VYPR
Published May 1, 2026 · Updated May 18, 2026 · 1 source

CISA Orders Federal Agencies to Patch Critical cPanel Bug by Sunday Amid Active Exploitation

CISA has ordered all federal agencies to patch CVE-2026-41940, a critical cPanel & WHM vulnerability with a CVSS score of 9.8, by May 3 as evidence shows active exploitation since February.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive requiring all federal agencies to patch CVE-2026-41940, a critical vulnerability in cPanel & WHM, by May 3. The bug, which carries a CVSS score of 9.8 out of 10, grants attackers full control over the host system, its configurations, databases, and all websites it manages. CISA confirmed Thursday that the vulnerability is being actively exploited, with evidence showing exploitation campaigns dating back to February.

cPanel and WHM are Linux-based web hosting control panel solutions owned by WebPros International, used to manage servers and websites across millions of domains. The vulnerability allows unauthenticated remote attackers to execute arbitrary code on affected systems. Incident responders at Rapid7 warned that successful exploitation “grants an attacker control over the cPanel host system, its configurations and databases, and websites it manages.” Experts cautioned that hackers could use the bug to completely compromise a server, steal data, manipulate hosted data, or cause large-scale service disruptions.

The bug was first spotlighted earlier this week by cybersecurity researchers at watchTowr, who also released a tool allowing defenders to identify vulnerable hosts in their estates. Multiple cybersecurity firms reported that thousands of cPanel instances remain exposed to the internet and potentially vulnerable. In addition to releasing patches, cPanel provided a tool that allows companies to check if they have been compromised.

U.S. domain name registrar Namecheap released an advisory warning customers that emergency actions taken to address the vulnerability may temporarily restrict access to their cPanel and WHM interfaces. Benjamin Harris, CEO of watchTowr, noted that within hours of the initial cPanel advisory, nearly every major hosting provider globally had firewalled their own customers off their own product. “Hosting.com, Namecheap, KnownHost, HostPapa, InMotion and the rest all pulled the emergency brake because the alternative was watching their entire customer base get owned in real-time,” Harris said.

The CISA directive underscores the severity of the threat, requiring all federal civilian agencies to apply patches by the May 3 deadline. The agency’s Binding Operational Directive (BOD) 22-01 mandates that agencies remediate known exploited vulnerabilities within specified timeframes. This marks the latest in a series of emergency patching orders from CISA as the agency continues to track actively exploited vulnerabilities in widely used software.

The incident highlights the growing challenge of securing widely deployed web hosting infrastructure. With millions of domains relying on cPanel, the potential blast radius of a successful exploit is enormous. Harris warned that the increased use of AI in vulnerability research is accelerating the discovery and exploitation of such bugs. “Once again, we’re running around with half the Internet seemingly ablaze, and given the increased usage of AI in vulnerability research, we anticipate this new normal to become increasingly familiar,” he said.

Synthesized by Vypr AI