A critical authentication bypass in cPanel, WHM, and WP Squared, tracked as CVE-2026-41940 and rated CVSS 9.8, is under active exploitation in the wild, with attackers using it to seize control of web hosting servers and deploy ransomware. Because cPanel sits beneath a vast share of the world's shared hosting, the blast radius is enormous: a naive Shodan query returns roughly 1.5 million internet-exposed cPanel instances that may be vulnerable.
This is not a theoretical patch-Tuesday item. CISA has flagged the flaw as actively exploited, a proof-of-concept is public, and threat actors are already converting access into encryption.
What the bug does
CVE-2026-41940 lives in the login flow of cPanel and WHM. It allows an unauthenticated, remote attacker to bypass authentication entirely and gain administrative access to the control panel: no credentials, no user interaction. From there, the attacker controls the host system, its configuration and databases, and every website the server manages. On a shared host, that can mean hundreds or thousands of sites compromised from a single break-in.
The vulnerability affects cPanel & WHM versions after the long-standing 11.40 baseline, which covers the overwhelming majority of deployed systems.
Exploited as a zero-day for two months
The timeline is the ugly part. Threat actors began exploiting CVE-2026-41940 as early as February 23, 2026, roughly two months before cPanel shipped its emergency patch on April 28, 2026. That means a large population of servers was being silently breached well before any fix or advisory existed. Following public disclosure, exploitation escalated rather than tapered, as opportunistic actors picked up the now-public technique.
The most damaging post-exploitation activity observed so far is the deployment of a Go-based Linux encryptor tied to the "Sorry" ransomware campaign. Attackers bypass authentication, establish control of the cPanel host, and then encrypt the server and the sites it hosts: a clean path from unauthenticated request to full extortion.
Who is exposed
The risk concentrates on self-managed, on-premise deployments of cPanel & WHM and WP Squared: small hosting providers, agencies, resellers, and businesses running their own servers. These are precisely the operators least likely to patch on an emergency timeline and most likely to be running exposed management interfaces. With around 1.5 million instances reachable from the internet, the exposed surface dwarfs most enterprise-only vulnerabilities.
What to do now
- Patch immediately. Upgrade to a fixed cPanel & WHM / WP Squared release on an emergency basis. This is the only durable remediation.
- Assume breach if you patched late. Given exploitation since February and escalation after disclosure, a server that was exposed and unpatched for any meaningful window should be treated as potentially compromised.
- Hunt for the "Sorry" encryptor and unexpected Go binaries, plus new admin accounts, cron jobs, or web shells dropped via the control panel.
- Restrict access to WHM/cPanel management interfaces; IP allowlisting and VPN-only access dramatically shrink the attack surface for the next bug, too.
- Review backups and confirm they are offline/immutable before you need them. Ransomware that reaches a hosting control plane often reaches the backups stored alongside it.
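As an added example (not from the article or any of its sources), a small Python triage helper for the hunting step above: it flags ELF files that carry the Go linker's build-info marker, files modified since the February 23, 2026 start of observed exploitation, and non-root UID 0 accounts in passwd-style text. The file names and contents in `build_sample_tree` are constructed test data, not real artefacts; point `triage_tree` at real web roots, cron and home directories instead.

```python
import os
import tempfile
from datetime import datetime, timezone

# First observed in-the-wild exploitation of CVE-2026-41940 (date from the article).
EXPLOIT_WINDOW_START = datetime(2026, 2, 23, tzinfo=timezone.utc)
ELF_MAGIC = b"\x7fELF"
GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"  # written into every Go binary since Go 1.13

def is_go_elf(path, max_read=8 * 1024 * 1024):
    """True if path is an ELF file carrying the Go build-info marker (read is capped)."""
    try:
        with open(path, "rb") as f:
            data = f.read(max_read)
    except OSError:
        return False
    return data.startswith(ELF_MAGIC) and GO_BUILDINFO_MAGIC in data

def triage_tree(root, since=EXPLOIT_WINDOW_START):
    """Flag Go ELF binaries and any file modified since the exploitation window opened."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            mtime = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
            go, recent = is_go_elf(path), mtime >= since
            if go or recent:
                findings.append({"name": name, "path": path, "go_binary": go, "modified_in_window": recent})
    return findings

def extra_uid0_accounts(passwd_text):
    """Usernames other than root with UID 0 in /etc/passwd-style text (added admin accounts)."""
    rows = (line.split(":") for line in passwd_text.splitlines())
    return [r[0] for r in rows if len(r) >= 3 and r[2] == "0" and r[0] != "root"]

def build_sample_tree():
    """Constructed sample tree (not real artefacts): a fake Go ELF, an old file, a new file."""
    root = tempfile.mkdtemp()
    old, new = 1_700_000_000, int(datetime(2026, 3, 1, tzinfo=timezone.utc).timestamp())
    samples = {"fake_go_binary": (ELF_MAGIC + b"\0" * 64 + GO_BUILDINFO_MAGIC + b"\0" * 32, old),
               "index.php": (b"<?php // untouched site file\n", old),
               "dropped.php": (b"<?php // constructed file modified inside the window\n", new)}
    for name, (content, mtime) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(content)
        os.utime(path, (mtime, mtime))  # pin mtimes so the window check is deterministic
    return root
```

A Go binary that predates the window is still reported, since the encryptor may have been staged long before it ran; treat a hit as a lead to verify, not a verdict.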
The takeaway
An unauthenticated CVSS 9.8 auth bypass in software running on a million-plus internet-facing servers is close to a worst-case combination, and the two-month zero-day window means the patch is necessary but not sufficient. If you run cPanel, WHM, or WP Squared on your own infrastructure, patching today is the floor; verifying you weren't already hit is the actual work.
Sources
- Rapid7 - CVE-2026-41940: cPanel & WHM Authentication Bypass
- BleepingComputer - Critical cPanel and WHM bug exploited as a zero-day, PoC now available
- CISA / Cato Networks - Threat Brief: CVE-2026-41940 Actively Exploited in the Wild
- Picus Security - CVE-2026-41940 Explained: The Auth Bypass That Hit 1.5M Servers
- Help Net Security - cPanel zero-day exploited for months before patch release