Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Watchlists Beta Browse News Feed Stats About Contact
Vulnerability Security Patch Release ×2 Advisory/Mitigation Campaign Exploitation Wave

CVE-2026-41940 exploitation pushes cPanel and WHM remediation

Updated 11.05.2026 20:54
Case score 70
Case score 70 Members 6 Latest activity 11.05.2026 20:54
Active exploitation KEV: CISA KEV Patch status varies by member CVSS: 9.8 Critical
Members 6 First seen 29.04.2026 12:37 Last seen 04.05.2026 12:27 Updated 11.05.2026 20:54

Overview

**CVE-2026-41940** in **cPanel and WHM** is an authentication-bypass flaw that moved into active exploitation and a broader compromise wave soon after disclosure. Available evidence ties the activity to internet-facing hosting systems, with more than **40,000** servers described as likely compromised and a separate campaign using public proof-of-concepts, persistence, and tunneling tools against government, military, MSP, and hosting targets. cPanel, WebPros, and CISA have all pushed remediation pressure into the response: fixed builds are available, mitigation guidance covers port blocks and service shutdowns, and the flaw is in **CISA KEV** with a **May 3, 2026** federal deadline. Current evidence still leaves full compromise scope unresolved, so unpatched or unsupported systems should be treated as exposed.

Signals

13 derived
Exploitation
Exploitation Active exploitation CVSS 9.8 Critical
Affected impact
Affected service
CVEs/products
CVE
Victims/regions
Sector government Sector military Victim region United States Victim region France
Remediation
Urgency Immediate Remediation KEV CISA KEV
Status
Campaign status Active
Threat context
Tooling

Malware context

4 families · 4 tools
Tools
AdaptixC2 Ligolo OpenVPN cPanel Sniper

Member happenings

6 related
Vulnerability CPanel and WHM authentication bypass (CVE-2026-41940)
Updated 29.04.2026 12:37 Lead Contribution 64
Exploitation Active Exploitation Exploit No Known Public Exploit CVSS 9.8 Critical Patch Patch Available

**cPanel and WHM** are affected by **CVE-2026-41940**, an **authentication bypass** in the login flow that can let **unauthenticated remote attackers** gain control-panel access. The flaw is rated **9.8/10.0**, has a **patch available**, and was reported as **actively exploited as a 0-day**, raising immediate risk for exposed servers. cPanel has pushed fixes across supported versions and urged operators to update right away.

View happening
Exploitation Wave CPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)
Updated 04.05.2026 11:25 Scoring Support Contribution 3
Exploitation Active Exploitation CVSS 9.8 Critical Patch Patch Available

Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 servers** have likely been compromised, showing that the attack has moved well beyond isolated probing. The flaw can hand unauthenticated attackers **admin access**, letting them control managed sites, databases, and configurations.

View happening
Campaign CPanel authentication-bypass and persistent-access campaign targeting Southeast Asia
Updated 04.05.2026 12:27 Scoring Support Contribution 3
Objective Espionage Campaign Active Patch Patch Available

A **previously unknown threat actor** ran a **cPanel authentication-bypass campaign** that combined public exploit code and custom access tooling to reach government, military, MSP, and hosting targets across Southeast Asia and beyond. The activity mattered because it paired **initial access**, **persistence**, and **internal pivoting**, raising the risk of follow-on compromise and collection. The same access layer was later used to exfiltrate **Chinese railway-sector documents** from an internal network.

View happening
Security Patch Release CPanel and WHM emergency update for critical auth-bypass
Updated 29.04.2026 18:51 Context
Urgency Immediate Patch Patch Available

**WebPros International** released an **emergency update** for **cPanel** and **WHM** after a critical **authentication-bypass** flaw could expose supported installations to **unauthorized control-panel access**. The bulletin covers patched releases for the affected hosting software and directs administrators to run **/scripts/upcp –force** to retrieve the safe version. Because these tools are widely deployed for server and website management, prompt installation is important on internet-facing systems.

View happening
Advisory/Mitigation CPanel CVE-2026-41940 mitigation guidance
Updated 30.04.2026 14:40 Context
Exploitation Active Exploitation CVSS 9.8 Critical Urgency Immediate Patch Patch Available

cPanel issued mitigation guidance for **CVE-2026-41940** after fixes became available for **cPanel, WHM, and WP Squared**, urging customers to restart **cpsrvd** to reduce exposure. If patching is not immediately possible, operators should block external access to **2083**, **2087**, **2095**, and **2096**, or stop the **cpsrvd** and **cpdavd** core services. The vendor also provided a detection script and recommended purging sessions, resetting credentials, auditing logs, and checking for persistence if compromise indicators appear.

View happening
Security Patch Release CPanel security patch release for CVE-2026-41940
Updated 29.04.2026 12:37 Context
Exploitation Active Exploitation CVSS 9.8 Critical Urgency Immediate Patch Patch Available

**cPanel** released **security updates** for **cPanel and WHM** after an **authentication bypass** flaw could let remote attackers reach control-panel access, with fixes now covering multiple supported builds and **WP Squared 136.1.7**. The update set spans several named releases, and cPanel told operators of unsupported versions to move to a supported build as soon as possible. Administrators were also told to apply the patch immediately, while temporary mitigations blocked **2083/2087/2095/2096** or stopped **cpsrvd** and **cpdavd** until deployment.

View happening