A critical authentication bypass flaw in cPanel software products has come under heavy exploitation from a variety of threat actors shortly after public disclosure, putting millions of websites at risk via tens of thousands of compromised instances.
On April 28, the software vendor, which specializes in Web hosting control-panel software, issued a security update to address a vulnerability affecting all supported versions of cPanel, WebHost Manager (WHM), and WP Squared products. On April 29, the flaw was identified as CVE-2026-41940 and assigned a critical CVSS score of 9.8.
On the same day, WatchTowr Labs published a proof-of-concept (PoC) exploit and a technical analysis of the vulnerability, which researchers described as a “disaster” flaw that allows attackers to gain administrative access and take over servers and hosted websites.
The plot thickened considerably when KnownHost, which offers managed cPanel hosting, flagged CVE-2026-41940 as a zero-day vulnerability, with approximately 30 servers showing signs of attempted exploitation. In follow-up posts on Reddit, KnownHost CEO Daniel Pearson confirmed the vulnerability had been exploited "at least for the last 30 days," with signs of attempts as far back as Feb. 23.
Meanwhile, Internet scanning from Censys showed the cPanel flaw came under attack from multiple threat actors within 24 hours of disclosure, illustrating once again that security teams these days have little time to patch critical flaws before exploitation begins.
Fast Exploitation for CVE-2026-41940
Censys said its scans revealed approximately 15,000 potentially compromised instances within the first 24 hours following disclosure. Some of the attacks deployed Mirai botnet variants, while most vulnerable instances were hit with ransomware that encrypts files and appends a ".sorry" extension to them.
One victim, Yousef Alsahijan, confirmed his server was hit with both botnet malware and the “sorry” ransomware in what he described as a “highly organized, multistage operation” rather than a random, opportunistic attack. “The entire attack chain from initial access to full encryption happened within minutes,” Alsahijan wrote on LinkedIn. “No credentials were needed. 2FA [two-factor authentication] did not help.”
The exploitation activity has increased in recent days, according to Simo Kohonen, founder and CEO of cybersecurity vendor Defused. “We’ve seen almost 1,000 exploit attempts since the vulnerability dropped with wide geographical and ASN variance,” Kohonen tells Dark Reading. “Given that our honeypots represent a small surface area of the 800k+ cPanel instances indexing sites like Shodan lists, it’s safe to say exploitation is extremely heavy at the moment.”
Experts say several factors contributed to the rapid exploitation of CVE-2026-41940. Sıla Özeren Hacıoğlu, associate security research engineer at Picus Security, says, for starters, the vulnerability was known to at least some attackers prior to disclosure. “KnownHost confirmed in-the-wild exploitation was ongoing against the cPanel/WHM management plane, so attackers weren’t starting from scratch on disclosure day,” she says. “They were already tooled up.”
Furthermore, Hacıoğlu notes that the differences between vulnerable versions and cPanel’s patches were “quite small and pointed,” amounting to just three files with some key changes that become obvious during patch diffing. “That kind of surgical patch is essentially a road map [for attackers],” she says. “Once the WatchTowr write-up landed with the full chain explained, weaponization for anyone who hadn’t already figured it out was a short hop.”
Kohonen says a large portion of the exploitation activity observed by Defused has copied WatchTowr’s PoC exploit exactly, thus “the initial wave of activity was quite likely driven by it.” But he notes other PoC exploits dropped around the same time and have shown up in Defused honeypots, including one called “cPanel Sniper.”
Other issues contributed to the wave of attacks against the authentication bypass flaw. Hacıoğlu says cPanel’s initial advisory was “notably terse,” and merely described the flaw as “an issue with session loading and saving.” Such descriptions don’t slow down attackers, she says, because they can patch diff, but they can slow down defenders that are trying to assess risk and prioritize patching.
“Add to that the fact that the vulnerability hits all currently supported versions, runs on a management interface typically exposed on port 2087, and lands on infrastructure powering around 70 million domains, and you have an unusually large, uniform, reachable attack surface,” she says.
Time is Not on Defenders’ Side
CVE-2026-41940 is the latest example of a critical vulnerability that came under heavy exploitation in a matter of hours, rather than days or weeks. Hacıoğlu says this is part of a larger, consistent trend in which security teams have about a 24- to 48-hour window to patch critical bugs in widely deployed edge or management software before attacks begin.
“Patch diffing has been industrialized, with mature toolchains for binary and source diffing, and several research groups now publish detailed technical breakdowns within days,” she says. “Mass scanning infrastructure is also cheap and ambient now, so once a working PoC exists, untargeted exploitation across the entire IPv4 space is a matter of hours.”
Additionally, Hacıoğlu says edge devices and management panels have been attractive targets for threat actors in the past because they’re internet-facing products with typically large install bases, and “patching cycles in shared hosting and enterprise environments are often slow.”
But organizations can’t afford to be slow with CVE-2026-41940, given the widespread attacks and types of threats converging on the flaw. In a blog post on Friday, Hacıoğlu warned that the vulnerability was wormable, and that “mass scripted exploitation against the ~1.5M exposed instances is feasible.”
Picus Security urged customers to upgrade to fixed versions immediately and to rotate credentials, including root-level account and WHM reseller passwords, API tokens, and SSH keys stored in WHM-managed accounts. Additionally, security teams should purge cPanel sessions and hunt for signs of persistence, such as custom WHM hooks.
Lastly, if organizations cannot immediately patch their cPanel software, Picus Security recommends blocking inbound traffic to TCP/2083, TCP/2087, TCP/2095, and TCP/2096, which Hacıoğlu noted several major hosting providers have done as a temporary mitigation.
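The port-blocking stopgap described above can be expressed as a small nftables ruleset. The script below is an added example written for this article, not code from cPanel, Picus Security, or any hosting provider: it drops inbound connections to the four management ports named in the article (2083, 2087, 2095, 2096) while still admitting an administrator allowlist, and logs every dropped attempt so the block doubles as a detection source. The allowlist CIDRs, the table name, and the temporary file path are placeholders chosen for the example; the host is assumed to have nftables installed.

```shell
#!/bin/sh
# Added example (not from the article or from cPanel): temporary mitigation for an
# unpatched cPanel/WHM host. Drops inbound TCP to the management ports the article
# lists, except from an admin allowlist, and logs each dropped attempt.
# Assumptions: nftables is installed; allowlist values and paths are placeholders.

CPANEL_PORTS="2083, 2087, 2095, 2096"   # ports named in the article
RULESET_FILE="/tmp/cpanel_mitigation.nft" # placeholder staging path

# Print the nftables ruleset. $1 is a comma-separated list of admin CIDRs
# (placeholder values in the usage below; replace with real management ranges).
build_ruleset() {
    allow="$1"
    cat <<EOF
table inet cpanel_mitigation {
    set admin_allow {
        type ipv4_addr
        flags interval
        elements = { $allow }
    }
    chain input {
        # Priority -10 runs before the default filter chain; policy accept leaves
        # all other traffic to the host's existing firewall rules.
        type filter hook input priority -10; policy accept;
        ct state established,related accept
        ip saddr @admin_allow tcp dport { $CPANEL_PORTS } accept
        tcp dport { $CPANEL_PORTS } log prefix "cpanel-blocked: " drop
    }
}
EOF
}

# Stage the ruleset, syntax-check it with nft -c, and only then load it, so a
# typo never leaves a half-applied table. Requires root.
apply_ruleset() {
    build_ruleset "$1" > "$RULESET_FILE"
    nft -c -f "$RULESET_FILE" && nft -f "$RULESET_FILE"
}

# Remove the mitigation once the host is patched and credentials are rotated.
remove_ruleset() {
    nft delete table inet cpanel_mitigation
}

# Usage (as root, with placeholder admin ranges):
#   apply_ruleset "203.0.113.0/24, 198.51.100.7"
#   nft list table inet cpanel_mitigation     # confirm the rules are live
#   journalctl -k | grep cpanel-blocked:      # review blocked attempts
```

The `log prefix` on the drop rule is the useful part for a security team: kernel log lines tagged `cpanel-blocked:` give a per-source record of who is still probing the management ports, which is worth keeping alongside the access logs when the host is later reviewed for persistence.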
