A critical authentication bypass vulnerability in cPanel has been under active exploitation since February, two months before the vendor issued a patch. CVE-2026-41940 carries a CVSS score of 9.8 and allows unauthenticated attackers to gain complete administrative control over web hosting servers. At its peak, the Shadowserver Foundation recorded 44,000 compromised IP addresses participating in scanning and brute-force attacks.
cPanel disclosed the flaw on 28 April 2026, but KnownHost CEO Daniel Pearson confirmed to security researchers that his firm had detected exploitation attempts as early as 23 February. The vulnerability affects all cPanel and WebHost Manager versions released after v11.40, covering approximately 1.5 million internet-facing instances according to Shodan scans conducted by Rapid7.
The authentication bypass stems from missing validation in the cpsrvd service daemon. Attackers manipulate the whostmgrsession cookie by omitting an expected segment, which bypasses the encryption process entirely. No elaborate exploit tooling, no complex malware, just a malformed cookie that grants full server control.
Multi-Group Ransomware Campaigns Target Government Networks
The exploitation has evolved beyond opportunistic attacks. Censys researchers identified 8,859 hosts exposing directories with filenames ending in “.sorry”, the signature of a Go-based Linux ransomware that encrypts files and wipes backups to prevent recovery. Of those, 7,135 were confirmed as running cPanel or WHM.
Ctrl-Alt-Intel discovered an exposed attacker staging server on 2 May that revealed targeted operations against government and military entities. The threat actor focused on defence domains in the Philippines (*.mil.ph) and Laos (*.gov.la), alongside managed service providers across Canada, South Africa and the United States. The group relied on publicly available proof-of-concept code for CVE-2026-41940 but also deployed a separate custom exploit chain against an Indonesian defence training portal.
The scale of automated exploitation dropped from 44,000 compromised addresses on 30 April to 3,540 by 3 May, according to Shadowserver data. That decline suggests either patching progress or attackers consolidating their access to the most valuable targets.
CISA Adds to Known Exploited Vulnerabilities List
The US Cybersecurity and Infrastructure Security Agency added CVE-2026-41940 to its Known Exploited Vulnerabilities catalogue on Thursday, mandating that federal agencies patch within four days. That timeline reflects the severity of ongoing exploitation rather than theoretical risk.
The vendor response timeline raises questions about disclosure practices. According to a webhosting.today source, the vulnerability “had been reported to cPanel approximately two weeks before the April 28 public advisory” and cPanel’s initial response was “that nothing was wrong.” Whether the reporter knew about in-the-wild exploitation remains unclear.
Hosting providers moved quickly once the advisory was published. KnownHost immediately blocked WHM and cPanel login ports across its network before applying the security updates, a response pattern other major hosting firms followed.
Patch Now, Verify Build Version, Check for Compromise
cPanel released patched versions on 28 April including 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.124.0.35, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20 and 11.136.0.5. WP Squared users need version 136.1.7.
Administrators can verify patch status by running /usr/local/cpanel/cpanel -V and confirming the build version reflects the patched release. Organisations using hosting providers should verify patch status directly with their vendor rather than assuming compliance.
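The version check described above, written here as an added example (it is not cPanel's detection script or code from the article) that compares the output of /usr/local/cpanel/cpanel -V against the patched builds listed in the advisory; it assumes that command prints a dotted version number somewhere in its output and treats any branch without a listed fix as unverified rather than safe.

```python
import re
import subprocess

# Minimum patched build for each release branch the article lists.
# Key = first two version components; "136.1" is the WP Squared build.
PATCHED_BUILDS = {
    "11.86": (11, 86, 0, 41),
    "11.110": (11, 110, 0, 97),
    "11.118": (11, 118, 0, 63),
    "11.124": (11, 124, 0, 35),
    "11.126": (11, 126, 0, 54),
    "11.130": (11, 130, 0, 19),
    "11.132": (11, 132, 0, 29),
    "11.134": (11, 134, 0, 20),
    "11.136": (11, 136, 0, 5),
    "136.1": (136, 1, 7),
}


def parse_version(output: str) -> tuple:
    """Extract the dotted version from whatever `cpanel -V` printed.
    The exact output format is an assumption; only the number is used."""
    match = re.search(r"\d+(?:\.\d+){2,3}", output)
    if not match:
        raise ValueError(f"no version string found in: {output!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def assess(output: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch' for a version string."""
    version = parse_version(output)
    branch = ".".join(str(part) for part in version[:2])
    fixed = PATCHED_BUILDS.get(branch)
    if fixed is None:
        # No patched build listed for this branch: do not assume it is safe;
        # confirm with the vendor and treat the host as unpatched meanwhile.
        return "unknown-branch"
    # Tuple comparison handles a missing trailing component conservatively:
    # (11, 110, 0) sorts below (11, 110, 0, 97) and is reported vulnerable.
    return "patched" if version >= fixed else "vulnerable"


def assess_local_install() -> str:
    """Run the check on this host (Linux with cPanel installed)."""
    result = subprocess.run(["/usr/local/cpanel/cpanel", "-V"],
                            capture_output=True, text=True, check=True)
    return assess(result.stdout)


if __name__ == "__main__":
    print(assess_local_install())
```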
For systems showing indicators of compromise, Linux server management provider Nocinit outlined steps to remove common persistence mechanisms such as stolen credentials, planted SSH keys, hidden cron jobs, leftover API tokens and sudoers backdoors. If compromise is confirmed, rebuilding from clean backups remains the safest recovery path.
cPanel has provided a detection script to help customers identify known indicators. Given that attackers had months of undetected access before the patch, any internet-facing cPanel instance should be treated as potentially compromised until proven otherwise.
References
- Over 40,000 Servers Compromised in Ongoing cPanel Exploitation
- cPanel Zero-Day Exploited for Months Before Patch Release
- Critical cPanel Vulnerability Weaponized to Target Government Networks
- CVE-2026-41940 cPanel & WHM Authentication Bypass
- cPanel Authentication Bypass Bug Exploited in the Wild
May 5, 2026