cPanel hits 1.5M exposed instances

- A critical cPanel auth flaw (CVE-2026-41940) lets unauthenticated attackers manipulate sessions and inject Base64 Authorization headers to gain root-level access. (x.com)
- Shodan scans show roughly 1.5 million internet‑facing cPanel/WHM instances; automated probes target management ports 2083, 2087, 2095 and 2096 and the flaw scores CVSS ~9.8. (x.com)
- cPanel pushed emergency fixes (versions ≥86.0.41 / 110.0.97) and vendors are urging immediate patching while operators restrict management ports to reduce wide exploitation. (x.com)

cPanel is the admin panel sitting behind a huge slice of shared hosting, reseller hosting, and small-business web infrastructure. When it breaks, the blast radius is weirdly large — not because cPanel is glamorous, but because it is the control room for mail, domains, databases, and server settings. That is why CVE-2026-41940 landed so hard this week. cPanel says it is an authentication-bypass bug affecting all versions after 11.40, patches went out on April 28, 2026, and multiple security outlets say attackers were already exploiting it in the wild before the fix arrived.

### What actually broke?

Basically, the bug sits in cPanel and WHM authentication paths. The reported effect is nasty — an unauthenticated attacker can get past login checks and reach privileged functionality without valid credentials. That is why headlines are calling it a passwordless takeover bug rather than just “another web panel flaw.” cPanel’s own advisory labels it an authentication bypass and tells admins to patch immediately, which is about as direct as these notices get.

### Why does cPanel matter so much?

Because cPanel is not one app on one server. It is the front door to lots of hosting accounts and server-management tasks — email, DNS, databases, backups, SSL, user provisioning, the whole stack. If an attacker gets into WHM, the higher-level admin console, the damage can spread far beyond a single website. That turns one software bug into a supply-chain-style hosting problem for providers, resellers, and everyone downstream.

### Where does the “1.5 million” figure come from?

That number is coming from internet-exposure counting, not from confirmed compromises. Security reporting around the bug points to roughly 1.5 million internet-facing cPanel and WHM instances visible on common management ports like 2083, 2087, 2095, and 2096. The important distinction is this — exposed does not mean hacked.
But it does mean a very large target pool existed while the bug was live and while proof-of-concept material was circulating.

### Was this really a zero-day?

Turns out, yes, in the practical sense that matters to defenders. Reporting says exploitation attempts trace back to late February 2026, while cPanel’s public fix shipped on April 28, 2026. SecurityWeek describes it as a zero-day exploited for months, and BleepingComputer says the same bug had been used in the wild before public disclosure. That gap — weeks of live abuse before patching — is what makes this story more serious than a routine emergency update.

### Which versions are fixed?

cPanel’s patched builds start at 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.124.0.35, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, and 11.136.0.5. There is also a special path for older CentOS 6 and CloudLinux 6 systems on 110.0.50, which can move to 110.0.103. cPanel also tells admins to restart the cpsrvd service after updating, because patching without restarting the service can leave the vulnerable process in memory.

### Why are defenders treating this as urgent?

Because the attack path is simple, the exposed population is large, and opportunistic scanning starts fast once details leak. One report says tens of thousands of online dashboards may already have been compromised or at least targeted. Another says a public proof of concept is now available. That combination — easy remote access plus internet-wide visibility plus public exploit material — is exactly how mass exploitation happens.

### What should operators do right now?

Patch first. Then verify the running build. Then hard-restart cpsrvd. After that, check for indicators of compromise and lock down management access so these ports are not broadly exposed to the internet if they do not need to be. The catch is that some servers will not auto-update if admins pinned versions or disabled updates, so those boxes need manual attention now, not later.
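The "verify the running build" and "lock down management access" steps above are the ones operators most often get wrong on pinned or non-auto-updating boxes, so here is a small checker for them. It is an added example written for this briefing, not cPanel's own code or tooling: it compares a version string against the fixed-build list quoted on this page and flags the page's four management ports when they are bound to all interfaces. The version string is supplied by the caller; reading it from `/usr/local/cpanel/version` on a cPanel host is an assumption, and all sample values in the block are constructed.

```python
"""Patch-state and exposure check for CVE-2026-41940.

Added example for this briefing; not cPanel's code. The fixed-build floors
are the advisory figures quoted on the page. Where the version string comes
from (e.g. /usr/local/cpanel/version on a cPanel host) is the caller's
concern and an assumption here; sample values below are constructed.
"""
from __future__ import annotations

# Minimum fixed build per release branch, from the advisory figures on the
# page. Keys are the branch number with the legacy "11." prefix dropped.
FIXED_BUILDS: dict[int, tuple[int, int, int]] = {
    86: (86, 0, 41),
    110: (110, 0, 97),
    118: (118, 0, 63),
    124: (124, 0, 35),
    126: (126, 0, 54),
    130: (130, 0, 19),
    132: (132, 0, 29),
    134: (134, 0, 20),
    136: (136, 0, 5),
}

# Management ports named on the page (cPanel, WHM, Webmail; plain and TLS).
MANAGEMENT_PORTS = {2083, 2087, 2095, 2096}


def parse_version(text: str) -> tuple[int, int, int]:
    """Normalise '11.110.0.97' or '110.0.97' to a (branch, minor, build) tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) == 4 and parts[0] == 11:  # legacy "11." prefix
        parts = parts[1:]
    if len(parts) != 3:
        raise ValueError(f"unrecognised cPanel version string: {text!r}")
    return parts[0], parts[1], parts[2]


def patch_state(version_text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch' for a version string."""
    branch, minor, build = parse_version(version_text)
    floor = FIXED_BUILDS.get(branch)
    if floor is None:
        # Branch absent from the advisory's fixed list: no fixed build is
        # known for it, and the page says every version after 11.40 is affected.
        return "unknown-branch"
    return "patched" if (branch, minor, build) >= floor else "vulnerable"


def exposed_management_listeners(
    listeners: list[tuple[str, int]],
) -> list[tuple[str, int]]:
    """Return (bind_address, port) pairs that expose a management port widely.

    A listener counts as exposed when it is one of MANAGEMENT_PORTS and bound
    to a wildcard address; loopback- or VPN-only binds are treated as restricted.
    """
    wildcard = {"0.0.0.0", "::", "*"}
    return [
        (addr, port)
        for addr, port in listeners
        if port in MANAGEMENT_PORTS and addr in wildcard
    ]


if __name__ == "__main__":
    # Constructed sample values, not real hosts.
    for v in ("11.110.0.50", "110.0.103", "136.0.5", "11.124.0.34", "11.40.1.0"):
        print(f"{v:>12}: {patch_state(v)}")
    sample_listeners = [
        ("0.0.0.0", 2087),   # WHM on all interfaces: exposed
        ("127.0.0.1", 2083), # cPanel on loopback only: restricted
        ("::", 443),         # HTTPS, not a management port
        ("::", 2096),        # Webmail TLS on all interfaces: exposed
    ]
    print("exposed:", exposed_management_listeners(sample_listeners))
```

The version check only tells you what build is installed; it does not tell you whether the cpsrvd restart the advisory calls for has happened, so treat "patched" as a necessary condition and still restart the service and review for indicators of compromise. The listener check is deliberately conservative: anything bound to a wildcard address on one of the four ports is reported, and it is up to the operator to decide whether a firewall or allowlist in front of it already restricts access.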
### Bottom line?

This is not just a cPanel bug. It is a hosting-control-plane bug with a huge exposed footprint, evidence of pre-patch exploitation, and working fixes already out. If a provider has not patched since April 28, 2026, they should assume the window for a quiet, low-drama update has already closed.


Shared from Scout - Be the smartest in the room.