Critical Remote Code Execution Vulnerability in WHM/cPanel and WP Squared (CVE-2026-41940) Actively Exploited
What Happened — A remote code execution (RCE) flaw (CVE-2026-41940) in WHM, cPanel and WP Squared allows unauthenticated attackers to bypass authentication, gain full WHM API access and execute arbitrary commands as root. The vulnerability has been listed in CISA's KEV catalog and is being actively weaponized, with threat actors deploying ransomware, botnets and credential-harvesting tools.
Why It Matters for TPRM —
- The flaw affects widely-used hosting control panels, exposing any third-party service that relies on them.
- Exploitation can lead to ransomware infection, data loss, and compromise of downstream customer environments.
- Early exploitation (Feb 2026) predates the vendor patch, highlighting the need for rapid patch management and monitoring.
Who Is Affected — Web-hosting providers, SaaS platforms, managed service providers, government agencies and enterprises that host applications on cPanel/WHM or use WP Squared.
Recommended Actions —
- Verify that all WHM/cPanel and WP Squared instances are patched to the versions listed in the advisory.
- Conduct active scanning for the vulnerable versions and for signs of exploitation (unexpected WHM API calls, Go-based encryptors).
- Review third-party contracts for hosting services and enforce patch-as-a-service clauses.
Technical Notes — The attack vector is a series of crafted HTTP requests that trigger a flaw in the WHM API, leading to root-level code execution without credentials. Exploitation has been observed delivering the "Sorry" ransomware encryptor, Mirai botnet implants, and credential-harvesting modules.
Source: CIS Advisories