
cPanel & WHM
Dominant shared-hosting control panel; CVE-2026-41940 ran unpatched 65 days while ransomware hit servers.
Last refreshed: 8 May 2026
How many customer websites were exposed when ransomware operators spent 65 days inside unpatched cPanel servers?
Timeline for cPanel & WHM
Found to contain CVE-2026-41940 exploitable since 23 February across ~1.5m exposed instances
Cybersecurity: Threats and Defences: cPanel zero-day ran 65 days before patch; Sorry ransomware active
- Is my cPanel server safe from CVE-2026-41940?
- WebPros shipped the emergency patch on 28 April 2026. Any cPanel & WHM installation not updated to the patched version remains vulnerable to unauthenticated session hijacking to root (CVSS 9.8). Check the WebPros security advisory for affected version numbers. Source: WebPros / CISA
- What is CVE-2026-41940 in cPanel and how does it work?
- CVE-2026-41940 is a CRLF injection vulnerability in cPanel's login daemon (cpsrvd). An unauthenticated attacker can manipulate HTTP headers to hijack sessions and escalate to root on the hosting server, affecting all sites hosted on that machine. Source: WatchTowr Labs / CISA
- How many sites were affected by the cPanel zero-day?
- Rapid7 identified approximately 1.5 million internet-facing cPanel instances. Each server can host dozens to hundreds of customer websites, making the potential number of affected sites orders of magnitude higher. Source: Rapid7 / Shodan
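The page describes the flaw only as a CRLF injection in HTTP headers, so the following is a generic illustration of that vulnerability class and its mitigation, added here as an example. It is not cPanel or cpsrvd code and says nothing about how the real daemon is built: the `build_response_naive`, `build_response_hardened`, `parse_headers` and `validate_header_value` functions, and the sample input, are all constructed for this illustration. It shows why copying an unvalidated value into a header lets a caller terminate the header line and append a header of their choosing, and how rejecting control characters before the value reaches the wire closes that path.

```python
"""Generic CRLF header-injection illustration (added example, hypothetical code).

Not cPanel/cpsrvd code. The builder/parser below stand in for any HTTP
server that echoes a request-controlled value into a response header.
"""
from __future__ import annotations

# RFC 7230 field values may not contain CR, LF or other control characters
# (horizontal tab is the one permitted whitespace control).
_CONTROL_CHARS = {chr(c) for c in range(0x00, 0x20)} | {chr(0x7F)}
_CONTROL_CHARS.discard("\t")


def build_response_naive(location: str) -> bytes:
    """Vulnerable pattern: the caller-supplied value goes straight into a header."""
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n\r\n".encode("latin-1")


def validate_header_value(value: str) -> str:
    """Reject any control character, so a value can never end its own header line.

    Rejecting bare LF as well as CRLF matters: lenient parsers accept a lone LF
    as a line terminator, so stripping only the "\\r\\n" pair is not enough.
    """
    bad = [c for c in value if c in _CONTROL_CHARS]
    if bad:
        raise ValueError(
            f"header value contains control character 0x{ord(bad[0]):02x}"
        )
    return value


def build_response_hardened(location: str) -> bytes:
    """Hardened pattern: validate before the value is serialised onto the wire."""
    safe = validate_header_value(location)
    return f"HTTP/1.1 302 Found\r\nLocation: {safe}\r\n\r\n".encode("latin-1")


def parse_headers(raw: bytes) -> dict[str, str]:
    """Minimal response-header parser used only to show what a client would see."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


# Constructed input: a redirect target that smuggles a CRLF and a second header.
INJECTED_LOCATION = "/home\r\nSet-Cookie: sid=attacker-chosen"


def demo() -> dict[str, object]:
    """Run both builders on the constructed input and report what each produces."""
    seen_by_client = parse_headers(build_response_naive(INJECTED_LOCATION))
    try:
        build_response_hardened(INJECTED_LOCATION)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True
    return {
        "naive_headers": seen_by_client,            # forged Set-Cookie lands
        "hardened_rejected": hardened_rejected,      # validation refuses it
        "hardened_clean": parse_headers(build_response_hardened("/home")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The naive builder emits a response in which the client sees a `Set-Cookie` header the server never intended to send, which is the mechanism behind session-fixation and hijacking attacks in this class; the hardened builder raises before any bytes are written. In a real service the same check belongs at every point where a request-controlled value is serialised into a response header, not only in redirects.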
Background
cPanel & WHM is the dominant control panel software for shared web hosting, managing site files, databases, email, and DNS for millions of hosted websites globally. In April 2026, WatchTowr Labs disclosed CVE-2026-41940 — a CVSS 9.8 CRLF injection vulnerability in the cPanel login daemon (cpsrvd) — that allowed unauthenticated session hijacking to root. Parent company WebPros shipped an emergency patch on 28 April 2026, but KnownHost telemetry confirmed exploitation had been running since 23 February, a 65-day zero-day window. CISA added the flaw to KEV on 30 April.
Rapid7's internet scanning identified approximately 1.5 million internet-exposed cPanel instances, establishing the potential blast radius. 'Sorry' ransomware deployed Go-language Linux encryptors on compromised hosting servers during the unpatched window. The volume of affected sites is structurally large because shared hosting by definition places many customer websites on a single server; a root compromise of one cPanel host can expose all tenants on that server.
WebPros acquired cPanel in 2019. cPanel & WHM's market dominance — it is estimated to power the majority of shared-hosting environments globally — makes critical vulnerabilities in the platform an annual risk event. The 65-day gap between first exploitation and patch availability in this incident is among the longest recorded for a CVSS 9+ hosting control panel vulnerability.