Critical Authentication Bypass in cPanel (CVE‑2026‑41940) Threatens Web‑Hosting Providers
What It Is – A remote authentication‑bypass vulnerability (CVE‑2026‑41940) affects cPanel/WHM versions after 11.40, allowing attackers to obtain administrative access without valid credentials. The flaw scores 9.3 (CVSS v3.1) and is listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
Exploitability – Active exploitation has been observed in the wild since February 2026, with ≈ 44K unique IP addresses seen probing or exploiting the flaw on public honeypots. Proof‑of‑concept detection artifacts and exploit scripts are publicly available.
Affected Products – cPanel & WHM (all releases after 11.40) – the de‑facto control panel for shared‑hosting, VPS, and dedicated‑server environments.
TPRM Impact –
- Third‑party web‑hosting services that rely on cPanel become a direct attack surface for downstream customers.
- Compromise can lead to unauthorized modification of hosted sites, theft of client data, and potential ransomware deployment on compromised servers.
Recommended Actions –
- Inventory all cPanel/WHM instances across your vendor ecosystem.
- Patch to the latest cPanel release (≥ 11.40 + security patch) no later than the CISA deadline (May 3, 2026).
- Deploy the watchTowr Detection Artifact Generator to scan for vulnerable hosts.
- Enforce multi‑factor authentication for all privileged cPanel accounts.
- Monitor for anomalous login activity and indicator‑of‑compromise (IoC) feeds from Shadowserver and CISA.
Source: Security Affairs