Hackers are actively exploiting a bug in cPanel, used by millions of websites

Source: TechCrunch

Overview

Security researchers have identified a critical vulnerability in the widely used web server management software cPanel and WebHost Manager (WHM). The bug allows attackers to bypass authentication and gain full control of servers running the affected software, which is deployed by tens of millions of website owners worldwide.

Affected Versions

The vulnerability impacts all supported versions of cPanel/WHM. The issue is tracked as CVE‑2026‑41940.

How the Bug Works

• The flaw enables remote attackers to bypass the login screen.
• Once inside, they obtain unrestricted access to the administration panel, including server configurations, email accounts, databases, and website files.

Potential Impact

Given the ubiquity of cPanel/WHM across the web‑hosting industry, unpatched installations could allow attackers to compromise large numbers of websites, especially those on shared‑hosting environments.

Official Advisories

• Canadian Centre for Cyber Security issued an advisory warning that exploitation is “highly probable” and that immediate remediation is required: AL26‑008 advisory.

Responses from Hosting Providers

• Namecheap blocked access to customers’ cPanel panels pending patches: status update.
• HostGator confirmed that it has patched its systems and labeled the issue a “critical authentication‑bypass exploit”: patch announcement.

Evidence of Exploitation

KnownHost reported attempts to exploit the vulnerability as early as February 23.

• CEO Daniel Pearson noted that roughly 30 servers showed signs of unauthorized access attempts out of thousands on the network: Reddit comment.
• The company briefly blocked access before applying patches: forum post.

cPanel has released a security fix for related tools, such as WP Squared: changelog.

Recommendations

1. Apply the latest security update for cPanel/WHM immediately.
2. Verify that your hosting provider has patched the vulnerability.
3. Monitor logs for suspicious login attempts or unauthorized access.
4. Consider additional hardening measures (e.g., two‑factor authentication, IP restrictions).

References

• CVE‑2026‑41940 details: https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026
• Canadian advisory: https://www.cyber.gc.ca/en/alerts-advisories/al26-008-vulnerability-affecting-cpanel-webhost-manager-whm-cve-2026-41940
• Namecheap status update: https://www.namecheap.com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026/
• HostGator patch announcement: https://www.hostgator.com/help/article/centos6-cpanel-vulnerability
• KnownHost Reddit comment: https://www.reddit.com/r/cpanel/comments/1syyajp/comment/oiz12pp/?utm_source=BC
• KnownHost forum discussion: https://www.knownhost.com/forums/threads/cpanel-zero-day-exploit-network-wide-protections-in-place-for-cpanel-and-whm-logins-ports.6599/
• WP Squared changelog: https://docs.wpsquared.com/changelogs/versions/changelog/#cpanel-related-changes