First reports come in of victims of critical cPanel vuln as 'millions' of sites potentially exposed
CISA has added a critical cPanel vulnerability, CVE-2026-41940, to its known-exploited list, confirming active attacks before patches were available. The flaw affects nearly all recent versions of cPanel, WHM, and WP Squared, allowing full server control if exploited. Hosting providers including KnownHost and Namecheap reported exploitation attempts and took emergency measures, with at least one victim receiving a $7,000 ransomware demand.
- CISA added the cPanel vulnerability CVE-2026-41940 to its Known Exploited Vulnerabilities catalog due to active exploitation.
- The vulnerability has a CVSS score of 9.8 and affects all supported cPanel and WHM versions after 11.40, as well as WP Squared.
- KnownHost reported exploitation attempts as early as February 23, 2026, prior to the release of patches.
- Namecheap temporarily blocked access to cPanel and WHM to prevent exploitation while deploying fixes.
- A small business victim reported being hit with ransomware and a $7,000 ransom demand following the breach.
Opening excerpt (first ~120 words)
Exploitation was underway before patches landed, at least one victim reports ransomware demand
Carly Page Fri 1 May 2026 // 13:10 UTC
CISA has added a critical cPanel bug to its known-exploited list, confirming that attackers are already poking holes in one of the internet's most widely used hosting stacks. The vulnerability, tracked as CVE-2026-41940, carries a near-worst-case CVSS score of 9.8 and affects all supported versions of cPanel and WebHost Manager (WHM) released after version 11.40, along with WP Squared, a WordPress management layer built on top of the same platform. In plain terms, a successful exploit can hand over full control of the server.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at The Register.