Security Bulletin: Critical cPanel Vulnerability Actively Exploited
Vulnerability: CVE-2026-41940
Description of the vulnerability:
A critical authentication bypass vulnerability has been identified in cPanel & WHM. This vulnerability allows a remote, unauthenticated attacker to gain administrative access to affected systems without valid credentials.
Successful exploitation provides attackers with full control over the hosting environment, including access to web applications, databases, email services, DNS configurations, and user accounts. This level of access can be leveraged to execute arbitrary commands, deploy malware or ransomware, exfiltrate sensitive data, or pivot further into internal systems.
Security researchers have confirmed that this vulnerability is being actively exploited in the wild, with indications that exploitation may have begun prior to public disclosure. Given the widespread use of cPanel across hosting providers, MSPs, and enterprise environments, this vulnerability presents a significant risk to internet-facing infrastructure.
Severity:
This vulnerability is categorized as Critical, with a CVSS score of 9.8.
Active exploitation has been observed, and the vulnerability is particularly dangerous due to the high number of exposed cPanel instances on the internet. Systems with publicly accessible management interfaces are at elevated risk.
Software affected:
cPanel & WHM (multiple versions prior to the latest patched releases)
Internet-facing hosting environments utilizing cPanel
Mitigation:
The recommended action for this vulnerability is to immediately apply the latest security updates provided by cPanel.
Additional recommended actions include:
Restrict access to cPanel/WHM interfaces to trusted IP addresses
Enforce multi-factor authentication (MFA) for all administrative access
Review and limit internet exposure of management interfaces
Validate that logging and monitoring are enabled for administrative activity
Conduct a review of all externally accessible systems for similar exposure
If patching cannot be immediately performed, organizations should consider temporarily disabling or restricting access to cPanel services until remediation can be completed.
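As a first pass at reviewing management-interface exposure, the added example below (not part of the original bulletin and not cPanel's own tooling) parses `ss -H -tln` output from a server and reports cPanel/WHM listeners that are not bound to loopback only. The port numbers are the standard cPanel & WHM defaults and are an assumption about the host; the sample output is constructed.

```python
import ipaddress

# Default cPanel & WHM service ports (assumption: not remapped on this host).
MGMT_PORTS = {
    2082: "cPanel", 2083: "cPanel (TLS)",
    2086: "WHM", 2087: "WHM (TLS)",
    2095: "Webmail", 2096: "Webmail (TLS)",
}

# Constructed sample of `ss -H -tln` output (not taken from a real system).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:2087 0.0.0.0:*
LISTEN 0 128 127.0.0.1:2086 0.0.0.0:*
LISTEN 0 128 [::]:2083 [::]:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 10.0.5.12:2082 0.0.0.0:*
"""


def bind_scope(host):
    """Classify a bind address; None means loopback-only (not reachable remotely)."""
    if host == "*":
        return "all interfaces"
    addr = ipaddress.ip_address(host)
    if addr.is_unspecified:
        return "all interfaces"
    if addr.is_loopback:
        return None
    return "private address" if addr.is_private else "public address"


def exposed_listeners(ss_output):
    """Return (port, service, bind address, scope) per non-loopback management listener."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in MGMT_PORTS:
            continue
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and any %iface suffix
        scope = bind_scope(host)
        if scope:
            findings.append((int(port), MGMT_PORTS[int(port)], host, scope))
    return findings


if __name__ == "__main__":
    for port, service, host, scope in exposed_listeners(SAMPLE_SS):
        print(f"{service} on {host}:{port} is bound to {scope}; confirm an allowlist covers it")
```

A listener bound to all interfaces is not necessarily reachable from the internet, but its exposure then depends entirely on the firewall allowlist, so each finding should be matched against a rule restricting that port to trusted IP addresses.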
Related Reading:
NIST CVE-2026-41940, https://nvd.nist.gov/vuln/detail/CVE-2026-41940
How Sedara Can Help
Our Security Operations Center provides 24x7x365 monitoring and response, delivering visibility across your environment to identify threats as they emerge.
With Sedara’s Attack Surface Management capabilities, we help organizations uncover exposed systems, validate control coverage, and prioritize remediation efforts across internal and external environments.
By unifying data from your existing security tools, we enable your team to quickly identify gaps, reduce risk, and take decisive action before attackers do.