortinet. Threat models need to account for this gap, not just patch cadence after a CVE goes public.
- For hosting providers and MSPs: vendor approval is not security. The MOVEit, cPanel, and Ivanti cases all reached government and military networks through commercial hosting and approved-vendor infrastructure. Customers and procurement teams treated vendor approval as a security signal. The six cases show it is not.
Three Predictions from the Pattern
Three structural shifts likely in the next twelve months:
- Compressed exploitation windows from disclosure to weaponisation. The CISA 3-day deadline proposal exists because attackers are operationalising new CVEs in hours, not weeks. This trend will continue as automated exploit chains and AI-assisted exploit development lower the time-to-weaponise.
- More Volt Typhoon-style pre-positioning, fewer ransomware-style headlines. Once a state actor demonstrates multi-year stealth access on critical infrastructure, others replicate the method. The visible cases (ransomware, data theft) are the noisy ones. The strategic ones increasingly look like Volt Typhoon: nothing observable, until something happens.
- Pressure on approved-vendor-list policy. Every case in this file involved a vendor on a federal approved list. That correlation will eventually surface in procurement reform, vendor liability debate, or both. The current model where “approved” implies “safe to deploy at scale across critical infrastructure” is becoming politically untenable.
Natalia Nowak
Exploring the web hosting industry through writing - panels, providers, and everything that runs behind the scenes.
Sources
- CVE-2026-41940 - NVD / NIST (official)
- Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks - The Hacker News
- Critical cPanel and WHM Bug Exploited as a Zero-Day, PoC Now Available - Bleeping Computer
- cPanel Zero-Day Exploited for Months Before Patch Release - Help Net Security
- CVE-2026-41940: cPanel and WHM Authentication Bypass - Rapid7
- South-East Asian Military Entities Targeted via cPanel - Ctrl-Alt-Intel
- Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways - CISA (official)
- US Gives Federal Agencies 48 Hours to Disconnect Flawed Ivanti VPN Tech - TechCrunch
- CISA Attacked in Ivanti Vulnerabilities Exploit Rush - Cybersecurity Dive
- EU and Dutch Government Announce Hacks Following Ivanti Zero-Days - The Record
- PRC State-Sponsored Actors Compromise US Critical Infrastructure (Volt Typhoon) - CISA Advisory AA24-038a (official)
- CISA: Volt Typhoon Had Access to Some US Targets for 5 Years - TechTarget
- National Guard Was Hacked by China's Salt Typhoon Group, DHS Memo Says - NBC News
- Salt Typhoon Hackers Targeted Over 80 Countries, FBI Says - Nextgov/FCW
- CVE-2023-34362 MOVEit SQL Injection - NVD / NIST (official)
- US Confirms Federal Agencies Hit by MOVEit Breach - TechCrunch
- CVE-2024-55591 Fortinet FortiOS Auth Bypass - NVD / NIST (official)
- New SuperBlack Ransomware Exploits Fortinet Auth Bypass Flaws - Bleeping Computer
- Fortinet Releases Advisory on New Post-Exploitation Technique - CISA (official)
- Operation MidnightEclipse: CVE-2024-3400 PAN-OS GlobalProtect - Palo Alto Unit 42
- CISA KEV Surged 20% in 2025 - Cyble
- IBM Cost of a Data Breach Report 2024 - IBM Newsroom (official)