Solutions
Solutions
All in one solution
Overview
Managed XDR
Keep my IT safe 24/7
24/7 Incident Response
Restore business operations
Integrations
Cyber Insurance
Ensure business continuity
Security Awareness
Improve security culture
Eye Log
12 months of EU-native log retention
Industry
All sectors
Logistics
Manufacturing
Professional services
Healthcare
Partners
Partner Network
For Brokers & Risk Advisors
Lower your clients' cyber risk.
For Managed Service Providers (MSP)
Expand your offer with cybersecurity.
Case studies
Customer protection
Jan de Rijk
Logistics
Avi Medical
Healthcare
KeyTec Netherlands
Manufacturing
Van der Most Transport
Logistics
SHG Groep
Healthcare
Zimmer Group
Manufacturing
KlaassenGroep
Construction
GOED Belgium
Healthcare
Plans
Resources
Resources
Blog
News from the front lines
Resource Library
Guides and brochures
Knowledge Base
Customer login
Free Anti-spoofing Tool
Sign up to get started
NIS2 Resource Hub
The latest news around NIS2
Eye Research
Tech blog and real-world incidents
Trend Report 2026
Insights from 630 cyber investigations
Glossary of Terms
An overview of cybersecurity terms
Learning Hub
Understand the building blocks
Webinars & Events
All digital & live events at a glance
Company
About
News
Careers
Contact
Press
Talk to us
Take a tour
Solutions
Back
Solutions
All in one solution
Managed XDR
24/7 Incident Response
Integrations
Cyber Insurance
Security Awareness
Eye Log
Industry
All sectors
Logistics
Manufacturing
Professional services
Healthcare
Partners
Back
Partner Network
For Brokers & Risk Advisors
For Managed Service Providers (MSP)
Case studies
Back
Customer protection
Jan de Rijk
Avi Medical
KeyTec Netherlands
Van der Most Transport
SHG Groep
Zimmer Group
KlaassenGroep
GOED Belgium
Plans
Resources
Back
Resources
Blog
Resource Library
Knowledge Base
Free Anti-spoofing Tool
NIS2 Resource Hub
Eye Research
Trend Report 2026
Glossary of Terms
Learning Hub
Webinars & Events
Company
About
News
Careers
Contact
Press
Book a demo
Incident Hotline

cPanel: Know if you’re exposed. Act before threat actors do.

A critical cPanel and WHM authentication bypass vulnerability, CVE-2026-41940, is being actively exploited. If you run cPanel, WHM, WP Squared, or host customer websites, you need to verify your exposure, patch status, and signs of compromise now.

Unsure whether your cPanel or WHM servers are exposed or already compromised? Eye Security can help with:

  • cPanel/WHM exposure review
  • confirming patch status
  • reviewing IOCs and signs of compromise
  • assessing persistence or backdoor risk
  • temporary EDR/MDR monitoring options
cPanel CVE-2026-41940: Check exposure, patch status, and compromise risk

cPanel: Know if you’re exposed. Act before threat actors do.

A critical cPanel and WHM authentication bypass vulnerability, CVE-2026-41940, is being actively exploited. If you run cPanel, WHM, WP Squared, or host customer websites, you need to verify your exposure, patch status, and signs of compromise now.

Unsure whether your cPanel or WHM servers are exposed or already compromised? Eye Security can help with:

  • cPanel/WHM exposure review

  • confirming patch status

  • reviewing IOCs and signs of compromise

  • assessing persistence or backdoor risk

  • temporary EDR/MDR monitoring options

Get urgent cPanel support
Book a consultation
cPanel vulnerability

cPanel CVE-2026-41940: Know if you’re exposed. Act before threat actors do.

A critical cPanel and WHM authentication bypass vulnerability, CVE-2026-41940, is being actively exploited. If you run cPanel, WHM, WP Squared, or host customer websites, you need to verify your exposure, patch status, and signs of compromise now.

Unsure whether your cPanel or WHM servers are exposed or already compromised? Eye Security can help with a cPanel/WHM exposure review, confirming patch status, reviewing IOCs and signs of compromise, assessing persistence or backdoor risk, and temporary EDR/MDR monitoring options.

 

Get urgent cPanel support
Book a consultation
cPanel vulnerability

NCSC-NL advises organisations to install the available updates as soon as possible.

Contact your IT provider if you are unsure whether you are using a vulnerable version

checkmark 1
CVE: CVE-2026-41940
checkmark 2
Affected products: cPanel, WHM, WP Squared
checkmark 6
Priority: Patch now, then check for persistence or backdoors

 

checkmark 4
NCSC-NL rating: High likelihood / high impact

 

checkmark 5
Status: Actively exploited in the wild

 

check mark 3
Risk: Authentication bypass leading to WHM access with root privileges

If you run cPanel or WHM, take these steps.

Asset 3
Check if cPanel/WHM is exposed to the internet
Exposed management interfaces increase risk, especially for hosting and MSP environments.
Asset 2
Confirm version and patch status
Make sure your cPanel, WHM, or WP Squared installation is updated to a fixed version.
Asset 5
Assume patching may not remove persistence

If threat actors accessed the environment before patching, they may have planted backdoors.

Asset 4
Review logs and IOCs
Look for suspicious authentication activity, unexpected WHM access, unusual process execution, newly created users, changed configuration, or unexplained website modifications.
Asset 7
Monitor continuously after remediation

Watch for delayed activation of web shells, credential use, new admin activity, or suspicious outbound traffic.

Asset 3
Check if cPanel/WHM is exposed to the internet
Exposed management interfaces increase risk, especially for hosting and MSP environments.
Asset 2
Confirm version and patch status
Make sure your cPanel, WHM, or WP Squared installation is updated to a fixed version.
Asset 5
Assume patching may not remove persistence

If threat actors accessed the environment before patching, they may have planted backdoors.

Asset 4
Review logs and IOCs
Look for suspicious authentication activity, unexpected WHM access, unusual process execution, newly created users, changed configuration, or unexplained website modifications.
Asset 7
Monitor continuously after remediation

Watch for delayed activation of web shells, credential use, new admin activity, or suspicious outbound traffic.

What happened and how Eye Security can help now.

cPanel vulnerability

A critical cPanel vulnerability is under active exploitation

CVE-2026-41940 affects cPanel and WHM versions after 11.40 and before patched releases. The vulnerability can allow unauthenticated remote attackers to bypass authentication and gain unauthorised access to the WHM control panel with root privileges.

For hosting providers, MSPs, and organisations managing multiple websites, the impact can be significant. A compromised cPanel/WHM server can expose hosted websites, databases, credentials, and customer environments.

At least 44,000 IP addresses are likely compromised and involved in scanning and brute-force activity around April 30, according to Shadowserver data.

cPanel vulnerability
A critical cPanel vulnerability is under active exploitation

CVE-2026-41940 affects cPanel and WHM versions after 11.40 and before patched releases. The vulnerability can allow unauthenticated remote attackers to bypass authentication and gain unauthorised access to the WHM control panel with root privileges.

For hosting providers, MSPs, and organisations managing multiple websites, the impact can be significant. A compromised cPanel/WHM server can expose hosted websites, databases, credentials, and customer environments.

At least 44,000 IP addresses are likely compromised and involved in scanning and brute-force activity around April 30, according to Shadowserver data.

Business email compromise is the new threat to the German mid-market

One vulnerable control panel can become many customer problems

cPanel is widely used by hosting providers, MSPs, and IT service providers to manage websites and server environments at scale. When threat actors gain privileged access, they can:

  • access or alter hosted websites
  • steal credentials or configuration data
  • plant backdoors for later use
  • move across hosted environments
  • hide traces of compromise
  • return after patching if persistence remains

Patching may not be enough if exploitation happened before the update was applied.

Business email compromise is the new threat to the German mid-market
One vulnerable control panel can become many customer problems

cPanel is widely used by hosting providers, MSPs, and IT service providers to manage websites and server environments at scale. When threat actors gain privileged access, they can:

  • access or alter hosted websites
  • steal credentials or configuration data
  • plant backdoors for later use
  • move across hosted environments
  • hide traces of compromise
  • return after patching if persistence remains

Patching may not be enough if exploitation happened before the update was applied.

cPanel exposure review

Eye Security moved overnight to protect European customers

When the cPanel unauthenticated RCE risk emerged, Eye Security’s research and SOC teams moved fast.

Within hours, we:

  • analysed the vulnerability
  • reproduced the authentication bypass and root-level access path
  • scanned across our customer base
  • identified cPanel instances across dozens of customers
  • verified whether environments were patched, mitigated, or still at risk
  • began sharing indicators and scripts with the wider security community

Most identified customer environments were already safe, patched, or mitigated. But for organisations that are unsure of their cPanel status, the risk remains real.

cPanel exposure review
Eye Security moved overnight to protect European customers

When the cPanel unauthenticated RCE risk emerged, Eye Security’s research and SOC teams moved fast.

Within hours, we:

  • analysed the vulnerability
  • reproduced the authentication bypass and root-level access path
  • scanned across our customer base
  • identified cPanel instances across dozens of customers
  • verified whether environments were patched, mitigated, or still at risk
  • began sharing indicators and scripts with the wider security community

Most identified customer environments were already safe, patched, or mitigated. But for organisations that are unsure of their cPanel status, the risk remains real.

 

Urgent cPanel exposure support for European organisations

Eye Security can help MSPs, web hosters, and organisations running cPanel understand whether they are exposed and what to do next.

Where we support:

  • cPanel/WHM exposure review
  • detection of potentially affected assets
  • guidance on patching and mitigation
  • IOC-based checks
  • EDR/MDR monitoring for suspicious post-compromise activity
  • incident response support if compromise is suspected
  • support for MSPs managing multiple customer environments

For MSPs and hosting providers, we can also discuss temporary monitoring options for cPanel servers where compromise cannot be confidently ruled out.

cPanel CVE-2026-41940: Check exposure, patch status, and compromise risk