Roughly 1.5 million internet-exposed cPanel instances. A CVSS score of 9.8 out of 10. Exploitation dating back to February. A patch that didn’t arrive until late April.

That gap — two months between first known attacks and a fix — is the window that matters for anyone running a website through cPanel or WebHost Manager (WHM). Which is to say: a significant chunk of the internet.

CVE-2026-41940 is an authentication bypass affecting every supported version of cPanel and WHM released after version 11.40, along with WP Squared, a WordPress management layer built on the same platform. Successful exploitation hands an attacker full administrative control of the server — root access, databases, email, the works.

The US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities catalog on May 1, 2026. Attacks are not theoretical. They are underway.

A Two-Month Head Start

Hosting provider KnownHost was among the first to go public. CEO Daniel Pearson wrote on Reddit that the company had “seen execution attempts as early as 2/23/2026” — two full months before cPanel shipped its patch on April 28.

KnownHost reported roughly 30 servers showing signs of unauthorized access attempts across its network. Pearson characterized these as attempts rather than confirmed compromises. But the timeline is stark: if attackers were probing in February and the fix didn’t land until late April, every unpatched cPanel instance in between was potentially exposed.

Canada’s national cybersecurity agency issued its own advisory, warning that the bug could compromise websites on shared hosting servers and that “exploitation is highly probable.”

How the Attack Works

The vulnerability is a Carriage Return Line Feed (CRLF) injection in cPanel’s login and session handling. According to a technical analysis by security firm watchTowr, the cPanel service daemon (cpsrvd) writes a session file to disk before authentication occurs. An attacker can manipulate a cookie value to bypass encryption, inject raw control characters via a malicious authorization header, and insert arbitrary properties — such as user=root — into their session file.

Nothing sanitizes the injected data. When cpsrvd reloads the session from the modified file, the attacker holds administrator-level access.

watchTowr has published a proof-of-concept exploit. The barrier to entry for copycat attackers is now essentially zero.

Ransomware Already Deployed

The consequences have moved beyond probing. A small business owner posted on Reddit that their company was hit with ransomware through a standard cPanel setup, with attackers demanding $7,000 to unlock systems. The victim said their hosting provider appeared to be struggling with the scope of the incident.

The claim, reported by The Register, is anecdotal and has not been independently confirmed. But if accurate, it signals that criminals are using this access to encrypt and extort — not just lurk.

What Website Operators Should Do Now

cPanel has released patches across eight supported versions, from 11.86 through 11.136. The fix requires running /scripts/upcp --force followed by a hard restart of the cPanel service. The company also released a detection script that checks session files for indicators of compromise, though it was briefly pulled on May 1 to address false positives before being republished in updated form.
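As an added example of the kind of check a session-file scan performs (written for this article, not cPanel's detection script), here is a scanner that assumes a key=value-per-line layout and flags control characters inside values, a property written more than once, and a session that names a privileged user. The layout, the sample contents and the heuristics are assumptions, not cPanel's published indicators.

```python
import os
import re
from collections import Counter

# Constructed sample contents in the key=value-per-line layout this example
# assumes (an assumption, not cPanel's documented session format): a second
# "user=root" line follows the real user line, and one value carries a raw CR.
SUSPICIOUS_SESSION = (
    b"user=alice\n"
    b"pass=xxxx\nremote_addr=203.0.113.10\n"
    b"user=root\n"
    b"token=abc\rdef\n"
)
CLEAN_SESSION = b"user=alice\npass=xxxx\nremote_addr=198.51.100.7\n"
# Any C0 control byte or DEL has no business inside a session property value.
CONTROL_CHARS = re.compile(rb"[\x00-\x1f\x7f]")
PRIVILEGED_USERS = {b"root"}


def scan_session(raw: bytes) -> list[str]:
    """Return findings for one session file's contents; empty list means clean."""
    findings, seen = [], Counter()
    for num, line in enumerate(raw.split(b"\n"), start=1):
        if not line:
            continue
        key, sep, value = line.partition(b"=")
        if not sep:
            findings.append(f"line {num}: malformed entry {line!r}")
            continue
        seen[key] += 1
        if CONTROL_CHARS.search(value):
            findings.append(f"line {num}: control character in value of {key!r}")
        if key == b"user" and value in PRIVILEGED_USERS:
            findings.append(f"line {num}: session grants privileged user {value!r}")
    # A property written twice suggests a line was injected after the original.
    for key, count in seen.items():
        if count > 1:
            findings.append(f"property {key!r} appears {count} times")
    return findings


def scan_directory(path: str) -> dict[str, list[str]]:
    """Scan every regular file directly under path; return only files with findings."""
    hits = {}
    for entry in os.scandir(path):
        if entry.is_file(follow_symlinks=False):
            with open(entry.path, "rb") as fh:
                findings = scan_session(fh.read())
            if findings:
                hits[entry.name] = findings
    return hits
```

Point scan_directory at the session directory on a suspect host and review any file it reports rather than treating a hit as proof of compromise.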

For administrators who cannot patch immediately, cPanel recommends blocking inbound traffic on ports 2083, 2087, 2095, and 2096 at the firewall — or stopping the cPanel and Web Disk services entirely.

Major hosting providers have responded in force. Namecheap temporarily blocked all customer access to cPanel while applying patches. HostGator described the bug as a “critical authentication-bypass exploit” and patched its systems.

But for the millions of smaller operators — the freelance web designer, the local business on a shared hosting plan, the blogger who hasn’t logged into their server in months — security depends almost entirely on whether their provider has already handled it.

If you run cPanel and don’t know your patch status, now is the time to find out.