Over 40,000 Servers Compromised in Ongoing cPanel Exploitation
A critical authentication-bypass vulnerability (CVE-2026-41940) in cPanel & WebHost Manager (WHM) has been actively exploited, resulting in over 40,000 servers being compromised. The flaw allows unauthenticated attackers to gain administrative access by manipulating authorization headers to inject credentials into session files. This vulnerability was exploited as a zero-day since late February 2026 and was publicly disclosed on April 28, 2026. The majority of affected systems are in the US, with France and the Netherlands also impacted. cPanel has released patches in multiple versions to address this issue. The US cybersecurity agency CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog and urges rapid patching. Users are advised to update to patched versions and follow cPanel's guidance to identify and remediate compromises.
AI Analysis
Technical Summary
CVE-2026-41940 is a critical authentication bypass vulnerability in cPanel & WHM that enables unauthenticated attackers to gain administrative access by exploiting special characters in authorization headers to write and reload session files with injected credentials. This zero-day vulnerability was exploited in the wild since at least February 2026, leading to widespread compromise of over 40,000 servers globally, predominantly in the US, France, and the Netherlands. The vulnerability affects all cPanel versions after 11.40. Patches have been released in several versions including 11.86.0.41 and later. The US CISA has included this vulnerability in its KEV catalog, recommending patching within four days. The Shadowserver Foundation and other threat intelligence entities have observed significant exploitation activity, which has recently declined following public disclosure and patch availability.
Potential Impact
Successful exploitation of CVE-2026-41940 grants unauthenticated attackers administrative access to cPanel & WHM servers, allowing full control over host systems, configurations, databases, and hosted websites. This leads to complete system compromise, data breaches, and potential further malicious activity on affected servers. Over 40,000 servers have been compromised, indicating widespread impact. The vulnerability was actively exploited as a zero-day prior to patch release, increasing risk to unpatched systems.
Mitigation Recommendations
A patch addressing CVE-2026-41940 is available in multiple cPanel & WHM versions including 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.124.0.35, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, and 11.136.0.5, as well as WP Squared version 136.1.7. Users should update to these patched versions immediately. cPanel provides instructions for identifying and remediating potential compromises, which should be followed. The US CISA recommends patching within four days. No vendor guidance suggests that the issue can be left unaddressed; prompt patching and a compromise assessment of every exposed server are therefore essential.
Affected Countries
United States, France, Netherlands
Technical Details
- Article Source: https://www.securityweek.com/over-40000-servers-compromised-in-ongoing-cpanel-exploitation/ (fetched 2026-05-04)
Threat ID: 69f85a86cbff5d8610f0eb7a
Added to database: 5/4/2026, 8:36:22 AM
Last enriched: 5/4/2026, 8:36:32 AM
Last updated: 5/5/2026, 5:51:01 AM