Find notable cyber news and cases, enriched with sources, timelines, and signals.

CPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)

Exploitation Wave
First reported
Last updated
Happening score
H score 89
2 unique sources, 2 articles

Summary

Hide ▲

Active exploitation of CVE-2026-41940 is driving a large cPanel & WHM compromise wave, putting exposed servers at risk of administrative takeover. More than 40,000 servers have likely been compromised, showing that the attack has moved well beyond isolated probing. The flaw can hand unauthenticated attackers admin access, letting them control managed sites, databases, and configurations.

Cases

Related Happenings

Magento exploitation wave for CVE-2026-45247

Exploitation Wave
H score9 First: 04.06.2026 10:19 Last: 04.06.2026 10:19 Sources 1

About this happening: Active exploitation of **CVE-2026-45247** is hitting **Mirasvit Cache Warmer** on **Magento** stores, with malicious requests carrying serialized PHP payloads that can lead to **r...

HTTP/2 servers HPACK flow-control DoS denial-of-service flaw (CVE-2026-49975)

Vulnerability
H score26 First: 03.06.2026 22:08 Last: 03.06.2026 22:08 Sources 1

About this happening: **HTTP/2 servers** were found vulnerable to the **HTTP/2 Bomb** DoS weakness, where **HPACK compression amplification** plus **HTTP/2 flow-control stalling** lets a single client...

OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)

Exploitation Wave
H score46 First: 17.05.2026 14:57 Last: 17.05.2026 14:57 Sources 1

About this happening: **openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...

Filemanager backdoor delivered on compromised cPanel environments

Malware Activity
H score33 First: 11.05.2026 20:54 Last: 11.05.2026 20:54 Sources 1

How related: In the infection sequence analyzed by XLab, Filemanager is delivered via a shell script downloaded from the "wpsock[.]com" domain. The backdoor supports file management, remote command execution, and shell functionality.

About this happening: The **Filemanager** backdoor is being deployed on **compromised cPanel/WHM systems**, giving attackers **remote command execution** and shell access. It is delivered through a **s...

CPanel security patch release for CVE-2026-29201

Security Patch Release
H score34 First: 09.05.2026 10:16 Last: 09.05.2026 10:16 Sources 1

About this happening: **cPanel** released updates for **cPanel and Web Host Manager (WHM)** to fix **three vulnerabilities** that could enable **privilege escalation**, **code execution**, or **denial-...

Timeline

  1. 04.05.2026 11:25 2 articles · 2mo ago

    Active CVE-2026-41940 exploitation hits cPanel & WHM servers

    Campaign Scope Update

    Threat actors are actively exploiting CVE-2026-41940 against internet-facing cPanel & WHM instances, enabling unauthenticated administrative access that can compromise host systems, configurations, databases, and websites. Defenders observed scanning, exploit, and brute-force activity tied to more than 40,000 likely compromised servers, while cPanel published fixed releases and CISA added the CVE to the KEV catalog.

    Show sources