CVE-2026-41940 exploitation pushes cPanel and WHM remediation
Updated 11.05.2026 20:54
Top contributors
- Vulnerability: Critical authentication-bypass flaw in cPanel and WHM anchors the case. (base)
- Advisory/Mitigation: Vendor containment and detection guidance explains the response posture. (context)
- Security Patch Release: Initial patch release and fixed builds define the remediation path. (context)
- Exploitation Wave: Broad exploitation wave and likely-compromise reporting strengthen the active-abuse picture. (support)
Case score 70
Members 6
Latest activity 11.05.2026 20:54
Active exploitation
KEV: CISA KEV
Patch/mitigation varies by member
CVSS: 9.8 Critical
First seen 29.04.2026 12:37
Last seen 04.05.2026 12:27
Overview
**CVE-2026-41940** in **cPanel and WHM** is an authentication-bypass flaw that moved into active exploitation, followed by a broader compromise wave, soon after disclosure. Available evidence ties the activity to internet-facing hosting systems: more than **40,000** servers are described as likely compromised, and a separate campaign used public proof-of-concepts, persistence, and tunneling tools against government, military, MSP, and hosting targets.
cPanel, WebPros, and CISA have all pushed remediation: fixed builds are available, mitigation guidance covers port blocks and service shutdowns, and the flaw is in **CISA KEV** with a **May 3, 2026** federal deadline. Current evidence still leaves the full compromise scope unresolved, so unpatched or unsupported systems should be treated as exposed.
Attackers are exploiting **CVE-2026-41940** in **cPanel and WHM**, an authentication-bypass flaw that can give unauthenticated remote attackers control-panel access.
The abuse appears to have started as a zero-day in late February 2026 and intensified after disclosure and technical analysis, producing a broad compromise wave in which more than **40,000** servers are described as likely compromised. The footprint is concentrated in the United States and also appears in France and the Netherlands. The flaw was later added to **CISA's KEV catalog**, which set a **May 3, 2026** deadline for Federal Civilian Executive Branch agencies to apply the patch.
cPanel also published fixed builds for supported **cPanel and WHM** branches and **WP Squared 136.1.7**, and told administrators to run **/scripts/upcp --force** or, until systems were updated, temporarily block ports **2083**, **2087**, **2095**, and **2096**. The vendor mitigation guidance added containment steps such as restarting **cpsrvd**, stopping **cpsrvd** and **cpdavd** when needed, and running the vendor's detection script to look for session abuse or persistence.
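As an added example (not cPanel's or WebPros's own tooling), a small POSIX shell helper for the interim port-block step above: it reports which of the four service ports are listening on the host and prints the iptables rules to add, and later remove, while **/scripts/upcp --force** runs. It assumes the host manages iptables/ip6tables directly; on hosts that use CSF or another firewall manager, add the equivalent rules through that tool instead.

```shell
#!/bin/sh
# Added example: interim exposure control for the cPanel/WHM service ports named in
# the vendor guidance (2083 cPanel, 2087 WHM, 2095/2096 webmail). Not vendor tooling.
# Assumes iptables/ip6tables are managed directly on the host (hosts using CSF or
# another firewall manager should add the equivalent rules through that tool).

CPANEL_PORTS="2083 2087 2095 2096"

# Emit one iptables and one ip6tables command per port. $1 is the rule action:
# -I (insert, to block) or -D (delete, to lift the block once the update is done).
port_rules() {
    for p in $CPANEL_PORTS; do
        printf 'iptables %s INPUT -p tcp --dport %s -j DROP\n' "$1" "$p"
        printf 'ip6tables %s INPUT -p tcp --dport %s -j DROP\n' "$1" "$p"
    done
}
block_rules()   { port_rules -I; }
unblock_rules() { port_rules -D; }

# Given the text of `ss -ltn` output, print the cPanel ports that are listening,
# space separated, in order of first appearance. Empty output means none are exposed.
exposed_ports() {
    printf '%s\n' "$1" | awk -v ports="$CPANEL_PORTS" '
        BEGIN { n = split(ports, want, " "); for (i = 1; i <= n; i++) wanted[want[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4; sub(/.*:/, "", addr)      # keep only the port after the last colon
            if (addr in wanted && !seen[addr]++) out = out (out == "" ? "" : " ") addr
        }
        END { print out }'
}

# Operator entry points; nothing here changes firewall state by itself. Review the
# printed rules first, then run them as root, e.g.:  sh cpanel_ports.sh --rules | sh
case "${1:-}" in
    --check) exposed_ports "$(ss -ltn)" ;;
    --rules) block_rules ;;
    --undo)  unblock_rules ;;
esac
```

Keep the block in place only until the fixed build is confirmed installed; `--undo` prints the matching delete rules.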
A separate campaign used public proof-of-concepts for **CVE-2026-41940** against government, military, MSP, and hosting targets, then maintained access with **AdaptixC2**, **OpenVPN**, and **Ligolo**. That activity also used **systemd** persistence and later led to internal pivoting and exfiltration of Chinese railway-sector documents. Available evidence still does not establish the full compromise count or confirm that every exposed server was breached, so defenders need to assume residual risk on unpatched and unsupported systems.