Over 40,000 Servers Compromised in Ongoing cPanel Exploitation

More than 40,000 servers have likely been compromised as attackers ramp up exploitation of a recently patched cPanel zero-day.

As part of the ongoing campaign, non-profit organization The Shadowserver Foundation says threat actors are exploiting CVE-2026-41940, a critical authentication-bypass vulnerability in cPanel & WebHost Manager (WHM), a server and website management platform.

Disclosed on April 28, the security defect provides unauthenticated attackers with administrative access to cPanel, allowing them to take over the host system and compromise all configurations, databases, and websites the platform manages.

The issue can be exploited via special characters in authorization headers to write parameters to a session file, then trigger a reload of the session file to authenticate using the injected administrative credentials.

CVE-2026-41940 was likely exploited as a zero-day since late February, with activity spiking after the public disclosure and after the threat intelligence firm WatchTowr published technical details.

Last week, Rapid7 warned that there were roughly 1.5 million cPanel instances accessible from the internet, and on Friday The Shadowserver Foundation was seeing tens of thousands of likely compromised systems.

“44K unique IP number is based on cPanel spike of devices seen scanning/running exploits/brute force attacks against our honeypot sensors,” the organization said.

As of May 3, that number has dropped significantly, data from The Shadowserver Foundation shows. Many of the affected systems are in the US, with France and the Netherlands rounding out the top three.

Figure: Compromised cPanel instances

With all cPanel versions after 11.40 vulnerable, users are advised to update to a patched release as soon as possible and to follow cPanel’s instructions on identifying and addressing potential compromises.

cPanel & WHM versions 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.124.0.35, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, and 11.136.0.5, and WP Squared version 136.1.7 contain the fixes, cPanel’s updated advisory shows.
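To triage a fleet against the fixed builds listed above, the following added example (not code from cPanel or from this article) classifies cPanel & WHM version strings per release tier. The status labels, the treatment of tiers with no listed fix, and the function names are assumptions, and WP Squared is not covered.

```python
# Added example: triage cPanel & WHM versions against the fixed builds the
# article lists. Status labels and tier handling are assumptions.
FIXED_BUILDS = [
    "11.86.0.41", "11.110.0.97", "11.118.0.63", "11.124.0.35", "11.126.0.54",
    "11.130.0.19", "11.132.0.29", "11.134.0.20", "11.136.0.5",
]
AFFECTED_AFTER = (11, 40)  # article: all versions after 11.40 are vulnerable

def parse(version):
    """'11.136.0.5' -> (11, 136, 0, 5); raises ValueError on malformed input."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected four dotted numbers, got {version!r}")
    return parts

# Map each release tier (first two components) to its first fixed build.
FIX_BY_TIER = {parse(v)[:2]: parse(v) for v in FIXED_BUILDS}
NEWEST_FIXED_TIER = max(FIX_BY_TIER)

def triage(version):
    """Return (status, detail) for one installed version string."""
    v = parse(version)
    tier = v[:2]
    if tier <= AFFECTED_AFTER:
        return "not-listed-as-affected", "at or below 11.40"
    fix = FIX_BY_TIER.get(tier)
    if fix is None:
        if tier > NEWEST_FIXED_TIER:
            return "unknown", "tier newer than any listed fix; check the advisory"
        return "vulnerable", "no fixed build listed for this tier; move to a fixed tier"
    fixed_str = ".".join(map(str, fix))
    if v >= fix:
        return "patched", f"at or above {fixed_str}"
    return "vulnerable", f"update to {fixed_str} or later"

def triage_fleet(inventory):
    """inventory: {hostname: version}. Returns hosts needing action, worst first."""
    order = {"vulnerable": 0, "unknown": 1, "invalid": 2}
    rows = []
    for host, version in inventory.items():
        try:
            status, detail = triage(version)
        except ValueError as exc:
            status, detail = "invalid", str(exc)
        if status in order:
            rows.append((host, status, detail))
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))
```

A "patched" result only means the installed build contains the fix. Because exploitation predates the patch, such hosts still need the compromise checks from cPanel's instructions.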

The US cybersecurity agency CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities (KEV) catalog on Thursday, urging federal agencies to patch it within four days.