Xpj0311

Critical cPanel & WHM Authentication Bypass Flaw Exploited in Wild – Urgent Patch Required

Last updated: 2026-05-01 17:18:51

Active Exploitation of CVE-2026-41940 Triggers Emergency Alerts

A severe authentication bypass vulnerability in cPanel and WHM, tracked as CVE-2026-41940, is now being actively exploited in the wild. The flaw allows unauthenticated remote attackers to gain full administrative access to hosting control panels.

Source: hnrss.org

WatchTowr Labs, which discovered the vulnerability, reported that the exploit requires no user interaction and works against default configurations. Security teams worldwide are scrambling to apply emergency patches.

“This is one of the most critical vulnerabilities we've seen in the hosting ecosystem,” said Dr. Elena Maris, a senior researcher at WatchTowr. “An attacker can essentially bypass all authentication checks and control the entire server.”

cPanel and WHM power millions of web hosting servers globally. The flaw undermines the security of shared, reseller, and dedicated hosting environments.

Background

cPanel is a widely used Linux-based hosting control panel, and WHM (WebHost Manager) provides server administration. Together they manage accounts, domains, email, and security settings.

CVE-2026-41940 was privately disclosed to the vendor on January 10, 2026. A patch was released on February 15, 2026, but many servers remain unpatched due to delayed updates.

According to Shodan scans, over 250,000 cPanel instances are exposed online. WatchTowr detected active exploitation attempts within 24 hours of the patch release, indicating threat actors had reverse-engineered the fix.

“We observed attacks originating from multiple IP ranges, including cloud infrastructure from AWS and DigitalOcean,” said Mike Tran, a threat intelligence analyst at CyberSec.io. “The exploitation is automated and widespread.”

What This Means

Web hosting providers must immediately update all cPanel/WHM installations to the latest version (96.0.20 or higher). Failure to do so could lead to complete server compromise, data theft, and malware distribution.
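
One way to check a fleet against the fixed release named above, as an added example that is not from the article or from cPanel: it reads `host version` lines (a hypothetical inventory format), treats a leading `11.` on four-part versions as a legacy prefix (an assumption), and flags anything below 96.0.20. The hostnames and versions are constructed.

```sh
#!/bin/sh
# Added example: flag hosts below the fixed release named in the article.
MIN_FIXED="96.0.20"   # "96.0.20 or higher", from the article

# Trim whitespace; drop a leading "11." when four components are present
# (assumption: some installs report 11.<major>.<minor>.<build>).
normalise() {
  v="$(printf '%s' "$1" | tr -d '[:space:]')"
  case "$v" in 11.*.*.*) v="${v#11.}" ;; esac
  printf '%s' "$v"
}

# Return 0 when dotted version $1 >= $2, compared numerically per component.
version_ge() {
  va="$1"; vb="$2"
  while [ -n "$va" ] || [ -n "$vb" ]; do
    x="${va%%.*}"; y="${vb%%.*}"
    case "$va" in *.*) va="${va#*.}" ;; *) va="" ;; esac
    case "$vb" in *.*) vb="${vb#*.}" ;; *) vb="" ;; esac
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
  done
  return 0
}

# Print PATCHED, VULNERABLE or UNKNOWN for one reported version string.
classify() {
  v="$(normalise "$1")"
  case "$v" in ''|*[!0-9.]*|.*|*.|*..*) echo UNKNOWN; return 0 ;; esac
  if version_ge "$v" "$MIN_FIXED"; then echo PATCHED; else echo VULNERABLE; fi
}

# Read "host version" lines on stdin; exit status 1 if any host is not PATCHED.
audit_inventory() {
  rc=0
  while read -r host ver rest; do
    case "$host" in ''|'#'*) continue ;; esac
    status="$(classify "$ver")"
    [ "$status" = PATCHED ] || rc=1
    printf '%-20s %-10s %s\n' "$host" "$status" "${ver:-?}"
  done
  return "$rc"
}

# Constructed sample inventory (hostnames and versions are made up).
sample_inventory() {
  printf '%s\n' 'web01.example.test 96.0.20' 'web02.example.test 96.0.19' \
    'web03.example.test 11.96.0.21' 'web04.example.test 100.0.1' \
    'web05.example.test unknown'
}

sample_inventory | audit_inventory || echo "hosts need patching or review"
```

The non-zero exit status from `audit_inventory` lets the check gate a deployment or raise an alert; hosts reported as UNKNOWN need a manual look, not an assumption that they are patched.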

Site owners should verify that their hosting company has applied the patch and enable two-factor authentication if available. Shared hosting environments are especially at risk; a single compromised server can affect hundreds of websites.

Long-term, this vulnerability highlights the risks of using widely deployed control panel software with complex authentication mechanisms. Experts recommend segmenting servers and implementing strict firewall rules.

“The internet is falling down, truly,” warned WatchTowr’s Maris. “Every hour a vulnerable server remains online increases the chance of a breach.”

For more details, read the original disclosure from WatchTowr Labs.