
cPanel & WHM
Dominant shared-hosting control panel; CVE-2026-41940 ran unpatched 65 days while ransomware hit servers.
Last refreshed: 8 May 2026 · Appears in 1 active topic
How many customer websites were exposed when ransomware operators spent 65 days inside unpatched cPanel servers?
Timeline for cPanel & WHM
Found to contain CVE-2026-41940 exploitable since 23 February across ~1.5m exposed instances
Cybersecurity: Threats and Defences: cPanel zero-day ran 65 days before patch; Sorry ransomware activeIs my cPanel server safe from CVE-2026-41940?
What is CVE-2026-41940 in cPanel and how does it work?
How many sites were affected by the cPanel zero-day?
Background
cPanel & WHM is the dominant control panel software for shared web hosting, managing site files, databases, email, and DNS for millions of hosted websites globally. In April 2026, WatchTowr Labs disclosed CVE-2026-41940 — a CVSS 9.8 CRLF injection vulnerability in the cPanel login daemon (cpsrvd) — that allowed unauthenticated session hijacking to root. Parent company WebPros shipped an emergency patch on 28 April 2026, but KnownHost telemetry confirmed exploitation had been running since 23 February, a 65-day zero-day window. CISA added the flaw to KEV on 30 April.
Rapid7's internet scanning identified approximately 1.5 million internet-exposed cPanel instances, establishing the potential blast radius. 'Sorry' ransomware deployed Go-language Linux encryptors on compromised hosting servers during the unpatched window. The volume of affected sites is structurally large because shared hosting by definition places many customer websites on a single server; a root compromise of one cPanel host can expose all tenants on that server.
WebPros acquired cPanel in 2019. cPanel & WHM's market dominance — it is estimated to power the majority of shared-hosting environments globally — makes critical vulnerabilities in the platform an annual risk event. The 65-day gap between first exploitation and patch availability in this incident is among the longest recorded for a CVSS 9+ hosting control panel vulnerability.