Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks
A critical cPanel vulnerability is being actively exploited by multiple threat actors to deploy ransomware and breach servers, leading to widespread disruption.
The situation regarding the critical cPanel authentication bypass vulnerability (CVE-2026-41940) has escalated, with multiple threat actors now actively exploiting the flaw in the wild. The attacks have evolved from initial probing to mass exploitation, resulting in widespread website disruption, server breaches, and the deployment of ransomware [Help Net Security].
The attackers are targeting internet-facing cPanel instances to gain unauthorized access, deface websites, and encrypt data. Some of the observed campaigns involve a Go-based Linux ransomware strain that encrypts files and appends specific extensions to the compromised data. The broad reach of these attacks poses a significant threat to MSPs and organizations hosting services on vulnerable cPanel servers.
Administrators are urged to ensure their cPanel instances are fully patched and to monitor for unauthorized access or unusual file activity. With exploitation ongoing and the vulnerability remaining a high-priority target for various cybercriminal groups, organizations should treat patching as a priority and review their server logs for signs of compromise.