
cPanel Vulnerability Exploited, Ransomware Attacks Reported

CVE-2026-41940 carries a near-worst-case CVSS score of 9.8 and, if successfully exploited, "can hand over full control of the server."

CVE-2026-41940: what the bug is and where it lives

The vulnerability, tracked as CVE-2026-41940, affects all supported versions of cPanel and WebHost Manager (WHM) released after version 11.40, and also affects WP Squared, a WordPress management layer built on the same platform. CISA, the U.S. Cybersecurity and Infrastructure Security Agency, has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, a listing it reserves for bugs with reliable evidence of exploitation in the wild.

According to the reporting, a successful exploit hands over full control of the server, which on a hosting stack means control of every customer website and service that machine serves.

Signs of exploitation: KnownHost, Namecheap, and a ransomware claim

Evidence that attackers were active before fixes were available came from multiple directions. The hosting provider KnownHost said, via a Reddit post by CEO Daniel Pearson, that it had "seen execution attempts as early as 2/23/2026" and urged users to restrict access and assume systems could already be compromised if left unpatched.

Namecheap, another provider named in the reporting, temporarily blocked access to cPanel and WHM while fixes were prepared and has since begun rolling out updates. cPanel itself shipped a patch on Tuesday, but the reporting makes clear that exploitation was already underway by that time; CISA added the bug to its catalog on Thursday.

There are early, anecdotal reports of criminal activity following exploitation. A small business owner posting on Reddit said their company, running a "fairly standard cPanel setup," according to the post, had been hit by ransomware; the attackers, the owner said, demanded $7,000 to unlock systems. If confirmed, the report would indicate the vulnerability is already being used for extortion, not merely for reconnaissance.

Scale and exposure: Rapid7's Shodan scan and the broader footprint

Security firm Rapid7 used Shodan to identify roughly 1.5 million internet-exposed cPanel instances. The reporting also notes that cPanel underpins hosting for tens of millions of sites, many of which are run by small organizations that rely on providers to handle security operations.

That combination (a critical vulnerability, public scanning results showing a large exposed population, and providers with uneven ability to deploy fixes to every customer quickly) frames the risk as both widespread and time-sensitive. One caveat: the Shodan figure counts cPanel interfaces reachable from the internet, not unpatched ones, so it measures exposure rather than the number of still-vulnerable hosts.

How hosting providers, small businesses, and CISA are responding

  • Hosting providers (KnownHost, Namecheap): KnownHost reported seeing exploitation attempts as early as 2/23/2026 and urged customers to restrict access and to assume compromise if unpatched. Namecheap temporarily blocked access to cPanel and WHM while rolling out updates.
  • Small businesses (the Reddit victim): One small business owner reported a ransomware incident and said attackers demanded $7,000 to unlock systems, a claim that, if corroborated, shows operators with standard cPanel setups can be directly victimized.
  • CISA and security firms (Rapid7): CISA added the bug to its Known Exploited Vulnerabilities catalog on Thursday, and Rapid7 used Shodan to estimate roughly 1.5 million internet-exposed instances, underscoring the urgency of mitigation.

The facts in this report point to a clear patch-and-verify problem: by the time the vendor shipped a patch, attackers were already probing and, according to at least one victim report, extorting targets. Small operators who rely on a hosting provider to run cPanel cannot apply the fix themselves, so their choice is not "patch now" but "wait and hope", a precarious stance against a flaw with a 9.8 CVSS score that grants full server control. Until the patch is confirmed on a given host, the defensible posture is the one KnownHost described: restrict access to the cPanel and WHM interfaces and treat the host as possibly compromised.
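The following script is an added example of that patch-and-verify routine for an administrator with shell access to a cPanel host; it is not code from the article, from cPanel, or from any provider named here. It compares the installed build against a fixed build the operator supplies (the article does not state the fixed version, so that number is an assumption passed on the command line), lists which default cPanel service ports are listening on a wildcard address, and prints an nftables ruleset that limits those ports to a trusted network. The version file path and port numbers are cPanel defaults; the trusted range 203.0.113.0/24 is a documentation placeholder.

```shell
#!/bin/sh
# Added example: patch-and-verify helper for a cPanel/WHM host.
# Assumptions: the fixed cPanel build is supplied by the operator (FIXED);
# 203.0.113.0/24 stands in for the administrator's real trusted network.

# Default cPanel (2082/2083), WHM (2086/2087) and webmail (2095/2096) ports.
CPANEL_PORTS="2082 2083 2086 2087 2095 2096"
# File in which cPanel records the installed build, e.g. 11.124.0.5.
VERSION_FILE="/usr/local/cpanel/version"

# version_ge A B: succeed when dotted version A is at least B, component-wise.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"            # leading component of each
        if [ "$x" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$y" = "$b" ]; then b=""; else b="${b#*.}"; fi
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# installed_version: print the installed build, or "unknown" off-box.
installed_version() {
    if [ -r "$VERSION_FILE" ]; then cat "$VERSION_FILE"; else echo unknown; fi
}

# patch_status INSTALLED FIXED: print patched, VULNERABLE, or unknown.
patch_status() {
    case "$1" in
        *[!0-9.]*|"") echo unknown; return ;;   # not a dotted version string
    esac
    if version_ge "$1" "$2"; then echo patched; else echo VULNERABLE; fi
}

# exposed_cpanel_ports: read `ss -Hlnt` output on stdin and print, space-
# separated, the cPanel ports bound to a wildcard address (0.0.0.0, * or [::]).
exposed_cpanel_ports() {
    awk -v ports="$CPANEL_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        {
            port = $4; sub(/.*:/, "", port)   # column 4 is Local Address:Port
            wildcard = ($4 ~ /^(\*|0\.0\.0\.0):/) || (index($4, "[::]:") == 1)
            if (wildcard && (port in want)) print port
        }' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# lockdown_rules TRUSTED_NET: print an nftables ruleset that drops traffic to
# the cPanel ports from everywhere except TRUSTED_NET (IPv4). Existing sessions
# from other sources are cut too, which is intended. IPv6 clients are dropped
# as well; add an `ip6 saddr ... accept` line if you administer over IPv6.
lockdown_rules() {
    set_list=$(printf '%s' "$CPANEL_PORTS" | sed 's/ /, /g')
    cat <<EOF
table inet cpanel_lockdown {
    chain input {
        type filter hook input priority -10; policy accept;
        tcp dport { $set_list } ip saddr $1 accept
        tcp dport { $set_list } drop
    }
}
EOF
}

# Usage: sh cpanel_check.sh check FIXED [TRUSTED_NET]
#        sh cpanel_check.sh rules TRUSTED_NET | nft -f -
case "${1:-}" in
    check)
        fixed="${2:?fixed cPanel build required}"
        inst=$(installed_version)
        echo "installed $inst, fixed $fixed: $(patch_status "$inst" "$fixed")"
        echo "cPanel ports on wildcard addresses: $(ss -Hlnt | exposed_cpanel_ports)"
        echo "lockdown ruleset for ${3:-203.0.113.0/24}:"
        lockdown_rules "${3:-203.0.113.0/24}"
        ;;
    rules)
        lockdown_rules "${2:?trusted network required}"
        ;;
esac
```

The ruleset installs a separate base chain at priority -10 so it is evaluated before the usual filter chain and can be removed later with `nft delete table inet cpanel_lockdown` once the host is patched and reviewed; a "patched" result from the version check tells you the fix is installed, not that the host was clean before it landed.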

What remains to be seen in the days ahead is how quickly providers can roll updates to the roughly 1.5 million exposed instances Rapid7 identified, how many of those instances will show signs of compromise, and whether further active exploitation or follow-on campaigns will be observed. The immediate, concrete actions publicized so far are provider access restrictions, a vendor patch, CISA's catalog listing, and at least one reported ransomware demand for $7,000.
