CPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)
Exploitation Wave
Summary
Hide ▲
Show ▼
Active exploitation of CVE-2026-41940 is driving a large cPanel & WHM compromise wave, putting exposed servers at risk of administrative takeover. More than 40,000 servers have likely been compromised, showing that the attack has moved well beyond isolated probing. The flaw can hand unauthenticated attackers admin access, letting them control managed sites, databases, and configurations.
Cases
Related Happenings
Magento exploitation wave for CVE-2026-45247
Exploitation Wave
H score9
First: 04.06.2026 10:19
Last: 04.06.2026 10:19
Sources 1
About this happening:
Active exploitation of **CVE-2026-45247** is hitting **Mirasvit Cache Warmer** on **Magento** stores, with malicious requests carrying serialized PHP payloads that can lead to **r...
Magento exploitation wave for CVE-2026-45247
Exploitation WaveAbout this happening: Active exploitation of **CVE-2026-45247** is hitting **Mirasvit Cache Warmer** on **Magento** stores, with malicious requests carrying serialized PHP payloads that can lead to **r...
HTTP/2 servers HPACK flow-control DoS denial-of-service flaw (CVE-2026-49975)
Vulnerability
H score26
First: 03.06.2026 22:08
Last: 03.06.2026 22:08
Sources 1
About this happening:
**HTTP/2 servers** were found vulnerable to the **HTTP/2 Bomb** DoS weakness, where **HPACK compression amplification** plus **HTTP/2 flow-control stalling** lets a single client...
HTTP/2 servers HPACK flow-control DoS denial-of-service flaw (CVE-2026-49975)
VulnerabilityAbout this happening: **HTTP/2 servers** were found vulnerable to the **HTTP/2 Bomb** DoS weakness, where **HPACK compression amplification** plus **HTTP/2 flow-control stalling** lets a single client...
OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)
Exploitation Wave
H score46
First: 17.05.2026 14:57
Last: 17.05.2026 14:57
Sources 1
About this happening:
**openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...
OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)
Exploitation WaveAbout this happening: **openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...
Filemanager backdoor delivered on compromised cPanel environments
Malware Activity
H score33
First: 11.05.2026 20:54
Last: 11.05.2026 20:54
Sources 1
How related:
In the infection sequence analyzed by XLab, Filemanager is delivered via a shell script downloaded from the "wpsock[.]com" domain. The backdoor supports file management, remote command execution, and shell functionality.
About this happening:
The **Filemanager** backdoor is being deployed on **compromised cPanel/WHM systems**, giving attackers **remote command execution** and shell access. It is delivered through a **s...
Filemanager backdoor delivered on compromised cPanel environments
Malware ActivityHow related: In the infection sequence analyzed by XLab, Filemanager is delivered via a shell script downloaded from the "wpsock[.]com" domain. The backdoor supports file management, remote command execution, and shell functionality.
About this happening: The **Filemanager** backdoor is being deployed on **compromised cPanel/WHM systems**, giving attackers **remote command execution** and shell access. It is delivered through a **s...
CPanel security patch release for CVE-2026-29201
Security Patch Release
H score34
First: 09.05.2026 10:16
Last: 09.05.2026 10:16
Sources 1
About this happening:
**cPanel** released updates for **cPanel and Web Host Manager (WHM)** to fix **three vulnerabilities** that could enable **privilege escalation**, **code execution**, or **denial-...
CPanel security patch release for CVE-2026-29201
Security Patch ReleaseAbout this happening: **cPanel** released updates for **cPanel and Web Host Manager (WHM)** to fix **three vulnerabilities** that could enable **privilege escalation**, **code execution**, or **denial-...
Timeline
-
04.05.2026 11:25 2 articles · 2mo ago
Active CVE-2026-41940 exploitation hits cPanel & WHM servers
Campaign Scope UpdateThreat actors are actively exploiting CVE-2026-41940 against internet-facing cPanel & WHM instances, enabling unauthenticated administrative access that can compromise host systems, configurations, databases, and websites. Defenders observed scanning, exploit, and brute-force activity tied to more than 40,000 likely compromised servers, while cPanel published fixed releases and CISA added the CVE to the KEV catalog.
Show sources
- Over 40,000 Servers Compromised in Ongoing cPanel Exploitation — www.securityweek.com — 04.05.2026 11:25
- cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor — thehackernews.com — 11.05.2026 20:54