
Exploit Cyber-Frenzy Threatens Millions via Critical cPanel Vulnerability

Dark Reading, archived May 05, 2026

Shortly after the authentication-bypass flaw was disclosed multiple proof-of-concept exploits appeared, and one researcher claims there's been zero-day activity for at least a month.



Rob Wright, Senior News Director, Dark Reading
May 4, 2026 · 5 Min Read

A critical authentication bypass flaw in cPanel software products has come under heavy exploitation from a variety of threat actors shortly after public disclosure, putting millions of websites at risk via tens of thousands of compromised instances.

On April 28, the software vendor, which specializes in Web hosting control-panel software, issued a security update to address a vulnerability affecting all supported versions of cPanel, WebHost Manager (WHM), and WP Squared products. On April 29, the flaw was identified as CVE-2026-41940 and assigned a critical CVSS score of 9.8.

On the same day, WatchTowr Labs published a proof-of-concept (PoC) exploit and a technical analysis of the vulnerability, which researchers described as a "disaster" flaw that allows attackers to gain administrative access and take over servers and hosted websites.

The plot thickened considerably when KnownHost, which offers managed cPanel hosting, flagged CVE-2026-41940 as a zero-day vulnerability, with approximately 30 servers showing signs of attempted exploitation. In follow-up posts on Reddit, KnownHost CEO Daniel Pearson confirmed the vulnerability had been exploited "at least for the last 30 days," with signs of attempts as far back as Feb. 23.

Meanwhile, Internet scanning from Censys showed the cPanel flaw came under attack from multiple threat actors within 24 hours of disclosure, illustrating once again that security teams these days have little time to patch critical flaws before exploitation begins.

Fast Exploitation for CVE-2026-41940

Censys said its scans revealed approximately 15,000 potentially compromised instances within the first 24 hours following disclosure. Some of the attacks deployed Mirai botnet variants, while most vulnerable instances were hit with ransomware that encrypts files and appends a ".sorry" extension to them.

One victim, Yousef Alsahijan, confirmed his server was hit with both botnet malware and the "sorry" ransomware in what he described as a "highly organized, multistage operation" rather than a random, opportunistic attack. "The entire attack chain from initial access to full encryption happened within minutes," Alsahijan wrote on LinkedIn. "No credentials were needed. 2FA [two-factor authentication] did not help."

The exploitation activity has increased in recent days, according to Simo Kohonen, founder and CEO of cybersecurity vendor Defused. "We've seen almost 1,000 exploit attempts since the vulnerability dropped with wide geographical and ASN variance," Kohonen tells Dark Reading. "Given that our honeypots represent a small surface area of the 800k+ cPanel instances indexing sites like Shodan lists, it's safe to say exploitation is extremely heavy at the moment."

Experts say several factors contributed to the rapid exploitation of CVE-2026-41940. Sıla Özeren Hacıoğlu, associate security research engineer at Picus Security, says, for starters, the vulnerability was known to at least some attackers prior to disclosure.

"KnownHost confirmed in-the-wild exploitation was ongoing against the cPanel/WHM management plane, so attackers weren't starting from scratch on disclosure day," she says. "They were already tooled up."

Furthermore, Hacıoğlu notes that the differences between vulnerable versions and cPanel's patches were "quite small and pointed," amounting to just three files with some key changes that become obvious during patch diffing. "That kind of surgical patch is essentially a road map [for attackers]," she says. "Once the WatchTowr write-up landed with the full chain explained, weaponization for anyone who hadn't already figured it out was a short hop."

Kohonen says a large portion of the exploitation activity observed by Defused has copied WatchTowr's PoC exploit exactly, thus "the initial wave of activity was quite likely driven by it." But he notes other PoC exploits dropped around the same time and have shown up in Defused honeypots, including one called "cPanel Sniper."

Other issues contributed to the wave of attacks against the authentication bypass flaw. Hacıoğlu says cPanel's initial advisory was "notably terse," and merely described the flaw as "an issue with session loading and saving." Such descriptions don't slow down attackers, she says, because they can patch diff, but they can slow down defenders that are trying to assess risk and prioritize patching.

"Add to that the fact that the vulnerability hits all currently supported versions, runs on a management interface typically exposed on port 2087, and lands on infrastructure powering around 70 million domains, and you have an unusually large, uniform, reachable attack surface," she says.

Time is Not on Defenders' Side

CVE-2026-41940 is the latest example of a critical vulnerability that came under heavy exploitation in a matter of hours, rather than days or weeks.

Hacıoğlu says this is part of a larger, consistent trend where security teams have about a 24- to 48-hour window to patch critical bugs in widely deployed edge or management software before attacks begin. "Patch diffing has been industrialized, with mature toolchains for binary and source diffing, and several research groups now publish detailed technical breakdowns within days," she says. "Mass scanning infrastructure is also cheap and ambient now, so once a working PoC exists, untargeted exploitation across the entire IPv4 space is a matter of hours."

Additionally, Hacıoğlu says edge devices and management panels have been attractive targets for threat actors in the past because they're internet-facing products with typically large install bases, and "patching cycles in shared hosting and enterprise environments are often slow."

But organizations can't afford to be slow with CVE-2026-41940, given the widespread attacks and types of threats converging on the flaw. In a blog post on Friday, Hacıoğlu warned that the vulnerability was wormable, and that "mass scripted exploitation against the ~1.5M exposed instances is feasible."

Picus Security urged customers to upgrade to fixed versions immediately and to rotate credentials, including root-level account and WHM reseller passwords, API tokens, and SSH keys stored in WHM-managed accounts. Additionally, security teams should purge cPanel sessions and hunt for signs of persistence, such as custom WHM hooks.

Lastly, if organizations cannot immediately patch their cPanel software, Picus Security recommends blocking inbound traffic to TCP/2083, TCP/2087, TCP/2095, and TCP/2096, which Hacıoğlu noted is what several major hosting providers have done as a temporary mitigation.
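As an added example (not from the article, cPanel, or Picus Security), the following Python helper carries out the defensive steps described above on a cPanel host: it hunts for the ".sorry" ransomware marker, lists custom hook files modified since the earliest attempt date the article cites, and emits the temporary port block for review. The hooks directory path and the allowlisted CIDR are assumptions, and the sample file tree is constructed inline so the script runs offline.

```python
# Added triage helper (not from the article, cPanel, or Picus Security) for the
# defensive steps above: find ".sorry" ransomware artifacts, list custom hook files
# touched since the earliest attempt date cited, and emit the temporary port block.
import tempfile
import time
from pathlib import Path

CPANEL_PORTS = (2083, 2087, 2095, 2096)  # cPanel/WHM/webmail TLS ports named in the article
HOOKS_DIR = "/var/cpanel/hooks"           # assumed custom-hooks location; adjust for your host
EARLIEST_ATTEMPT = "2026-02-23"           # earliest exploitation attempt date cited by KnownHost


def find_sorry_files(root):
    """Return every file under root whose name ends in .sorry (the ransomware marker)."""
    return sorted(str(p) for p in Path(root).rglob("*.sorry") if p.is_file())


def recent_hooks(hooks_dir=HOOKS_DIR, since=EARLIEST_ATTEMPT):
    """Return hook files modified on or after `since` (YYYY-MM-DD) to review for persistence."""
    cutoff = time.mktime(time.strptime(since, "%Y-%m-%d"))
    base = Path(hooks_dir)
    if not base.is_dir():
        return []
    return sorted(str(p) for p in base.rglob("*") if p.is_file() and p.stat().st_mtime >= cutoff)


def mitigation_rules(allow_cidrs=()):
    """Build iptables commands: allow listed CIDRs, drop all other inbound cPanel ports.
    Returned as strings for an administrator to review; nothing is applied to the host."""
    rules = []
    for port in CPANEL_PORTS:
        for cidr in allow_cidrs:
            rules.append(f"iptables -I INPUT -p tcp --dport {port} -s {cidr} -j ACCEPT")
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


def build_sample_tree():
    """Constructed sample data: one encrypted-looking file and one clean file."""
    root = tempfile.mkdtemp(prefix="cpanel_triage_")
    Path(root, "public_html").mkdir()
    Path(root, "public_html", "index.php.sorry").write_text("encrypted")
    Path(root, "public_html", "robots.txt").write_text("User-agent: *")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    print("ransomware artifacts:", find_sorry_files(sample))
    print("hooks to review:", recent_hooks())
    print("\n".join(mitigation_rules(["203.0.113.0/24"])))  # placeholder admin CIDR
```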