Timeline reveals active exploitation of cPanel CVE-2026-41940, Lyrie.ai reports

- Lyrie.ai said on June 2 that attackers were exploiting cPanel flaw CVE-2026-41940 by Feb. 23, weeks before cPanel disclosed patches.
- The flaw carries a 9.8 CVSS score, affects cPanel versions after 11.40, and was added to CISA's exploited-vulnerabilities catalog on April 30.
- cPanel's patch guidance and detection script remain on its support page, with ACSC urging organizations to check internet-exposed panels.

Lyrie.ai said Tuesday that exploitation of cPanel vulnerability CVE-2026-41940 began as early as Feb. 23, 2026, according to a timeline the company posted on X. The post said the bug was later tied to campaigns against Southeast Asian defense infrastructure and that public disclosure followed on April 29. cPanel has separately confirmed the flaw affected all versions after 11.40 and said it released fixes on April 28 across supported branches.

CVE-2026-41940 is an authentication-bypass flaw in cPanel & WHM's login flow that lets unauthenticated remote attackers gain access to the control panel, according to the National Vulnerability Database. NVD lists a CVSS 3.1 score of 9.8, while cPanel said the issue sat in the product's session-management layer and involved a Basic authentication path that lacked the sanitization used elsewhere. (cpanel.net)

### How early does the new timeline say attackers were using the bug?

Lyrie.ai's June 2 thread said observed exploitation dated to Feb. 23, more than two months before the vendor published its support advisory. The company's post also put public disclosure on April 29 and estimated exposure at roughly 1.5 million servers and 70 million domains worldwide. (nvd.nist.gov)

April 28 is the date cPanel gives for its initial security update. In a May 10 follow-up, cPanel said it confirmed the report on April 27 at 10:47 CDT, published its support article on April 28 at 12:08 CDT, merged code fixes at 12:30 CDT, and published updated builds at 16:19 CDT.

### What exactly was broken inside cPanel?

cPanel said the flaw was in the session-management layer, where two code paths wrote session files to disk. (cyberunit.com) One path sanitized input, cPanel said, but a second path used during Basic authentication did not, creating a condition in which a crafted request could make an unauthenticated session appear authenticated. (cpanel.net)

NVD describes the same issue more broadly as an authentication bypass in the login flow affecting cPanel and WHM versions after 11.40. cPanel said WP Squared up to version 11.136.1.6 was also affected and that no other WebPros products were involved.

### When did governments and defenders formally flag active exploitation?

CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog on April 30, citing evidence of active exploitation. cPanel's May 10 post said the KEV listing came on May 1, reflecting a date difference between the U.S. agency notice and the vendor's recap. (cpanel.net) (nvd.nist.gov)

Australia's Cyber Security Centre said on May 1 it was aware of active exploitation in Australia. The ACSC alert said the vulnerability could let unauthenticated attackers access the control panel and conduct remote code execution, and noted that managed service providers had been affected, compromising customer environments. (cisa.gov)

### Which versions were patched, and what are operators supposed to do now?

cPanel's support advisory lists patched builds including 11.86.0.41, 11.94.0.28, 11.102.0.39, 11.110.0.97, 11.118.0.63, 11.124.0.35, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20 and 11.136.0.5, plus WP Squared 136.1.7. The company told customers to update immediately, verify the installed version and restart the cpsrvd service. (cyber.gov.au)

May 10 is also when cPanel said more than 98% of servers worldwide were already running an updated version. For systems that could not be updated immediately, the company said customers could block cpsrvd ports, apply ModSecurity rules and use its detection script to scan session files for indicators of compromise.

### What is the next concrete place to watch?

cPanel's support article remains the main source for patched-version lists, mitigation steps and the vendor detection script, which the company said it revised several times between April 29 and May 11 to reduce false positives. (support.cpanel.net) Australia's ACSC said organizations using third-party managed cPanel environments should contact those providers to confirm patching and monitoring. (support.cpanel.net) (cpanel.net)
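The "verify the installed version" step above is easy to get wrong by hand, because each cPanel release branch has its own patched build and a version on an older branch is not fixed just because its build number is high. The following Python script is an added example, not cPanel's own tooling or its detection script: it takes the patched builds listed in the advisory as quoted in this article, matches an installed version string to its branch, and reports whether that branch is patched, still vulnerable, below the affected range, or not on the list at all (an end-of-life or newer branch the advisory does not name). The file path `/usr/local/cpanel/version` used to read the installed version is an assumption about where cPanel records it; the "after 11.40" boundary is read as branches strictly greater than 11.40, as the article phrases it.

```python
"""Check a cPanel & WHM version string against the patched builds cPanel listed
for CVE-2026-41940 (added example; version list as quoted in the article)."""
import re
from pathlib import Path

# Patched builds per branch, as listed in cPanel's support advisory (quoted above).
PATCHED_BUILDS = [
    "11.86.0.41", "11.94.0.28", "11.102.0.39", "11.110.0.97", "11.118.0.63",
    "11.124.0.35", "11.126.0.54", "11.130.0.19", "11.132.0.29", "11.134.0.20",
    "11.136.0.5",
]

# A cPanel version is up to four dotted integers, e.g. 11.110.0.97.
VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+){1,3})\s*$")


def parse_version(text):
    """Return a 4-tuple of ints, padding short strings with zeros (11.136 -> 11.136.0.0)."""
    match = VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognized cPanel version string: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


# Map branch (major, minor) -> first patched build on that branch.
PATCHED_BY_BRANCH = {}
for _build in PATCHED_BUILDS:
    _parsed = parse_version(_build)
    PATCHED_BY_BRANCH[_parsed[:2]] = _parsed

# The article says versions "after 11.40" are affected; branches <= 11.40 are treated as outside the range.
LAST_UNAFFECTED_BRANCH = (11, 40)


def assess(version_text):
    """Classify an installed version: not_affected, patched, vulnerable or unknown_branch."""
    installed = parse_version(version_text)
    branch = installed[:2]
    if branch <= LAST_UNAFFECTED_BRANCH:
        return "not_affected"
    fixed = PATCHED_BY_BRANCH.get(branch)
    if fixed is None:
        # Branch not named in the advisory (EOL or newer than the list): do not guess.
        return "unknown_branch"
    return "patched" if installed >= fixed else "vulnerable"


def assess_installed(version_file="/usr/local/cpanel/version"):
    """Read the installed version from disk (path assumed) and classify it."""
    text = Path(version_file).read_text(encoding="utf-8")
    return text.strip(), assess(text)


if __name__ == "__main__":
    try:
        installed, status = assess_installed()
    except (OSError, ValueError) as exc:
        raise SystemExit(f"could not determine installed cPanel version: {exc}")
    print(f"cPanel {installed}: {status}")
    if status == "vulnerable":
        print("update to the patched build for this branch, then restart cpsrvd")
    elif status == "unknown_branch":
        print("branch not in the advisory list; confirm status against cPanel's support article")
```

Run it on the server itself, or call `assess()` with version strings gathered from an inventory. A status of `unknown_branch` is deliberately not treated as safe, since the advisory list is the only ground truth this check uses.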
