A major security alert has been issued for cPanel & WHM after researchers uncovered critical vulnerabilities that could allow attackers to gain unauthorized administrative access to hosting servers. Security experts warn that the flaws are already being actively exploited in the wild, placing millions of websites at risk.

The most severe issue, tracked as CVE-2026-41940, affects multiple authentication paths in cPanel and WHM environments and carries a near-maximum CVSS severity score of 9.8. Hosting providers, enterprises, developers, and website administrators are strongly advised to apply emergency patches immediately to avoid potential compromise.

## Critical Vulnerability Exposes Hosting Infrastructure

According to security advisories released by cPanel and cybersecurity agencies, the vulnerability allows unauthenticated remote attackers to bypass login protections and gain privileged access to servers running vulnerable versions of cPanel and WHM.

Because cPanel powers a significant portion of the global web hosting industry, the impact could be enormous. Security researchers estimate that more than 1.5 million internet-facing cPanel instances may be exposed.

The flaw affects:

• ▸cPanel & WHM
• ▸DNSOnly installations
• ▸WordPress Squared (WP2)

Researchers say attackers can exploit weaknesses in session handling and authentication mechanisms to create forged administrative sessions without valid credentials. Once successful, threat actors could:

• ▸Take over hosting servers
• ▸Access website databases
• ▸Modify or delete website files
• ▸Deploy ransomware or malware
• ▸Steal credentials and customer data
• ▸Create persistent backdoors

Cybersecurity analysts describe the vulnerability as one of the most serious hosting infrastructure flaws disclosed this year.

## Active Exploitation Confirmed

Multiple cybersecurity organizations have confirmed active exploitation attempts targeting vulnerable systems. Government agencies in Singapore, Australia, Canada, and Belgium have all released warnings urging organizations to update immediately.

Security researchers believe exploitation may have started months before public disclosure. Reports indicate some attackers had already weaponized the vulnerability before patches became available.

Researchers from watchTowr Labs explained that the vulnerability can be exploited by manipulating session data using CRLF injection techniques to bypass authentication controls and escalate privileges.

Some hosting providers reportedly restricted access to cPanel and WHM ports temporarily until patches could be deployed to customer systems.

## Patched Versions Released

cPanel has already issued emergency security updates addressing the vulnerabilities. Administrators should immediately upgrade to the latest patched releases.

The fixed versions include:

• ▸11.110.0.97
• ▸11.118.0.63
• ▸11.126.0.54
• ▸11.130.0.18
• ▸11.132.0.29
• ▸11.134.0.20
• ▸11.136.0.5

WP Squared users should upgrade to version 136.1.7.

Security experts also warn that unsupported or end-of-life versions remain permanently vulnerable because they no longer receive security updates.

## Why This Vulnerability Is So Dangerous

The vulnerability is particularly dangerous because it requires:

• ▸No authentication
• ▸No user interaction
• ▸No prior access to the system

This means attackers can potentially compromise exposed systems remotely over the internet with minimal effort.

Because WHM controls multiple hosting accounts on a server, a successful compromise could affect hundreds or even thousands of websites simultaneously.

Cybersecurity experts warn that compromised servers could be used for:

• ▸Phishing campaigns
• ▸Malware hosting
• ▸Data theft
• ▸Supply chain attacks
• ▸Cryptocurrency mining
• ▸Botnet operations

Hosting providers and managed service providers (MSPs) are considered especially high-risk targets due to the scale of access attackers can gain.

## Security Agencies Issue Patch-Now Warnings

Several national cybersecurity agencies have issued urgent advisories regarding the vulnerability.

The Australian Cyber Security Centre confirmed that attackers are actively exploiting the flaw and warned organizations to patch immediately.

Singapore’s Cyber Security Agency also advised all users and administrators to update affected systems without delay.

Meanwhile, the vulnerability has reportedly been added to known exploited vulnerability catalogs due to confirmed malicious activity in the wild.

## Recommended Mitigation Steps

Security professionals recommend the following immediate actions:

1. Apply Updates Immediately

Upgrade all affected cPanel, WHM, and WP2 installations to patched versions.

2. Rotate Credentials

Reset:

• ▸Administrator passwords
• ▸API tokens
• ▸SSH keys
• ▸Database credentials

3. Audit Logs

Review authentication and session logs for suspicious activity or unauthorized access attempts.

4. Restrict Access

Limit exposure of WHM and cPanel interfaces using:

• ▸VPN access
• ▸IP allowlists
• ▸Firewall restrictions

5. Enable Multi-Factor Authentication

MFA can help reduce risk from stolen credentials after compromise.

6. Monitor for Indicators of Compromise

Watch for:

• ▸Unknown admin accounts
• ▸Unauthorized cron jobs
• ▸Suspicious processes
• ▸Modified configuration files

## Hosting Industry Faces Massive Security Challenge

The incident highlights the growing cybersecurity risks facing hosting providers and infrastructure management platforms. Since cPanel is widely used across shared hosting environments, vulnerabilities in the platform can quickly become internet-wide security emergencies.

Security analysts warn that attackers are increasingly targeting hosting infrastructure because compromising a single server can provide access to thousands of websites and customer accounts simultaneously.

Organizations running publicly exposed hosting environments should treat this vulnerability as a top-priority security incident.

## Final Thoughts

The newly disclosed cPanel and WHM vulnerabilities represent a critical threat to web hosting infrastructure worldwide. With active exploitation already confirmed and millions of servers potentially exposed, administrators cannot afford to delay patching.

Applying updates immediately, reviewing logs for suspicious activity, and strengthening server security controls are essential steps to reduce the risk of compromise.

As attackers continue scanning the internet for vulnerable systems, unpatched cPanel and WHM servers remain highly attractive targets for cybercriminals.