What Happened
cPanel and WHM — the software used to manage tens of millions of websites across shared and managed web hosting environments globally — contains a critical authentication bypass flaw (CVE-2026-41940, severity score 9.8 out of 10) that was exploited by attackers before a fix was available. By exploiting this flaw, an attacker can gain full administrative control of a web hosting server without knowing any password. A working attack script is now publicly available, which means the attacker pool has expanded from sophisticated groups to anyone with basic technical knowledge. The patch was released April 29, 2026.
Business Impact
The scope of this vulnerability extends beyond organisations that directly manage cPanel/WHM servers. Any organisation whose website, web application, or business-critical digital service is hosted on a cPanel-based platform — including many managed web hosting and shared hosting providers — is potentially affected if its hosting provider has not yet patched.
An attacker who gains administrative access to a hosting server through this flaw can:
- Access all websites and databases hosted on that server, including customer data, payment information, and proprietary business content
- Intercept or redirect email for all hosted domains — a direct route to business email compromise
- Modify website content to inject fraudulent payment forms (Magecart-style attacks)
- Access deployment credentials and API keys stored in website application configuration files
For organisations using reseller hosting arrangements — where a single server administrator manages many customer websites — a single exploit can expose all tenants simultaneously.
Board-Ready Summary
- The authentication bypass allowed attackers to take over web servers without credentials during a six-day window before the patch was released; exploitation is confirmed
- Any business website or web application on an unpatched cPanel hosting platform is at risk of full compromise, including customer data theft and content manipulation
- Immediate action is required: confirm your hosting provider has patched, or apply the emergency update yourself if you self-manage cPanel/WHM servers
Recommended Actions
- Immediately (today): If your organisation directly manages cPanel/WHM servers, apply the emergency update by running upcp --force or by using the WHM Update Manager. Confirm the installed version is 120.0.24 (LTS), 122.0.16 (Stable), or 124.0.6 (Current) or later.
- Immediately (today): Contact your web hosting provider and confirm they have applied the cPanel patch. Reputable managed hosting providers should be able to confirm patch status within hours. If they cannot confirm, consider the platform at risk until they do.
- Within 24 hours: Review web server access logs and cPanel/WHM login logs from April 24–30, 2026. Look for administrative sessions or account changes that do not correspond to known activity by your team.
- Within 48 hours: Audit all websites, email configurations, and database contents hosted on affected platforms for signs of tampering — modified web pages, new administrative user accounts, changed DNS records, or unexpected email forwarding rules.
- Within one week: Rotate all credentials associated with the hosting platform: cPanel and WHM administrative passwords, FTP and SFTP credentials, database passwords, and any API keys stored in application configuration files on hosted websites.
- Ongoing: Implement IP-based access restrictions for WHM administrative access and require multi-factor authentication for all cPanel and WHM logins where supported.
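The following script is an added triage example for the first and third recommended actions (confirming the installed build is at or above the fixed release, and reviewing WHM administrative activity in the April 24–30 window). It is my own illustration, not code from the advisory, from cPanel, or from any hosting provider. It assumes that the installed build string is readable from /usr/local/cpanel/version (possibly with a legacy "11." prefix such as "11.120.0.24") and that WHM requests are logged in /usr/local/cpanel/logs/access_log in the form "IP - USER [MM/DD/YYYY:HH:MM:SS ZONE] "METHOD PATH PROTO" STATUS BYTES ..."; both the path and the log layout are assumptions to verify against your own install. The sample log lines embedded in the script are constructed, not real data. The fixed version numbers are the ones stated in the advisory.

```shell
#!/bin/sh
# Added triage example (my own illustration, not advisory or cPanel code).
# 1) patch_status: is an installed cPanel/WHM build at or above the fixed
#    release for its branch (120.0.24, 122.0.16, 124.0.6 per the advisory)?
# 2) suspicious_admin_requests: list WHM admin requests inside a date window
#    whose source IP is not on an operator-maintained allowlist.
# Assumptions (mine, not stated in the advisory): version file path, optional
# legacy "11." prefix, WHM access_log path and its field layout.

# Minimum patched release per branch, taken from the advisory.
fixed_for_branch() {
    case "$1" in
        120) echo "120.0.24" ;;
        122) echo "122.0.16" ;;
        124) echo "124.0.6" ;;
        *)   return 1 ;;   # branch for which the advisory lists no fixed build
    esac
}

# Strip whitespace and the optional legacy "11." prefix (assumed format).
normalize_version() {
    printf '%s' "$1" | tr -d '[:space:]' | sed 's/^11\.//'
}

# version_ge A B: succeeds when A >= B, comparing each dotted field numerically.
version_ge() {
    have=$1; want=$2
    set -- $(printf '%s' "$have" | tr '.' ' ')
    h1=${1:-0}; h2=${2:-0}; h3=${3:-0}
    set -- $(printf '%s' "$want" | tr '.' ' ')
    w1=${1:-0}; w2=${2:-0}; w3=${3:-0}
    for pair in "$h1:$w1" "$h2:$w2" "$h3:$w3"; do
        h=${pair%%:*}; w=${pair##*:}
        [ "$h" -gt "$w" ] && return 0
        [ "$h" -lt "$w" ] && return 1
    done
    return 0
}

# patch_status VERSION: prints PATCHED, VULNERABLE or NOT_IN_ADVISORY.
patch_status() {
    v=$(normalize_version "$1")
    branch=${v%%.*}
    if ! fixed=$(fixed_for_branch "$branch"); then
        echo "NOT_IN_ADVISORY"
        return 0
    fi
    if version_ge "$v" "$fixed"; then echo "PATCHED"; else echo "VULNERABLE"; fi
}

# suspicious_admin_requests ADMINS ALLOWED_IPS START END   (log on stdin)
# ADMINS and ALLOWED_IPS are comma-separated; START/END are MM/DD/YYYY.
# Prints "ip user date method path" for each admin request in the window whose
# source IP is not allowlisted. These are leads for review, not proof of intrusion.
suspicious_admin_requests() {
    awk -v admins="$1" -v allowed="$2" -v start="$3" -v end="$4" '
    function key(d,  p) { split(d, p, "/"); return p[3] p[1] p[2] }   # -> YYYYMMDD
    BEGIN {
        n = split(admins, a, ",");  for (i = 1; i <= n; i++) isadmin[a[i]] = 1
        n = split(allowed, b, ","); for (i = 1; i <= n; i++) ok[b[i]] = 1
        s = key(start); e = key(end)
    }
    {
        ip = $1; user = $3
        ts = $4; sub(/^\[/, "", ts); split(ts, t, ":"); day = key(t[1])
        method = $6; sub(/^"/, "", method)
        if (!(user in isadmin) || day < s || day > e || (ip in ok)) next
        print ip, user, t[1], method, $7
    }'
}

# Constructed sample log (not real data) spanning the April 24-30, 2026 window.
SAMPLE_LOG='198.51.100.10 - root [04/23/2026:09:01:12 -0000] "GET /json-api/listaccts HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - root [04/25/2026:02:14:09 -0000] "POST /json-api/createacct HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.10 - root [04/26/2026:11:30:45 -0000] "GET /scripts/command HTTP/1.1" 200 3204 "-" "Mozilla/5.0"
192.0.2.44 - alice [04/27/2026:08:00:00 -0000] "GET /frontend/jupiter/index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - root [04/28/2026:02:15:51 -0000] "POST /json-api/passwd HTTP/1.1" 200 91 "-" "python-requests/2.31"
192.0.2.9 - root [05/02/2026:10:00:00 -0000] "GET /json-api/version HTTP/1.1" 200 64 "-" "Mozilla/5.0"'

echo "--- sample log: admin requests in window from non-allowlisted IPs ---"
printf '%s\n' "$SAMPLE_LOG" | suspicious_admin_requests root 198.51.100.10 04/24/2026 04/30/2026

# On a real server: report the installed build and scan the actual WHM log
# (paths are assumptions; override via CPANEL_VERSION_FILE / WHM_LOG if needed).
CPANEL_VERSION_FILE="${CPANEL_VERSION_FILE:-/usr/local/cpanel/version}"
if [ -r "$CPANEL_VERSION_FILE" ]; then
    v=$(cat "$CPANEL_VERSION_FILE")
    echo "installed build $v: $(patch_status "$v")"
fi
WHM_LOG="${WHM_LOG:-/usr/local/cpanel/logs/access_log}"
if [ -r "$WHM_LOG" ]; then
    suspicious_admin_requests "${ADMIN_USERS:-root}" "${KNOWN_ADMIN_IPS:-}" \
        04/24/2026 04/30/2026 < "$WHM_LOG"
fi
```

Run it as-is to see the sample output, or on a server with KNOWN_ADMIN_IPS set to the comma-separated addresses your team actually administers from; any root request in the window from another address is a lead to cross-check against change tickets and the account-change audit in the 48-hour step. A build reported as NOT_IN_ADVISORY is on a branch the advisory does not list a fixed release for, so treat it as unverified rather than safe.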