
WebPros
Parent company of cPanel & WHM; shipped emergency patch for CVE-2026-41940 on 28 April 2026.
Last refreshed: 8 May 2026
How did a CVSS 9.8 cPanel flaw go 65 days unpatched while ransomware operators exploited it?
Timeline for WebPros
Shipped emergency patch for CVE-2026-41940 on 28 April after 65-day exploitation window
- Is my cPanel server still at risk from CVE-2026-41940?
- WebPros shipped a patch on 28 April 2026. Servers running unpatched cPanel & WHM versions are still at risk. Rapid7 found approximately 1.5 million internet-exposed cPanel instances; operators should confirm they have applied the emergency update. Source: WebPros / Rapid7
- Why did WebPros take 65 days to patch the cPanel zero-day?
- WebPros has not publicly explained the timeline. KnownHost telemetry shows exploitation began on 23 February 2026; WatchTowr Labs disclosed CVE-2026-41940 publicly and WebPros shipped the emergency patch on 28 April — 65 days after the first known exploitation. Source: KnownHost / WatchTowr Labs
- What is WebPros and what software does it make?
- WebPros is the Luxembourg-based parent company of cPanel & WHM and Plesk, the two dominant control panel platforms for shared web hosting. It acquired cPanel in 2019.
Background
WebPros is the parent company of cPanel & WHM, the dominant shared-hosting control panel software used by an estimated 1.5 million publicly internet-exposed servers. On 28 April 2026, WebPros shipped an emergency patch for CVE-2026-41940, a CVSS 9.8 CRLF injection vulnerability in cPanel's login daemon (cpsrvd) that allowed unauthenticated session hijacking to root. The patch came 65 days after KnownHost telemetry confirmed exploitation had begun on 23 February 2026, meaning the zero-day window ran unpatched through nearly the entire spring hosting season.
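The Background above describes the bug class (CRLF injection into a login daemon's response headers) without showing how such a flaw works or what a defender can check for. The following is an added, generic illustration written for this page; it is not cPanel or cpsrvd code and does not reproduce the actual CVE-2026-41940 vector. The header names, cookie values and web-server log lines are constructed for the example.

```python
"""
CRLF (header) injection: a vulnerable header builder beside a hardened one,
a naive header parser that shows the effect, and a log scan that flags
raw or URL-encoded CR/LF in request paths. Generic example, not cpsrvd code.
"""
import re
from urllib.parse import unquote

CRLF_RE = re.compile(r"[\r\n]")


def build_header_unsafe(name: str, value: str) -> str:
    """Vulnerable pattern: an attacker-influenced value is concatenated into a
    header line without being checked for CR/LF. A value containing '\\r\\n'
    therefore ends the current header and starts a new one of the attacker's
    choosing (e.g. an extra Set-Cookie that fixes the session id)."""
    return f"{name}: {value}\r\n"


def build_header_safe(name: str, value: str) -> str:
    """Hardened pattern: refuse any field name or value carrying CR or LF.
    Real frameworks do this for you; the check is shown here to make the
    mitigation explicit."""
    if CRLF_RE.search(name) or CRLF_RE.search(value):
        raise ValueError("CR/LF not permitted in header fields")
    return f"{name}: {value}\r\n"


def header_accepted(name: str, value: str) -> bool:
    """True if the hardened builder accepts the pair, False if it rejects it."""
    try:
        build_header_safe(name, value)
        return True
    except ValueError:
        return False


def parse_headers(raw: str) -> list:
    """Parse a CRLF-terminated header block the way a naive client would,
    returning (name, value) pairs in order so injected headers stay visible."""
    pairs = []
    for line in raw.split("\r\n"):
        if not line:
            continue
        key, _, val = line.partition(": ")
        pairs.append((key, val))
    return pairs


def find_crlf_attempts(log_lines: list) -> list:
    """Return access-log lines whose request path contains a raw or
    URL-encoded CR/LF (%0d / %0a), a common sign of header-injection probing."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m:
            continue
        if CRLF_RE.search(unquote(m.group(1))):
            hits.append(line)
    return hits


# Constructed sample log lines (documentation IP ranges, invented paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Feb/2026:10:00:01 +0000] "GET /login/?user=alice HTTP/1.1" 200 512',
    '203.0.113.9 - - [23/Feb/2026:10:00:07 +0000] "GET /login/?user=alice%0d%0aSet-Cookie:%20x=1 HTTP/1.1" 200 512',
    '198.51.100.2 - - [23/Feb/2026:10:01:13 +0000] "POST /login/ HTTP/1.1" 302 0',
]


if __name__ == "__main__":
    tainted = "session=abc\r\nSet-Cookie: injected=1"
    print("unsafe builder yields", len(parse_headers(build_header_unsafe("Set-Cookie", tainted))), "headers")
    print("safe builder accepts tainted value:", header_accepted("Set-Cookie", tainted))
    for hit in find_crlf_attempts(SAMPLE_LOG):
        print("suspicious request:", hit)
```

The unsafe builder turns one tainted cookie value into two headers; the hardened builder rejects the same value outright. The log scan is a coarse triage aid only: it decodes each request path once and looks for literal CR/LF, so double-encoded probes or injection through other fields need their own checks.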
WebPros acquired cPanel in 2019, combining it with its Plesk control panel brand to create the dominant player in shared-hosting management software. The company is headquartered in Luxembourg, though cPanel's development has historically been US-based. WebPros' products serve hosting providers who collectively host millions of customer websites, making any critical vulnerability in the shared stack a high-amplification risk.
The 65-day zero-day window and subsequent 'Sorry' ransomware activity raise questions about WebPros' internal security process and vulnerability disclosure practices. CISA added CVE-2026-41940 to KEV on 30 April — two days after the patch — indicating exploitation was already widespread when the fix shipped.