Critical cPanel authentication bypass (CVE-2026-41940) under active mass exploitation
Summary
A critical authentication bypass vulnerability in cPanel, WHM, and WP Squared products (CVE-2026-41940, CVSS 9.8) was being actively exploited at scale within 24 hours of public disclosure and patch release, granting attackers administrative access to tens of thousands of internet-facing servers and millions of hosted websites. Exploitation began shortly after the April 28 vendor patch and the April 29 CVE assignment, with known in-the-wild activity predating disclosure. Observed attacks include Mirai botnet recruitment, ransomware deployment (files encrypted with a ".sorry" extension), and multi-stage operations achieving full server takeover in minutes without requiring credentials or defeating 2FA. Scans indicate approximately 15,000 compromised instances within the first day, with ongoing exploit attempts numbering in the thousands across diverse geographies and ASNs. The flaw targets the cPanel/WHM management plane, typically exposed on TCP/2087, and affects all supported versions of software that powers roughly 70 million domains.
Timeline
- 04.05.2026 22:14 · 1 article
cPanel authentication bypass (CVE-2026-41940) exploited at scale hours after disclosure
On April 28, cPanel released patches for a critical authentication bypass vulnerability affecting all supported versions of cPanel, WHM, and WP Squared; the flaw was assigned CVE-2026-41940 on April 29 with a CVSS score of 9.8. Within 24 hours of disclosure, threat actors launched widespread exploitation campaigns targeting the cPanel/WHM management plane (typically exposed on TCP/2087), resulting in approximately 15,000 confirmed compromised instances and nearly 1,000 exploit attempts observed across diverse geographies. Attacks included botnet recruitment (e.g., Mirai variants) and ransomware deployment encrypting files with a ".sorry" extension, with victims reporting full server compromise occurring within minutes without requiring credentials or defeating 2FA. Security vendors assess the flaw as wormable and estimate that mass scripted exploitation against approximately 1.5 million exposed instances is feasible, which makes it urgent for organizations to patch immediately or apply mitigations such as blocking inbound access to TCP/2083, TCP/2087, TCP/2095, and TCP/2096.
Sources:
- Exploit Cyber-Frenzy Threatens Millions via Critical cPanel Vulnerability — www.darkreading.com — 04.05.2026 22:14
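An added example, not from the source article, for the port-blocking mitigation described above: it flags listeners on the four cPanel/WHM ports that are bound to non-loopback addresses and prints nftables rules restricting them. The `inet filter` table and `input` chain, the admin CIDR, and the sample `ss` output are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the source article): audit and restrict the
# cPanel/WHM service ports named in the mitigation text.
CPANEL_PORTS="2083 2087 2095 2096"

# Constructed sample of `ss -Htln` output, so the script runs offline.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:2087 0.0.0.0:*
LISTEN 0 128 127.0.0.1:2083 0.0.0.0:*
LISTEN 0 128 [::]:2096 [::]:*
LISTEN 0 128 [::1]:2095 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Read `ss -Htln` lines on stdin; print "port address" for every listener on
# a cPanel port that is bound to a non-loopback address.
exposed_listeners() {
  awk -v ports="$CPANEL_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "LISTEN" {
      port = $4; sub(/.*:/, "", port)                      # text after last ":"
      addr = substr($4, 1, length($4) - length(port) - 1)  # text before it
      if (!(port in want)) next
      if (addr ~ /^127\./ || addr == "[::1]") next         # loopback only
      print port, addr
    }'
}

# Print nftables rules (for `nft -f -`) that drop traffic to the cPanel ports
# unless it comes from the given admin IPv4 CIDR. Assumes an existing
# "inet filter" table with an "input" chain, and that admins connect over IPv4.
nft_block_rules() {
  set_body=$(printf '%s' "$CPANEL_PORTS" | sed 's/ /, /g')
  printf 'add rule inet filter input ip saddr != %s tcp dport { %s } drop\n' "$1" "$set_body"
  printf 'add rule inet filter input meta nfproto ipv6 tcp dport { %s } drop\n' "$set_body"
}

# Demo on the constructed sample; on a live host use: ss -Htln | exposed_listeners
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
nft_block_rules 203.0.113.0/24   # documentation range used as a placeholder admin CIDR
```

The printed rules are appended to the chain, so they only take effect if no earlier rule already accepts traffic to these ports.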
Information Snippets
- CVE-2026-41940 is an authentication bypass flaw in cPanel, WebHost Manager (WHM), and WP Squared affecting all supported versions, enabling remote attackers to gain administrative control of servers and hosted websites.
  First reported: 04.05.2026 22:14 (1 source, 1 article)
  Source: Exploit Cyber-Frenzy Threatens Millions via Critical cPanel Vulnerability — www.darkreading.com — 04.05.2026 22:14
- The vulnerability was publicly disclosed on April 28 with a security update, assigned CVE-2026-41940 on April 29, and received a CVSS score of 9.8 (Critical).
  First reported: 04.05.2026 22:14 (1 source, 1 article)
  Source: Exploit Cyber-Frenzy Threatens Millions via Critical cPanel Vulnerability — www.darkreading.com — 04.05.2026 22:14
- WatchTowr Labs published a proof-of-concept (PoC) exploit and technical analysis on April 29, describing the flaw as a "disaster" security issue allowing direct administrative takeover.
  First reported: 04.05.2026 22:14 (1 source, 1 article)
  Source: Exploit Cyber-Frenzy Threatens Millions via Critical cPanel Vulnerability — www.darkreading.com — 04.05.2026 22:14
- KnownHost reported evidence of exploitation dating back to at least February 23, indicating the flaw was likely exploited as a zero-day prior to public disclosure.
  First reported: 04.05.2026 22:14 (1 source, 1 article)
  Source: Exploit Cyber-Frenzy Threatens Millions via Critical cPanel Vulnerability — www.darkreading.com — 04.05.2026 22:14
- Censys scanning revealed approximately 15,000 potentially compromised cPanel instances within 24 hours of public disclosure, with attacks originating from multiple threat actors.
  First reported: 04.05.2026 22:14 (1 source, 1 article)
  Source: Exploit Cyber-Frenzy Threatens Millions via Critical cPanel Vulnerability — www.darkreading.com — 04.05.2026 22:14
- Observed attack chains included deployment of Mirai botnet variants and ransomware encrypting files with a ".sorry" extension; one victim reported full encryption occurring within minutes without requiring credentials or bypassing 2FA.
  First reported: 04.05.2026 22:14 (1 source, 1 article)
  Source: Exploit Cyber-Frenzy Threatens Millions via Critical cPanel Vulnerability — www.darkreading.com — 04.05.2026 22:14
- Defused reported nearly 1,000 exploit attempts since the vulnerability’s public disclosure, spanning wide geographical and ASN distributions, suggesting mass untargeted scanning and exploitation.
  First reported: 04.05.2026 22:14 (1 source, 1 article)
  Source: Exploit Cyber-Frenzy Threatens Millions via Critical cPanel Vulnerability — www.darkreading.com — 04.05.2026 22:14
- The flaw is described as wormable, with Picus Security estimating that mass scripted exploitation against approximately 1.5 million exposed instances is feasible.
  First reported: 04.05.2026 22:14 (1 source, 1 article)
  Source: Exploit Cyber-Frenzy Threatens Millions via Critical cPanel Vulnerability — www.darkreading.com — 04.05.2026 22:14
- The vulnerable cPanel/WHM management interface is typically exposed on TCP/2087, with additional services on TCP/2083, TCP/2095, and TCP/2096 also implicated in the attack surface.
  First reported: 04.05.2026 22:14 (1 source, 1 article)
  Source: Exploit Cyber-Frenzy Threatens Millions via Critical cPanel Vulnerability — www.darkreading.com — 04.05.2026 22:14