cPanel CVE-2026-41940: Act before threat actors do.

A critical cPanel and WHM authentication bypass vulnerability, CVE-2026-41940, has been actively exploited since as early as February 2026. If you run cPanel, WHM, or WP Squared, or host customer websites, you need to verify patch status and check for signs of compromise. You should also assume breach, because attackers were actively exploiting the vulnerability months before the patch came out.

Unsure whether your cPanel or WHM servers are exposed or already compromised? Eye Security can help with:

  • cPanel/WHM exposure review
  • confirming patch status
  • an assume breach approach
  • deploying EDR with 24/7 SOC as a tripwire for active infection or potential backdoors

NCSC-NL advises organisations to install the available updates as soon as possible.

 

If you run cPanel or WHM, take these steps.

What happened and how Eye Security can help now.

cPanel vulnerability

A critical cPanel vulnerability is under active exploitation

CVE-2026-41940 affects cPanel and WHM versions after 11.40 and before patched releases. The vulnerability can allow unauthenticated remote attackers to bypass authentication and gain unauthorised access to the WHM control panel with root privileges.

For hosting providers, MSPs, and organisations managing multiple websites, the impact can be significant. A compromised cPanel/WHM server can expose hosted websites, databases, credentials, and customer environments.

At least 44,000 IP addresses are likely compromised and involved in scanning and brute-force activity around April 30, according to Shadowserver data.


One vulnerable control panel can become many customer problems

cPanel is widely used by hosting providers, MSPs, and IT service providers to manage websites and server environments at scale. When threat actors gain privileged access, they can:

  • access or alter hosted websites
  • steal credentials or configuration data
  • plant backdoors for later use
  • move across hosted environments
  • hide traces of compromise
  • return after patching if persistence remains

Patching may not be enough if exploitation happened before the update was applied.


cPanel exposure review

Eye Security moved overnight to protect European customers

When the cPanel unauthenticated RCE risk emerged, Eye Security’s research and SOC teams moved fast.

Within hours, we:

  • analysed the vulnerability
  • reproduced the authentication bypass and root-level access path
  • scanned across our customer base
  • identified cPanel instances across dozens of customers
  • verified whether environments were patched, mitigated, or still at risk
  • began sharing indicators and scripts with the wider security community

Most identified customer environments were already safe, patched, or mitigated. But for organisations that are unsure of their cPanel status, the risk remains real.


cPanel: Frequently Asked Questions.


What is CVE-2026-41940?

CVE-2026-41940 is a critical authentication bypass vulnerability affecting cPanel and WHM. Public advisories describe it as a vulnerability in the login flow that can allow unauthenticated remote attackers to gain unauthorised access to the control panel. NCSC advisories also note public proof-of-concept code and reports of active exploitation.

In practical terms, this means an attacker may be able to access WHM without valid credentials. Because WHM is used to administer hosting environments, successful exploitation can create serious risk for websites, databases, server configurations, credentials, and customer environments hosted on the affected server.

Why is this vulnerability serious?

cPanel and WHM are widely used by hosting providers, MSPs, web agencies, and organisations managing multiple websites or customer environments. A single compromised WHM server can therefore become a broader business and customer-impact issue.

The vulnerability is especially serious because it affects the authentication layer. Attackers do not necessarily need to steal a password first; the risk is that they can bypass authentication and access the control panel directly. Security reporting has described the issue as actively exploited in the wild, with emergency updates released for affected cPanel, WHM, and WP Squared versions.

Which products and versions are affected by CVE-2026-41940?

The vulnerability affects cPanel, WHM, and WP Squared. Public reporting indicates that supported cPanel and WHM versions after 11.40 were affected before patched releases became available.

If you run cPanel/WHM or manage hosting environments for customers, you should verify your version and confirm that the relevant security update has been applied.

Is CVE-2026-41940 being actively exploited?

Yes. Multiple public sources report active exploitation of CVE-2026-41940 in the wild. NCSC advisories mention public PoC code and reports of active exploitation, while security reporting has described exploitation attempts dating back before public disclosure.

That is why organisations should not treat this as a routine patching task. If your cPanel/WHM instance was exposed before patching, you should also check for signs of compromise.

Is patching CVE-2026-41940 enough to secure cPanel or WHM?

Patching is the first priority, but it may not be enough on its own. If exploitation occurred before the update was applied, attackers may already have accessed the environment. Depending on what they did, they may have created persistence, added or modified accounts, changed configuration, altered hosted websites, planted web shells, stolen credentials, or left backdoors for later use. This is why a response should include three steps:

  1. Patch or confirm mitigation
  2. Check for indicators of compromise
  3. Monitor for suspicious post-patch activity

Patching closes the known vulnerability. It does not automatically prove the server was never accessed before the patch.

Who is most at risk from the cPanel CVE-2026-41940 vulnerability?

The highest-risk groups are:

  • MSPs managing customer hosting environments
  • web hosting providers
  • web agencies maintaining customer websites
  • organisations running internet-exposed cPanel/WHM servers
  • companies using cPanel to manage multiple websites, databases, or customer environments

The risk is higher when WHM/cPanel management interfaces are publicly accessible, patch status is unclear, or there has been no post-patch compromise assessment.

Can one vulnerable cPanel server affect multiple websites or customers?

Yes. This is one of the main concerns. cPanel and WHM are commonly used to manage many websites from one administrative environment. If a threat actor gains privileged access to WHM, the potential impact can extend beyond one website. It may affect multiple hosted domains, databases, user accounts, configuration files, and customer environments. For MSPs and hosting providers, this makes the issue both a technical risk and a customer trust issue.

Can Eye Security check whether we are affected by CVE-2026-41940?

Yes. Eye Security can help assess whether your cPanel/WHM environment is exposed, patched, or showing signs of compromise.

Eye Security can help with:

  • cPanel/WHM exposure review
  • confirming patch status
  • an assume breach approach
  • deploying EDR with 24/7 SOC as a tripwire for active infection or potential backdoors

Can Eye Security help MSPs and hosting providers with cPanel exposure?

Yes. MSPs and hosting providers are a key audience for this support because one vulnerable cPanel/WHM server can affect many downstream customers.

Do we need to be an Eye Security customer to request cPanel support?

No. If you are concerned about cPanel/WHM exposure, you can request support even if you are not currently an Eye Security customer. Our team can help you understand the best next step based on your situation: exposure check, patch validation, compromise assessment, monitoring, or incident response.

What should we do if we suspect our cPanel or WHM server is compromised?

If you suspect compromise, do not rely on patching alone. Preserve relevant logs, avoid making unnecessary changes that could destroy evidence, and contact an incident response team.

Recommended immediate actions:

  • confirm patch status
  • preserve cPanel/WHM, system, web server, and authentication logs
  • restrict external access to management interfaces where possible
  • review admin accounts and recent changes
  • check for web shells, suspicious files, and persistence mechanisms
  • rotate credentials where compromise is suspected
  • monitor closely for suspicious post-patch activity
  • escalate to incident response if there are signs of unauthorised access

For active incidents, use your incident response process or contact Eye Security using the form on this page.

Urgent cPanel exposure support for European organisations

Eye Security can help MSPs, web hosters, and organisations running cPanel understand whether they are exposed and what to do next.

Where we support:

  • cPanel/WHM exposure review
  • confirming patch status
  • an assume breach approach
  • deploying EDR with 24/7 SOC as a tripwire for active infection or potential backdoors

For MSPs and hosting providers, we can also discuss temporary monitoring options for cPanel servers where compromise cannot be confidently ruled out.
