In a concerning development, over 40,000 servers have potentially fallen victim to a targeted cPanel exploit. This surge in attacks follows the discovery of a critical vulnerability, identified as CVE-2026-41940, within the popular server management software cPanel & WebHost Manager (WHM).
Details of the cPanel Vulnerability
The Shadowserver Foundation, a non-profit cybersecurity organization, has reported that malicious actors are actively leveraging this vulnerability. CVE-2026-41940 is an authentication-bypass flaw allowing attackers to gain administrative control over cPanel systems. This security gap, unveiled on April 28, can be manipulated by injecting specific characters into authorization headers, which can then be used to write parameters to a session file, ultimately leading to unauthorized access.
The vulnerability was reportedly exploited as a zero-day as early as late February. The situation worsened after details were publicly disclosed, and further technical insights were shared by the threat intelligence firm WatchTowr.
Global Impact and Response
Rapid7, a cybersecurity company, highlighted that there are about 1.5 million cPanel servers exposed to the internet. As of last week, The Shadowserver Foundation observed tens of thousands of systems potentially compromised. Initially, 44,000 unique IPs were detected performing scans and attacks, though recent data shows a decline in these figures.
The majority of these compromised systems have been located in the United States, with France and the Netherlands also significantly affected. The urgency of the situation has prompted calls for immediate action to mitigate the risk.
Mitigation and Future Outlook
All cPanel versions post-11.40 are susceptible to this exploit. Users are strongly advised to apply the latest patches and adhere to cPanel’s guidance on identifying and resolving potential breaches. The updated advisory from cPanel indicates that versions 11.86.0.41 through 11.136.0.5, along with WP Squared version 136.1.7, include necessary security fixes.
The US Cybersecurity and Infrastructure Security Agency (CISA) has also responded by adding CVE-2026-41940 to its Known Exploited Vulnerabilities catalog, urging federal entities to address this vulnerability within a four-day timeframe.
In conclusion, this cPanel exploit underscores the ongoing threats faced by server infrastructures worldwide. As organizations work to fortify their defenses, the situation highlights the critical importance of timely patching and vigilant cybersecurity practices.
