External risk intelligence
cPanel and WHM could allow external attackers to gain administrative control
cPanel, WHM, and WP2 software could allow external attackers to bypass authentication and gain admin access to control panels. This vulnerability is subject to active, mass exploitation in ransomware campaigns, potentially leading to the compromise of critical operational systems and business services.
CVE-2026-41940
Exposure facts
H – Horizon Alert
A security vulnerability has been identified within cPanel, WHM, and WP2 software that impacts the system's login process. This flaw allows an unauthorized remote user to bypass authentication and gain direct access to the control panel. This is a significant business concern as it could enable an attacker to interact with your systems without requiring valid credentials.
A – Asset Exposure
The cPanel & WHM and WP2 (WordPress Squared) platforms are impacted by a security flaw within their login processes. These management consoles are often accessible over the network—and in many cases the public internet—potentially allowing external attackers to bypass authentication and gain unauthorized admin access. This exposure could compromise the integrity of operational systems and the management of critical services hosted on these platforms.
L – Live Threat
There is confirmed evidence of active, mass exploitation involving this vulnerability, including its documented use in known ransomware campaigns. Security researchers have publicly released proof-of-concept exploit code, and this issue is actively tracked in the CISA Known Exploited Vulnerabilities catalog. Consequently, there is a high likelihood of impact from this ongoing threat.
O – Operational Fix
Please direct your technical teams to immediately apply the latest security mitigations and updates as provided in the official vendor documentation. If your organization uses cloud-based instances, ensure they comply with the established operational security guidance for these services. Finally, confirm that the updates have been applied successfully on all affected systems to restore secure operations.
References
- https://docs.cpanel.net/release-notes/release-notes
- https://docs.wpsquared.com/changelogs/versions/changelog/#13617
- https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026
- https://www.namecheap.com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026
- https://www.vulncheck.com/advisories/cpanel-and-whm-authentication-bypass-via-login-flow
- https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/
- https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/
- https://github.com/watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41940