The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered all federal agencies to patch CVE-2026-41940, a critical security vulnerability affecting critical servers and website management systems, by May 3. The vulnerability exists in the cPanel & WHM products owned by WebPros International. This Linux-based website hosting control panel is widely used to manage websites and servers, and millions of domain names around the world rely on related solutions to run.

Security firm Rapid7's incident response team said that a successful exploit could allow an attacker to take complete control of the system hosting cPanel, its configuration, databases and hosted websites. The flaw has a CVSS risk score of 9.8 out of 10. Experts warn that hackers can use this to completely compromise servers, steal or tamper with hosted data, and may trigger more serious chain reactions such as large-scale service interruptions.

Several cybersecurity companies have pointed out that there are thousands of cPanel instances currently exposed on the Internet that may be affected by this vulnerability. CISA confirmed on Thursday that the vulnerability is being exploited in the wild. In addition to releasing fixes, cPanel has also launched a tool to help businesses detect whether their environments have been compromised.

The flaw was first disclosed this week by experts at cybersecurity firm watchTowr, who also released tools for defenders to identify at-risk hosts within their assets. Other agencies subsequently disclosed evidence showing that related attacks had begun as early as February this year.

US domain name registrar Namecheap issued a notice this week to remind customers that the measures it has taken to address the vulnerability may restrict user access to the cPanel and WHM management interfaces for a period of time. watchTowr CEO Benjamin Harris said that within hours of cPanel's initial security advisory, nearly every major hosting provider had implemented firewall measures blocking their own customers from the products.

"Hosting.com, Namecheap, KnownHost, HostPapa, InMotion, all of them are slamming on the emergency brake because the alternative is to watch their entire customer base be taken over in a live attack," Harris said. He added that it feels like "half the Internet is on fire" and that this "new normal" is likely to occur more and more frequently as AI becomes more widely used in vulnerability hunting.