Critical cPanel Authentication Bypass Under Active Exploitation
cPanel has patched a critical zero-day authentication bypass vulnerability, CVE-2026-41940, which is currently being actively exploited to gain full administrative access to servers.

cPanel has released an urgent security update to address CVE-2026-41940, a critical authentication bypass vulnerability affecting cPanel and WHM. The flaw allows unauthenticated attackers to gain full administrative control over affected servers without requiring valid credentials. Given the severity of the vulnerability and the ease of exploitation, it is currently being actively targeted in the wild as a zero-day Check Point Research.
The vulnerability poses a significant risk to web hosting environments, as it bypasses standard login protections entirely. Once an attacker successfully exploits the flaw, they can execute commands or modify configurations with the same privileges as a root administrator. The widespread nature of cPanel installations makes this a high-value target for threat actors looking to compromise multiple websites or infrastructure components simultaneously Check Point Research.
The scale of the exploitation attempts is substantial. Following the disclosure of the vulnerability, the Shadowserver Foundation reported observing approximately 44,000 unique internet addresses actively scanning for or attacking decoy systems to identify vulnerable targets Check Point Research. This rapid surge in activity underscores the necessity for administrators to prioritize patching immediately.
cPanel issued the necessary patches on April 28 to remediate the vulnerability. Organizations and server administrators are strongly advised to update their cPanel and WHM installations to the latest version to mitigate the risk of unauthorized access. For those unable to patch immediately, Check Point has noted that its Intrusion Prevention System (IPS) provides specific protection against exploitation attempts targeting this vulnerability Check Point Research.
This incident highlights the ongoing trend of critical vulnerabilities in management interfaces being weaponized shortly after discovery. As attackers continue to automate the scanning and exploitation of zero-day flaws in widely used web hosting software, the window for remediation remains narrow. Administrators should monitor their logs for suspicious activity and ensure that all security updates are applied as part of a proactive maintenance cycle Check Point Research.