CISA · The Register
First posts come in of victims of critical cPanel vuln as 'millions' of sites potentially exposed
Compiled by KHAO Editorial, aggregated from a single outlet.
CISA has added a critical cPanel bug to its known-exploited list, confirming that attackers are already poking holes in one of the internet's most widely used hosting stacks.
Key facts
- The vulnerability, tracked as CVE-2026-41940, carries a near-worst-case CVSS score of 9.8 and affects all supported versions of cPanel and WebHost Manager (WHM) released after version 11.40, along with WP Squared, a WordPress management layer built on top of the same platform.
- The attackers, they said, demanded $7,000 to unlock systems
- The US government's cybersecurity agency added the flaw to its Known Exploited Vulnerabilities catalog on Thursday, confirming attackers are not waiting
- It's not yet known how many organizations have been impacted by the vulnerability, but security firm Rapid7 used Shodan to identify roughly 1.5 million internet-exposed cPanel instances
Summary
The vulnerability, tracked as CVE-2026-41940, carries a near-worst-case CVSS score of 9.8 and affects all supported versions of cPanel and WebHost Manager (WHM) released after version 11.40, along with WP Squared, a WordPress management layer built on top of the same platform. In plain terms, a successful exploit can hand over full control of the server. The US government's cybersecurity agency added the flaw to its Known Exploited Vulnerabilities catalog on Thursday, confirming attackers are not waiting around. Hosting provider KnownHost has been more explicit about what that looked like in practice, warning customers it had seen successful exploitation attempts before any fix was available.