Critical cPanel Authentication Bypass Triggers Widespread Exploitation Campaign
A critical authentication bypass vulnerability in cPanel software is under heavy, active exploitation, leading to widespread server compromises and ransomware attacks just days after its disclosure.
A critical authentication bypass vulnerability in cPanel, WebHost Manager (WHM), and WP Squared products is currently being exploited by multiple threat actors, placing millions of websites at risk. Assigned as CVE-2026-41940, the flaw carries a critical CVSS score of 9.8 and allows unauthorized attackers to gain full administrative control over affected servers Dark Reading.
The vulnerability functions as an authentication bypass that grants attackers administrative access without requiring credentials or triggering two-factor authentication (2FA) Dark Reading. Following the public disclosure of the flaw on April 28 and the subsequent release of a proof-of-concept (PoC) exploit by WatchTowr Labs on April 29, the barrier to entry for exploitation dropped significantly. Security researchers noted that the vendor's patch was "surgical," involving changes to only three files, which provided a clear roadmap for attackers to reverse-engineer the vulnerability once the fix was released Dark Reading.
The impact of this flaw is widespread, with Censys reporting approximately 15,000 potentially compromised instances within the first 24 hours of disclosure Dark Reading. Managed hosting provider KnownHost identified the flaw as a zero-day, noting that exploitation attempts had been occurring for at least 30 days prior to the official patch, with evidence dating back to February 23 Dark Reading. Defused, a cybersecurity firm, reported nearly 1,000 exploit attempts shortly after the disclosure, noting that the activity shows significant geographical and ASN variance Dark Reading.
Attackers are leveraging this access to deploy a variety of malicious payloads. Victims have reported "highly organized, multistage" operations where servers are infected with Mirai botnet variants and a specific ransomware strain that appends files with a ".sorry" extension Dark Reading. Because the exploit bypasses the management plane entirely, traditional security measures like 2FA have proven ineffective at stopping the initial compromise Dark Reading.
cPanel released security updates for all supported versions of its software on April 28 to address the vulnerability Dark Reading. Despite the availability of these patches, the speed at which threat actors weaponized the PoC has left many administrators struggling to secure their environments before exploitation occurs Dark Reading.
This incident highlights the growing challenge of "patch-gap" exploitation, where the release of a security update—and the accompanying technical analysis—serves as a catalyst for rapid, automated attacks. As threat actors increasingly monitor patch diffs to weaponize vulnerabilities, the window for organizations to secure critical infrastructure continues to shrink. The widespread nature of this campaign underscores the systemic risk posed by vulnerabilities in ubiquitous web hosting control panels Dark Reading.