INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
U.S. CISA Adds Known Exploited Vulnerability to Catalog
2026-05-03 14:39 | CRITICAL HIGH
Executive Summary AI-generated
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a flaw in WebPros cPanel, which affects all supported versions of the software, to its Known Exploited Vulnerabilities catalog. The vulnerability, tracked as CVE-2026-41940, carries a near-worst-case CVSS score of 9.8 and is attributed to an unknown entity. This incident marks one of several recent examples of in-the-wild exploitation against cPanel, with thousands of instances potentially exposed. As a result, CISA has issued a directive for federal agencies to fix the vulnerability by May 3, 2026.
Technical Mitigations AI-generated
* Implement secure login mechanisms: Ensure that all users have strong, unique passwords and use multi-factor authentication whenever possible. This can help prevent attackers from gaining unauthorized access to the cPanel or WHM.
* Regularly update and patch software: Keep your hosting stack up-to-date with the latest security patches, including Microsoft Defender for WebPros cPanel. Regular updates can help fix known vulnerabilities before they are exploited by attackers.
* Use a web application firewall (WAF): Consider installing a WAF like ModSecurity or OWASP ZAP to detect and prevent common web attacks, such as SQL injection and cross-site scripting (XSS).
* Implement rate limiting: Limit the number of login attempts from each IP address within a certain time frame. This can help prevent attackers from exploiting multiple accounts by trying different combinations of credentials.
* Monitor for suspicious activity: Regularly monitor your hosting stack's logs and system performance to detect any unusual activity that may indicate an attack in progress.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-41940
Target & Sectors
NORTH_AMERICA
Incident Timeline
late February 2026
Threat actors exploited a critical cPanel vulnerability to target and patch hosting providers including KnownHost and HostGator.
Hosting providers including Namecheap, HostGator, and KnownHost temporarily blocked access to cPanel interfaces while patching, treating this as a critical authentication bypass and reporting exploit attempts going back to late February 2026.
April 28, 2026
The cPanel release of patches on April 28, 2026, was prompted by a critical vulnerability in the software.
May 3, 2026
Threat actors exploited a critical cPanel vulnerability to gain unauthorized access and compromise millions of websites.
2026/05/03
The attackers used a critical cPanel vuln to target millions of sites.
“Therefore, we’re releasing our Detection Artifact Generator to enable defenders to identify vulnerable hosts in their estates.”
CVE-2026-41940 is an authentication bypass flaw affecting cPanel and WHM versions after 11.40.
The vulnerability, tracked as CVE-2026-41940, carries a near-worst-case CVSS score of 9.8 and affects all supported versions of cPanel and WebHost Manager (WHM) released after version 11.40, along with WP Squared, a WordPress management layer built on top of the same platform.
It said all supported versions after 11.40 are affected, including DNSOnly and WP Squared.
Security researchers are warning about a newly discovered vulnerability in the widely used web server management software cPanel and WebHost Manager (WHM).
cPanel is a widely used web hosting control panel that lets users manage websites and servers through a graphical interface instead of command-line tools.
First reports come in of victims of critical cPanel vuln as 'millions' of sites potentially exposed.
Actively exploited cPanel bug exposes millions of websites to takeover.
“As we stated above, in-the-wild exploitation has already begun, according to KnownHost.”
Hosting provider KnownHost has been more explicit about what that looked like in practice, warning customers it had seen successful exploitation attempts before any fix was available.
According to the Shadowserver Foundation, thousands of instances may be exposed.
The attackers, they said, demanded $7,000 to unlock systems.
This is a critical, actively exploited authentication-bypass bug in cPanel/WHM that lets attackers gain administrative access to the interface without credentials and potentially take over servers and all hosted sites.
When one site is compromised, having the same credentials in several places turns it into a multi‑account takeover problem.
If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor.
Intelligence Sources
* Malwarebytes (2026-05-01)
* The Register - Cybercrime (2026-05-01): First reports come in of victims of critical cPanel vuln as 'millions' of sites potentially exposed
* Security Affairs (2026-05-03)
Incident Version History
CURRENT VERSION
Last Updated: 2026-05-04T10:30
Comprehensive Tactical Telemetry

Highly Correlated Entities

| Mentions | Category | Type | Value | Kind |
|---|---|---|---|---|
| 13x | organisation | Identified Entity | WHM | entity |
| 8x | attribution | Attributing Entity | SecurityAffairs | authority |
| 4x | timeline | Temporal Reference | May 3, 2026 | date |
| 4x | tactic | Cyber Operation Type | Ransomware | tactic |
| 3x | tactic | MITRE ATT&CK Technique | T1588.006 - Vulnerabilities | technique |
| 2x | vulnerability | CVSS Score | 9 | score |
| 2x | infrastructure | Software Version | 11.40 | version |

Contextual Telemetry (Context Block, 5 METRICS)

| Category | Type | Value | Kind |
|---|---|---|---|
| target region | Target Country | United States | country |
| vulnerability | Exploited CVE | CVE-2026-41940 | cve |
| general metric | Version | 11 | version |
| financial | Attackers | 7,000 | attackers |
| general metric | Exposed Cpanel Instances | 1,500,000 | exposed cpanel instances |