
CRITICAL BUG IN CPANEL, WHM EXPLOITED SINCE FEBRUARY

SECURITY DESK | 2 MIN READ
SAT, MAY 2, 2026

■ AI-SUMMARIZED FROM 1 SOURCE BELOW

A critical vulnerability in cPanel, WHM, and WP Squared software has been actively exploited since February. The vulnerability carries a CVSS severity score of 9.8, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch by May 3.

The vulnerability affects three widely used server and website management platforms, creating significant risk for government and hosting infrastructure. cPanel and WHM are among the most common control panel solutions for web hosting providers and server administrators; WP Squared, a WordPress management platform, rounds out the affected trio. A CVSS score of 9.8 is near the maximum and indicates that an attacker could likely gain elevated access to, or full control of, affected systems with little effort.

The fact that exploitation has been documented since February raises concerns about how many systems have already been compromised. Organizations running affected versions may already have been targeted, which makes immediate patching critical for federal agencies and private-sector users alike.

CISA's involvement and its firm deadline signal that this is not a routine patch. Deadlines of this kind come from CISA's Known Exploited Vulnerabilities (KEV) catalog, which binds federal civilian agencies under Binding Operational Directive 22-01; a vulnerability is added only when CISA has reliable evidence that it is being exploited in the wild. Private-sector organizations should treat the deadline with equal urgency, particularly those managing sensitive data or customer-facing services.

The incident also highlights the persistent gap between first exploitation and public disclosure. Here that gap appears to have been several months, potentially giving attackers extended access before systems were secured. Administrators should treat the May 3 deadline as a minimum rather than a target and apply patches as soon as they are available. Organizations should also review authentication and access logs going back to February for signs of unauthorized access, and should treat any host that was exposed and unpatched during that window as potentially compromised until that review is complete.

Detailed technical guidance, including the affected and fixed versions, should come from the vendor's advisory and CISA's KEV entry rather than from this summary.

■ SOURCES

Techmeme
