A critical authentication bypass vulnerability in cPanel, WHM, and WP Squared is being actively exploited in the wild since late February. A proof-of-concept is now publicly available.
The Vulnerability
CVE-2026-41940 is a critical authentication bypass flaw affecting cPanel, WHM, and WP Squared. The vulnerability allows attackers to circumvent authentication mechanisms, potentially granting unauthorized access to hosting control panels and administrative functions.
Active Exploitation
Security researchers have confirmed active exploitation attempts dating back to late February. The release of a public proof-of-concept has significantly expanded the attack surface, enabling a broader range of threat actors to leverage the flaw.
Risk Assessment
The combination of a critical severity rating and public exploit code creates an urgent threat landscape. Organizations running affected versions face elevated risk of unauthorized access, data breaches, and potential lateral movement within hosting infrastructure.
Affected Systems
The vulnerability impacts multiple cPanel and WHM versions. WP Squared installations are also vulnerable. Administrators should immediately identify and inventory affected systems across their infrastructure.
Recommended Actions
Organizations should prioritize patching to the latest available versions. Interim mitigations may include restricting access to administrative interfaces, monitoring authentication logs for suspicious activity, and implementing network-level controls on management ports.
Timeline
While initial exploitation attempts occurred in late February, the public release of proof-of-concept code has accelerated the threat timeline. The window for remediation has narrowed considerably.
cPanel and WHM administrators should treat this as a critical priority and coordinate patching across their infrastructure immediately. The availability of public exploit code means this vulnerability will likely see widespread exploitation efforts in the coming days.
Partnered Health, one of Australia's largest healthcare providers, has disclosed a cyber-attack affecting 21 clinics across Sydney, Melbourne, and Canberra. Personal information and medical records were compromised in the breach.
Security firm Intruder has developed an AI-powered system that automatically identifies previously unknown software vulnerabilities by combining code analysis with large language models. The tool already discovered and exploited a WordPress plugin zero-day.
U.S. federal prosecutors have unsealed charges against three Russian nationals accused of operating a bulletproof hosting service that supported ransomware gangs responsible for over $62 million in damages worldwide.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server instances. Organizations running affected versions must patch immediately.