
Vulnerability Exploits Surge Against cPanel and WHM Software

"The vulnerable programs contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel," warned the U.S. Cybersecurity and Infrastructure Security Agency.

CVE-2026-41940: the flaw and its immediate technical implications

The vulnerability, tracked as CVE-2026-41940, carries a CVSS base score of 9.8 and was disclosed by the team behind the cPanel graphical interface and the WHM web host manager. The developers published a patch along with detailed remediation instructions, indicators of compromise and a detection script. Security firms that analyzed the flaw described it as an authentication bypass in the login flow that can be used by an attacker to execute code remotely on servers running the affected Linux software.

Scale of exposure: installations, versions, and compromise telemetry

WebPros, the Swiss firm that develops and maintains cPanel and WHM, reports the software runs on an estimated 70 million websites. According to the reporting, all supported versions of cPanel and WHM and the WP Squared WordPress management tool carry the vulnerability; all versions since 11.40, released in December 2023, are explicitly affected and older versions may be impacted as well.

Researchers and monitors have reported large, measurable exposure. Rapid7 said Shodan searches suggested roughly 1.5 million vulnerable cPanel instances remained internet-exposed as of Thursday. The Shadowserver Foundation reported honeypots recording scans tied to 44,000 cPanel installations "likely compromised" with CVE-2026-41940; of those, Shadowserver traced 15,200 to U.S. IP addresses, more than 4,000 each to France and Germany, and roughly 2,000 each to Canada, India, the Netherlands, Singapore and the United Kingdom.

What an attacker can do: root access, account compromise, and pivoting

Security firms spelled out the stakes if an attacker succeeds. watchTowr, which published a technical analysis and a proof-of-concept exploit, framed WHM and cPanel as administrative keys: "Think of it as the keys to the kingdom, and then the keys to every individual apartment inside the kingdom. If the kingdom was the internet and the apartments were websites."

Hadrian noted the privileged nature of WHM: "WHM grants root administrative access to the server. An attacker with this access can read every customer hosting account, modify files and databases, create backdoor accounts, install malware, steal credentials and pivot into customer networks." Those capabilities underline why defenders and operators characterize the flaw as critical.

Defensive actions taken: patches, detection, and temporary workarounds

cPanel published a patch and mitigation guidance, and provided indicators of compromise and a detection script to assist defenders. Rapid7 advised that organizations running on-premise instances "should prioritize upgrading to a fixed version on an emergency basis." The same firm acknowledged some hosting providers have temporarily instituted TCP port blocks for cPanel and WHM web services on ports 2083 and 2087 but emphasized defenders are "strongly advised to patch, rather than implement workarounds."
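For operators checking a host while the interim port blocks on 2083 and 2087 are in place, the sketch below reports which addresses the cPanel and WHM listeners are bound to. It is an added example, not cPanel's detection script or code from the reporting; it assumes the column layout of `ss -H -ltn` and runs on a constructed sample.

```python
import ipaddress

# cPanel (2083) and WHM (2087) web service ports named in the article.
PANEL_PORTS = {2083: "cPanel", 2087: "WHM"}

# Constructed sample of `ss -H -ltn` output (not taken from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:2083 0.0.0.0:*
LISTEN 0 511 127.0.0.1:2087 0.0.0.0:*
LISTEN 0 511 [::]:2087 [::]:*
LISTEN 0 128 10.0.0.5:2083 0.0.0.0:*
"""

def split_local(addr):
    """Split 'host:port', '[v6]:port' or '*:port' into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]").split("%")[0], int(port)

def classify(host):
    """Describe how widely a bind address can be reached."""
    if host == "*":
        return "all-interfaces"
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:
        return "all-interfaces"
    if ip.is_loopback:
        return "loopback"
    return "private" if ip.is_private else "routable"

def audit_listeners(ss_output):
    """Return (service, port, host, scope) for non-loopback panel listeners."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        try:
            host, port = split_local(fields[3])
            scope = classify(host)
        except ValueError:
            continue  # unparsable address or non-numeric port: skip the line
        if port in PANEL_PORTS and scope != "loopback":
            findings.append((PANEL_PORTS[port], port, host, scope))
    return findings

if __name__ == "__main__":
    for service, port, host, scope in audit_listeners(SAMPLE_SS):
        print(f"{service} listener on {host}:{port} ({scope})")
```

A listener bound to all interfaces is only reachable if no firewall rule sits in front of it, so a finding here is a prompt to confirm the block from outside the host, and it says nothing about whether the installed version is patched.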

CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog on Thursday and set a deadline of this Tuesday for federal civilian agencies to remediate the flaw or temporarily discontinue using the software until remediation is complete.

How hosting customers, federal agencies, and hosting providers are responding

  • Hosting customers: Many customers lack direct control over the cPanel software because it is supplied by their hosting provider; Hadrian observed they "depend on their hosting provider to patch," leaving end users reliant on provider action to gain protection.
  • Federal civilian agencies: With CISA's inclusion of the flaw in its Known Exploited Vulnerabilities catalog and a remediation deadline of this Tuesday, agencies face a binary choice — remediate or temporarily discontinue use of the affected software until patched.
  • Hosting providers: Some have implemented temporary TCP port blocks for cPanel & WHM services on ports 2083 and 2087 as an interim mitigation, while others will need to deploy the vendor's patched versions and follow published remediation instructions and detection guidance.

The factual record is stark: an authentication-bypass vulnerability with near-maximum severity has been disclosed in widely deployed control-panel software that, by design, grants root-level administration and broad access to hosted accounts. With published patches, detection tools and public telemetry showing large numbers of exposed and likely compromised instances, the decision now confronting operators and agencies is clear — apply the vendor fixes or accept the risk and, where required, discontinue use until remediation is complete.

Original story: https://www.govinfosecurity.com/attacks-surge-against-vulnerable-cpanel-whm-software-a-31571