cPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)
Exploitation Wave
Summary
Active exploitation of CVE-2026-41940 is driving a large cPanel & WHM compromise wave, putting exposed servers at risk of administrative takeover. More than 40,000 servers have likely been compromised, showing that the attack has moved well beyond isolated probing. The flaw can hand unauthenticated attackers admin access, letting them control managed sites, databases, and configurations.
Cases
Related Happenings
openDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)
Exploitation Wave
First: 17.05.2026 14:57
Last: 17.05.2026 14:57
Sources 1
About this happening:
**openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...
Filemanager backdoor delivered on compromised cPanel environments
Malware Activity
First: 11.05.2026 20:54
Last: 11.05.2026 20:54
Sources 1
How related:
In the infection sequence analyzed by XLab, Filemanager is delivered via a shell script downloaded from the "wpsock[.]com" domain. The backdoor supports file management, remote command execution, and shell functionality.
About this happening:
The **Filemanager** backdoor is being deployed on **compromised cPanel/WHM systems**, giving attackers **remote command execution** and shell access. It is delivered through a **s...
cPanel security patch release for CVE-2026-29201
Security Patch Release
First: 09.05.2026 10:16
Last: 09.05.2026 10:16
Sources 1
About this happening:
**cPanel** released updates for **cPanel and Web Host Manager (WHM)** to fix **three vulnerabilities** that could enable **privilege escalation**, **code execution**, or **denial-...
MetInfo CMS unauthenticated PHP code injection actively exploited remote code execution flaw (CVE-2026-29014)
Vulnerability
First: 05.05.2026 14:56
Last: 05.05.2026 14:56
Sources 1
About this happening:
**CVE-2026-29014** in **MetInfo CMS** is **actively exploited**, putting **versions 7.9, 8.0, and 8.1** at risk of **remote code execution** and full server takeover. **MetInfo**...
Mirai and .sorry ransomware on compromised cPanel instances
Malware Activity
First: 04.05.2026 22:14
Last: 04.05.2026 22:14
Sources 1
How related:
Some of the attacks deployed Mirai botnet variants, while most vulnerable instances were hit with a ransomware that encrypts and appends files with a ".sorry" extension.
About this happening:
Compromised **cPanel** instances were hit with **Mirai botnet variants** and **.sorry ransomware**, turning rapid post-disclosure exploitation into botnet infection and file-encry...
Timeline
04.05.2026 11:25 · 2 articles
Active CVE-2026-41940 exploitation hits cPanel & WHM servers
Campaign Scope Update
Threat actors are actively exploiting CVE-2026-41940 against internet-facing cPanel & WHM instances, enabling unauthenticated administrative access that can compromise host systems, configurations, databases, and websites. Defenders observed scanning, exploit, and brute-force activity tied to more than 40,000 likely compromised servers, while cPanel published fixed releases and CISA added the CVE to the KEV catalog.
Sources:
- Over 40,000 Servers Compromised in Ongoing cPanel Exploitation — www.securityweek.com — 04.05.2026 11:25
- cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor — thehackernews.com — 11.05.2026 20:54