First reports come in of victims of critical cPanel vuln as 'millions' of sites potentially exposed
(2026/05/01)
- Reference: 1777641015
- News link: https://www.theregister.co.uk/2026/05/01/critical_cpanel_vuln_hits_cisa/
- Source link:
CISA has added a critical cPanel bug to its known-exploited list, confirming that attackers are already poking holes in one of the internet's most widely used hosting stacks.
The vulnerability, tracked as [1]CVE-2026-41940, carries a near-worst-case CVSS score of 9.8 and affects all supported versions of cPanel and WebHost Manager (WHM) released after version 11.40, along with WP Squared, a WordPress management layer built on top of the same platform.
In plain terms, a successful exploit can hand over full control of the server.
The US government's cybersecurity agency [3]added the flaw to its Known Exploited Vulnerabilities catalog on Thursday, confirming attackers are not waiting around. By the time cPanel shipped a [4]patch on Tuesday, exploitation was already underway.
Hosting provider KnownHost has been more explicit about what that looked like in practice, warning customers it had seen successful exploitation attempts before any fix was available. In a [7]Reddit post, the company's CEO, Daniel Pearson, said the provider had "seen execution attempts as early as 2/23/2026" and urged users to restrict access and assume systems could already be compromised if left unpatched.
Another hosting provider, Namecheap, [8]says it temporarily blocked access to cPanel and WHM, effectively slamming the door shut until fixes were ready. It has since begun rolling out updates.
There are also early signs of what those attackers are up to once they get in. A small business owner posting on Reddit said their company had been hit by ransomware after running what they described as a fairly standard cPanel setup, adding that their hosting provider appeared to be struggling under the weight of the incident. The attackers, they said, demanded $7,000 to unlock systems.
The claim is anecdotal, but if it holds up, it suggests this bug is already being used by criminals to lock up systems, not just lurk quietly or skim data in the background.
It's not yet known how many organizations have been impacted by the vulnerability, but security firm [14]Rapid7 used Shodan to identify roughly 1.5 million internet-exposed cPanel instances.
cPanel underpins hosting for tens of millions of sites, many run by small outfits that rely on providers to handle security. For them, "patch now" often means "wait and hope," which is not a great place to be when a near-max severity bug is already being weaponized. ®
[1] https://nvd.nist.gov/vuln/detail/CVE-2026-41940
[3] https://www.cisa.gov/news-events/alerts/2026/04/30/cisa-adds-one-known-exploited-vulnerability-catalog
[4] https://www.theregister.com/2026/04/30/cpanel_whn_cves/
[7] https://www.reddit.com/r/cpanel/comments/1syyajp/comment/oiz12pp/?utm_source=BC
[8] https://www.namecheap.com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026/
[10] https://www.theregister.com/2026/04/30/cpanel_whn_cves/
[11] https://www.theregister.com/2025/07/23/linux_dev_site_windows/
[12] https://www.theregister.com/2024/12/09/aws_credentials_stolen/
[13] https://www.theregister.com/2023/02/20/in_brief_security/
[14] https://www.rapid7.com/blog/post/etr-cve-2026-41940-cpanel-whm-authentication-bypass/
Anonymous Coward
Phew!
Thank goodness my site and email are fully backed up. Looking forward to a little light entertainment with the ransomware demand.
Reposted as AC so as not to spoil the fun.
Dr Paul Taylor
When was the 23rd month of this year?
If people must use this irrational order for giving dates, at least give the name of the month.
Wow, when I checked just now, my low-rent hosting provider had already upgraded to a fixed version. I wasn’t expecting that!