The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) shared a critical alert late last week, warning of hackers actively targeting Australian organisations via a critical vulnerability impacting cPanel & WHM and WP Squared products.
“ASD’s ACSC is aware of active exploitation in Australia of a critical vulnerability (CVE-2026-41940) affecting cPanel/WHM products,” the ACSC said in a 1 May critical alert.
“The vulnerability is an authentication bypass, which can allow unauthenticated remote attackers to gain access to the control panel, as well as conduct remote code execution (RCE).”
The vulnerability – first disclosed by cPanel on 26 April – has a CVSS score of 9.8 and affects all versions of cPanel after 11.40, which dates back to 2013. A patch is available as of 30 April.
According to cyber security firm Rapid7, exploitation of CVE-2026-41940 may date back several months.
“A managed cPanel host, KnownHost, stated that CVE-2026-41940 is actively being exploited in the wild, with speculation of targeted zero-day exploitation happening as early as February 23, 2026, prior to the vulnerability’s public disclosure,” Rapid7 said in a blog post last updated on 1 May.
“Successful exploitation of CVE-2026-41940 grants an attacker control over the cPanel host system, its configurations and databases, and websites it manages. A naive Shodan query for potential targets returns approximately 1.5 million cPanel instances exposed to the internet that may be vulnerable.”
Benjamin Harris, CEO and founder of watchTowr, said the vulnerability impacts a “meaningful chunk of the internet” and that many providers were scrambling to address the issue.
“Within hours of the advisory dropping, nearly every major hosting provider on the planet had firewalled their own customers off their own product. hosting.com, Namecheap, KnownHost, HostPapa, InMotion, and the rest all pulled the emergency brake because the alternative was watching their entire customer base get owned in real-time,” Harris said.
“Once again, we’re running around with half the internet seemingly ablaze, and given the increased usage of AI in vulnerability research, we anticipate this new normal to become increasingly familiar.”
You can read watchTowr’s full analysis here.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.