cPanel bug compromises 40,000 servers
- A critical cPanel authentication-bypass vulnerability (CVE-2026-41940) was weaponized within 24 hours and used in mass exploitation campaigns.
- Security reports estimate over 40,000 servers compromised and attacks from roughly 44,000 IPs, including targets at government and MSP networks.
- Exploitation activity includes brute-force and ransomware waves, underscoring urgent patching, inventory and incident-response priorities.

(securityweek.com) (thehackernews.com) (techcrunch.com)
A cPanel bug is the kind of flaw that quietly turns into an internet-wide mess. cPanel and WHM sit on the control layer of web hosting — they manage websites, mail, databases, and server settings. So when a bug lets outsiders skip the login screen, the result is not a broken feature. It is full server control. That is what happened with CVE-2026-41940, and by May 5 the story had already moved from “patch now” to “assume some machines are already burned.” (support.cpanel.net)

What is the bug, exactly?

It is an authentication-bypass flaw in the cPanel and WHM login flow. In plain English, an attacker does not need valid credentials if the target is vulnerable. cPanel says the issue affects all versions after 11.40, and it pushed fixes across supported branches starting April 28, 2026. The patched builds include 11.110.0.97, 11.118.0.63, 11.124.0.35, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, and 11.136.0.5 or newer. WP Squared got a fix too. (support.cpanel.net)

Why is cPanel the dangerous place to have this flaw?

Because cPanel is not just one app on a server. It is the dashboard with keys to the kingdom. If an attacker gets in there, they can change site files, create accounts, move through mail and database settings, and often pivot into the rest of the machine. On shared hosting, one compromised control panel can put a lot of customer sites at risk at once. That is why this bug mattered the minute it went public. (techcrunch.com)

How fast did attackers move?

Basically immediately. Censys said the flaw appeared to be weaponized by multiple third parties within 24 hours of disclosure. CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog on April 30, just two days after cPanel published its advisory, which is the government’s way of saying this is not theoretical anymore. (censys.com)

How big is the fallout?

The cleanest scary number is from Shadowserver. It saw at least 44,000 likely compromised IPs scanning or brute-forcing its honeypots on April 30. SecurityWeek, citing security researchers and telemetry from the same wave, said more than 40,000 servers were likely compromised in the ongoing exploitation. That does not mean every exposed cPanel host got owned — but it does mean the attack traffic was huge and a lot of infected systems were already being reused as part of the next wave. (dashboard.shadowserver.org)

What are attackers doing after they get in?

Not one thing — several things. One path drops Mirai variants, which turns servers into botnet nodes. Another path deploys a ransomware strain called Sorry that encrypts files and appends a “.sorry” extension. Censys also said thousands of cPanel hosts were already exposing encrypted files through open directories, which suggests automation at scale rather than a few hands-on intrusions. (censys.com)

Is this just random internet crime?

Not entirely. There is also targeted activity mixed into the chaos. Ctrl-Alt-Intel tracked one threat actor abusing the cPanel flaw against government and military domains in Southeast Asia, plus MSPs and hosting providers in countries including the Philippines, Laos, Canada, South Africa, and the U.S. The same reporting tied the actor to persistence tools like OpenVPN and Ligolo, which points to longer-term access, not just smash-and-grab ransomware. (thehackernews.com)

What should admins assume now?

Assume patching is necessary but not sufficient. cPanel’s own guidance says update immediately, verify the installed build, and restart the cpsrvd service. But if a server was exposed before patching, the real question is whether someone already used the bypass. That means checking for indicators of compromise, unexpected admin access, new persistence, altered files, and outbound scanning behavior. A patched but previously compromised host is like changing the locks after the burglar moved into the basement. (support.cpanel.net)

Bottom line?

This is now an incident-response story, not just a vulnerability story. The bug was critical on paper, but the thing that changed this week is speed and scale — fast weaponization, tens of thousands of likely compromised systems, and active follow-on abuse ranging from botnets to ransomware. If a cPanel server was internet-exposed and not patched immediately after April 28, 2026, the safest assumption is that it needs to be investigated like a breach. (censys.com)
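The "verify the installed build" step from the admin guidance above, as an added example that is not cPanel's own tooling: it compares an installed cPanel/WHM version string against the fixed builds this article lists and, because the advisory says every version after 11.40 is affected, treats any later branch with no listed fix as vulnerable rather than unknown. It assumes the version string can be read from /usr/local/cpanel/version (an assumed path); the version strings used for checking are constructed.

```python
"""Compare an installed cPanel/WHM build against the fixed builds for
CVE-2026-41940 listed in the advisory (added example, not cPanel tooling)."""
from typing import Dict, Tuple

# Minimum fixed build per branch, exactly as listed in the article.
FIXED_BUILDS: Dict[str, str] = {
    "11.110": "11.110.0.97", "11.118": "11.118.0.63",
    "11.124": "11.124.0.35", "11.126": "11.126.0.54",
    "11.130": "11.130.0.19", "11.132": "11.132.0.29",
    "11.134": "11.134.0.20", "11.136": "11.136.0.5",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.110.0.97' into (11, 110, 0, 97) so builds compare numerically."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised cPanel version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(installed: str) -> Tuple[bool, str]:
    """Return (patched, reason) for one installed version string.

    The advisory says every version after 11.40 is affected, so a branch with
    no fixed build listed is reported as vulnerable rather than unknown."""
    ver = parse_version(installed)
    branch = f"{ver[0]}.{ver[1]}"
    if ver[:2] < (11, 40):  # 11.40.x itself is treated as affected, to be safe
        return True, f"{installed} predates 11.40 and is not listed as affected"
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return False, f"{installed}: no fixed build listed for branch {branch}; treat as vulnerable"
    if ver >= parse_version(fixed):
        return True, f"{installed} is at or above fixed build {fixed}"
    return False, f"{installed} is below fixed build {fixed}; update and restart cpsrvd"


def read_installed(path: str = "/usr/local/cpanel/version") -> str:
    """Read the installed version string (assumed location on a cPanel host)."""
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


if __name__ == "__main__":
    patched, reason = assess(read_installed())
    print(("PATCHED: " if patched else "ACTION NEEDED: ") + reason)
    raise SystemExit(0 if patched else 1)
```

A non-zero exit status makes the check easy to fan out across a fleet with whatever inventory tooling is already in place, but a passing result only says the build is current, not that the host was never exposed.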