SecurityWeek

Over 40,000 Servers Compromised in Ongoing cPanel Exploitation


More than 40,000 servers have likely been compromised as attackers ramp up exploitation of a recently patched cPanel zero-day.

As part of the ongoing campaign, non-profit organization The Shadowserver Foundation says threat actors are exploiting CVE-2026-41940, a critical authentication-bypass vulnerability in cPanel & WebHost Manager (WHM), a server and site management platform.

Disclosed on April 28, the security defect provides unauthenticated attackers with administrative access to cPanel, allowing them to take over the host system and compromise all configurations, databases, and websites the platform manages.

Attackers can exploit the issue by placing special characters in authorization headers to write parameters to a session file, then triggering a reload of that session file to authenticate with the injected administrative credentials.

CVE-2026-41940 was likely exploited as a zero-day since late February, with activity spiking after the public disclosure and after the threat intelligence firm WatchTowr published technical details.

Last week, Rapid7 warned that there were roughly 1.5 million cPanel instances accessible from the internet, and on Friday The Shadowserver Foundation was seeing tens of thousands of potentially compromised systems.


“44K unique IP number is based on cPanel spike of devices seen scanning/running exploits/brute force attacks against our honeypot sensors,” the organization said.

As of May 3, that number has dropped significantly, data from The Shadowserver Foundation shows. Most of the affected systems are in the US, with France and the Netherlands rounding out the top three.

[Figure: Compromised cPanel instances]

With all cPanel versions after 11.40 vulnerable, users are advised to update to a patch release as soon as possible and to follow cPanel’s instructions on identifying and addressing potential compromises.

cPanel & WHM versions 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.124.0.35, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, and 11.136.0.5, and WP Squared version 136.1.7 contain the fixes, cPanel’s updated advisory shows.
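For fleet triage, the fixed builds listed above can be checked per release branch. The following is an added example, not code from cPanel or from this article; the host names are constructed, WP Squared is left out because it uses a separate version scheme, and reading "after 11.40" as exclusive and flagging branches with no listed fix for manual review are assumptions.

```python
import re

# Fixed cPanel & WHM builds as listed in the article.
FIXED = ["11.86.0.41", "11.110.0.97", "11.118.0.63", "11.124.0.35",
         "11.126.0.54", "11.130.0.19", "11.132.0.29", "11.134.0.20",
         "11.136.0.5"]

def parse(version):
    """Turn '11.110.0.97' into (11, 110, 0, 97); reject anything else."""
    text = version.strip()
    if not re.fullmatch(r"\d+(\.\d+){3}", text):
        raise ValueError(f"not a four-part cPanel version: {version!r}")
    return tuple(int(part) for part in text.split("."))

# Minimum fixed build per branch, keyed by (major, minor).
MIN_FIXED = {parse(v)[:2]: parse(v) for v in FIXED}

def classify(version):
    v = parse(version)
    branch = v[:2]
    if branch <= (11, 40):
        # Assumption: "after 11.40" excludes 11.40 itself.
        return "outside-affected-range"
    if branch not in MIN_FIXED:
        # The article lists no fix for this branch; check the advisory.
        return "no-listed-fix"
    # Tuple comparison is numeric, so 0.10 sorts after 0.5 (strings would not).
    return "patched" if v >= MIN_FIXED[branch] else "vulnerable"

def triage(inventory):
    """inventory maps host -> version; returns hosts needing action, worst first."""
    rank = {"vulnerable": 0, "no-listed-fix": 1, "unparseable": 2}
    flagged = []
    for host, version in inventory.items():
        try:
            status = classify(version)
        except ValueError:
            status = "unparseable"
        if status in rank:
            flagged.append((host, version, status))
    return sorted(flagged, key=lambda row: (rank[row[2]], row[0]))

# Constructed sample inventory for illustration.
SAMPLE = {"web01.example": "11.136.0.4", "web02.example": "11.136.0.10",
          "web03.example": "11.120.0.7", "web04.example": "11.110.0.97",
          "web05.example": "unknown"}

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row)
```

A "patched" result only covers the version; hosts that were exposed before updating still need the compromise checks described in cPanel's advisory.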

The US cybersecurity agency CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities (KEV) catalog on Thursday, urging federal agencies to patch it within four days.
