VYPR
Published May 1, 2026 · Updated May 18, 2026 · 1 source

Critical cPanel Bug CVE-2026-41940 Under Active Attack as CISA Adds to KEV Catalog

CISA has added a critical cPanel vulnerability (CVE-2026-41940, CVSS 9.8) to its Known Exploited Vulnerabilities catalog as reports emerge of ransomware demands and widespread exploitation.

CISA has added a critical cPanel vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming that attackers are actively exploiting the flaw to compromise web hosting servers. The vulnerability, tracked as CVE-2026-41940, carries a near-worst-case CVSS score of 9.8 and affects all supported versions of cPanel and WebHost Manager (WHM) released after version 11.40, as well as the WP Squared WordPress management platform. A successful exploit can grant attackers full control over the affected server.

According to hosting provider KnownHost, exploitation attempts were observed as early as February 23, 2026, well before cPanel shipped patches on April 28. In a Reddit post, KnownHost CEO Daniel Pearson warned customers that attackers had already achieved successful compromises and urged users to restrict access and assume systems could be compromised if left unpatched. Namecheap, another major hosting provider, temporarily blocked access to cPanel and WHM until fixes were ready and has since begun rolling out updates.

Early reports indicate that attackers are using the vulnerability to deploy ransomware. A small business owner posting on Reddit claimed their company was hit with a $7,000 ransom demand after running a standard cPanel setup, adding that their hosting provider appeared overwhelmed by the incident. While anecdotal, this suggests the bug is being weaponized for extortion rather than just data theft or reconnaissance.

Security firm Rapid7 used Shodan to identify roughly 1.5 million internet-exposed cPanel instances, highlighting the massive attack surface. cPanel underpins hosting for tens of millions of websites, many run by small businesses that rely on providers to handle security. For these organizations, the ability to patch quickly is often limited, leaving them vulnerable to a bug that is already being actively exploited.

CISA's inclusion of CVE-2026-41940 in the KEV catalog mandates that federal agencies apply patches by May 21, 2026, but the broader impact extends far beyond government networks. The vulnerability represents a significant threat to the web hosting ecosystem, and organizations using cPanel or WHM should prioritize patching and review their systems for signs of compromise.

Synthesized by Vypr AI