Active CVE-2026-41940 attacks now observed on ~40,000 cPanel/WHM servers
- Multiple outlets report the cPanel/WHM authentication-bypass (CVE-2026-41940) is being actively exploited in a multi-actor campaign that compromises admin planes.
- Shadowserver and SecurityWeek estimate more than 40,000 servers have been compromised, with government and MSP networks specifically targeted.
- The scale underlines that exposed management interfaces create an outsized blast radius and demand emergency containment and hardening. (securityweek.com) (helpnetsecurity.com)
A cPanel server is the control room for a lot of shared hosting. One panel can manage websites, databases, email, DNS, backups, and admin accounts for many customers at once. That is why CVE-2026-41940 matters so much — it is not just “a bug in a web app.” It is a pre-authentication path to administrative control over the whole hosting plane, and the attacks now look big enough to count in the tens of thousands.

What changed in the last few days is the scale and the shape of the abuse. Early reporting was about a critical zero-day that had likely been exploited quietly for months before cPanel patched it on April 28, 2026. By May 4, the picture had widened — Shadowserver was seeing roughly 44,000 unique IPs tied to cPanel-related scanning, exploit traffic, or brute-force activity against its sensors, and multiple campaigns were showing up at once.

So what is the bug, in plain English? The flaw sits in the cPanel and WHM login flow. Researchers found that the software could write a session file to disk before authentication fully finished, and an attacker could abuse special characters in headers or cookies to inject values into that file. Then the attacker could trigger a reload and get logged in with injected administrative credentials. Basically, the software was tricked into preparing its own fake badge and then accepting it.

Why is that worse than a normal website compromise? Because cPanel is upstream of everything else on the box. If an attacker gets admin access there, the attacker can change server settings, create accounts, tamper with databases, read or alter hosted sites, and pivot into email and other customer services. On shared hosting, one exposed management interface can turn into a many-tenant incident fast.

The campaign details make that risk feel very real. One cluster of attacks is dropping a Go-based Linux ransomware strain that appends “.sorry” to encrypted files and leaves Tox contact instructions. Censys reportedly found 8,859 hosts exposing open directories with “.sorry” filenames, with 7,135 of those identified as running cPanel or WHM. Other victims saw defacements, backup wiping, and compromised servers turned into launchpads for more attacks.

There is also a separate botnet angle. HostMyCode described a parallel campaign using Mirai variants on vulnerable cPanel systems. In those cases, attackers were not just smashing files — they were adding admin users, weakening logging, changing firewall rules, dropping miners and DDoS clients, and harvesting more credentials. That tells you this is not one actor with one goal. It is a scramble.

The patch story is straightforward, but the catch is operational. cPanel says all versions after 11.40 were affected, and patched builds were released for supported branches including 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.124.0.35, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, and 11.136.0.5, plus WP Squared 136.1.7. But patching alone is not enough if the server was already hit before the update. cPanel has kept revising its detection guidance because early detection scripts produced false positives.

The bottom line is simple. This is what happens when an internet-facing admin plane breaks open. One flaw in one login path can spill across thousands of servers and the customer workloads behind them. If you run cPanel, the urgent job is not just “update now.” It is update, restart the service, check for compromise, and assume exposed management ports are a permanent liability, not a convenience.
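To make the login-flow flaw described above concrete, here is an added toy illustration of that bug class (a session file written to disk before authentication completes, with unescaped request-derived values), placed beside the hardened pattern. It is written in Python for this article and is not cPanel's code; the key=value session format, the `lang` header and the allow-list are assumptions, not cPanel's implementation.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional

# Assumed allow-list for any value that may be serialised into a session file.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.:-]{1,64}")

def load_session(path: Path) -> dict:
    # Parse key=value lines; a later duplicate key overrides an earlier one,
    # which is exactly what makes appended lines dangerous.
    session = {}
    for line in path.read_text().splitlines():
        key, _, value = line.partition("=")
        session[key] = value
    return session

def vulnerable_login_start(path: Path, lang_header: str) -> dict:
    # Flawed pattern: persist a request-derived value before authentication,
    # with no escaping, then reload the file (the "reload" step in the article).
    path.write_text(f"user=anonymous\nauth=0\nlang={lang_header}\n")
    return load_session(path)

def hardened_login_finish(path: Path, lang_header: str, user: Optional[str]) -> dict:
    # Hardened pattern: nothing is persisted until authentication has succeeded,
    # and every value must match the allow-list before it is written.
    if user is None:
        raise PermissionError("authentication incomplete; no session persisted")
    for value in (lang_header, user):
        if not SAFE_VALUE.fullmatch(value):
            raise ValueError(f"rejected session value: {value!r}")
    path.write_text(f"user={user}\nauth=1\nlang={lang_header}\n")
    return load_session(path)

def demo() -> dict:
    crafted = "en\nuser=admin\nauth=1"  # constructed sample value, not a real payload
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "session"
        result = {"vulnerable": vulnerable_login_start(path, crafted)}
        try:
            hardened_login_finish(path, crafted, None)
        except PermissionError as exc:
            result["pre_auth"] = str(exc)
        try:
            hardened_login_finish(path, crafted, "alice")
        except ValueError as exc:
            result["crafted"] = str(exc)
        result["clean"] = hardened_login_finish(path, "en", "alice")
    return result
```

In the vulnerable store the reloaded session carries the injected `user` and `auth` fields, while the hardened store refuses both the pre-authentication write and the value containing line breaks.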