★ 9/10 · General · 2026-05-01

First reports come in of victims of critical cPanel vuln as 'millions' of sites potentially exposed

Summary

A critical vulnerability, CVE-2026-41940, has been identified in cPanel and WebHost Manager (WHM), allowing for full server takeover. The flaw is actively being exploited in the wild and has been added to the CISA Known Exploited Vulnerabilities catalog.

Key Points

  • CVE-2026-41940 carries a CVSS score of 9.8.
  • Affected software includes all supported versions of cPanel and WebHost Manager (WHM) released after version 11.40, as well as the WP Squared WordPress management layer.
  • Exploitation was documented as occurring prior to the release of official patches.
  • Approximately 1.5 million internet-exposed cPanel instances have been identified via Shodan.
  • Successful exploits have been linked to ransomware deployment and complete system compromise.

Technical Details

CVE-2026-41940 is a critical vulnerability affecting the cPanel/WHM hosting stack, including the WP Squared management layer. A successful exploit gives an attacker full control over the underlying server. The vulnerability was exploited as a zero-day, with exploitation attempts observed as early as February 23, 2026, before the patch was released. The specific exploit vector (such as a particular API endpoint or file upload mechanism) is not explicitly detailed, but the CVSS 9.8 rating and the observed impact on hosting providers confirm its critical nature.

Impact / Why It Matters

Administrators of cPanel-based environments must immediately apply patches to prevent unauthorized access and ransomware attacks. Systems that remain unpatched are at high risk of complete compromise due to active, widespread exploitation.
