Exploit Cyber-Frenzy Threatens Millions via Critical cPanel Vulnerability
Recorded: May 11, 2026, 1:16 p.m.
Original

Exploit Cyber-Frenzy Threatens Millions via Critical cPanel Vulnerability

Shortly after the authentication-bypass flaw was disclosed, multiple proof-of-concept exploits appeared, and one researcher claims there's been zero-day activity for at least a month.

Rob Wright, Senior News Director, Dark Reading
May 4, 2026

A critical authentication bypass flaw in cPanel software products has come under heavy exploitation from a variety of threat actors shortly after public disclosure, putting millions of websites at risk via tens of thousands of compromised instances.

On April 28, the software vendor, which specializes in Web hosting control-panel software, issued a security update to address a vulnerability affecting all supported versions of cPanel, WebHost Manager (WHM), and WP Squared products. On April 29, the flaw was identified as CVE-2026-41940 and assigned a critical CVSS score of 9.8. On the same day, WatchTowr Labs published a proof-of-concept (PoC) exploit and a technical analysis of the vulnerability, which researchers described as a "disaster" flaw that allows attackers to gain administrative access and take over servers and hosted websites.

The plot thickened considerably when KnownHost, which offers managed cPanel hosting, flagged CVE-2026-41940 as a zero-day vulnerability, with approximately 30 servers showing signs of attempted exploitation. In follow-up posts on Reddit, KnownHost CEO Daniel Pearson confirmed the vulnerability had been exploited for "at least for the last 30 days," with signs of attempts as far back as Feb. 23.

Meanwhile, Internet scanning from Censys showed the cPanel flaw came under attack from multiple threat actors within 24 hours of disclosure, illustrating once again that security teams these days have little time to patch critical flaws before exploitation begins.

Fast Exploitation for CVE-2026-41940

Censys said its scans revealed approximately 15,000 potentially compromised instances within the first 24 hours following disclosure. Some of the attacks deployed Mirai botnet variants, while most vulnerable instances were hit with a ransomware that encrypts files and appends a ".sorry" extension. One victim, Yousef Alsahijan, confirmed his server was hit with both botnet malware and the "sorry" ransomware in what he described as a "highly organized, multistage operation" rather than a random, opportunistic attack. "The entire attack chain from initial access to full encryption happened within minutes," Alsahijan wrote on LinkedIn. "No credentials were needed. 2FA [two-factor authentication] did not help."

The exploitation activity has increased in recent days, according to Simo Kohonen, founder and CEO of cybersecurity vendor Defused. "We've seen almost 1,000 exploit attempts since the vulnerability dropped with wide geographical and ASN variance," Kohonen tells Dark Reading. "Given that our honeypots represent a small surface area of the 800k+ cPanel instances indexing sites like Shodan lists, it's safe to say exploitation is extremely heavy at the moment."

Experts say several factors contributed to the rapid exploitation of CVE-2026-41940. Sıla Özeren Hacıoğlu, associate security research engineer at Picus Security, says, for starters, the vulnerability was known to at least some attackers prior to disclosure. "KnownHost confirmed in-the-wild exploitation was ongoing against the cPanel/WHM management plane, so attackers weren't starting from scratch on disclosure day," she says. "They were already tooled up."

Furthermore, Hacıoğlu notes that the differences between vulnerable versions and cPanel's patches were "quite small and pointed," amounting to just three files with some key changes that become obvious during patch diffing. "That kind of surgical patch is essentially a road map [for attackers]," she says. "Once the WatchTowr write-up landed with the full chain explained, weaponization for anyone who hadn't already figured it out was a short hop."

Kohonen says a large portion of the exploitation activity observed by Defused has copied WatchTowr's PoC exploit exactly, thus "the initial wave of activity was quite likely driven by it." But he notes other PoC exploits dropped around the same time and have shown up in Defused honeypots, including one called "cPanel Sniper."

Other issues contributed to the wave of attacks against the authentication bypass flaw. Hacıoğlu says cPanel's initial advisory was "notably terse," and merely described the flaw as "an issue with session loading and saving." Such descriptions don't slow down attackers, she says, because they can patch diff, but they can slow down defenders that are trying to assess risk and prioritize patching. "Add to that the fact that the vulnerability hits all currently supported versions, runs on a management interface typically exposed on port 2087, and lands on infrastructure powering around 70 million domains, and you have an unusually large, uniform, reachable attack surface," she says.

Time Is Not on Defenders' Side

CVE-2026-41940 is the latest example of a critical vulnerability that came under heavy exploitation in a matter of hours, rather than days or weeks. Hacıoğlu says this is part of a larger, consistent trend where security teams have about a 24- to 48-hour window to patch critical bugs in widely deployed edge or management software before attacks begin.

"Patch diffing has been industrialized, with mature toolchains for binary and source diffing, and several research groups now publish detailed technical breakdowns within days," she says. "Mass scanning infrastructure is also cheap and ambient now, so once a working PoC exists, untargeted exploitation across the entire IPv4 space is a matter of hours."

Additionally, Hacıoğlu says edge devices and management panels have been attractive targets for threat actors in the past because they're internet-facing products with typically large install bases, and "patching cycles in shared hosting and enterprise environments are often slow."

But organizations can't afford to be slow with CVE-2026-41940, given the widespread attacks and types of threats converging on the flaw. In a blog post on Friday, Hacıoğlu warned that the vulnerability was wormable, and that "mass scripted exploitation against the ~1.5M exposed instances is feasible."

Picus Security urged customers to upgrade to fixed versions immediately and to rotate credentials, including root-level account and WHM reseller passwords, API tokens, and SSH keys stored in WHM-managed accounts. Additionally, security teams should purge cPanel sessions and hunt for signs of persistence, such as custom WHM hooks.

Lastly, if organizations cannot immediately patch their cPanel software, Picus Security recommends blocking inbound traffic to TCP/2083, TCP/2087, TCP/2095, and TCP/2096, which Hacıoğlu noted is what several major hosting providers have done as a temporary mitigation.
Summarized

The rapid exploitation of a critical authentication bypass vulnerability, CVE-2026-41940, in cPanel software products represents a significant and concerning cyber-security event. Shortly after cPanel's security update and public disclosure, and after WatchTowr Labs published a proof-of-concept exploit and technical analysis, a variety of threat actors initiated widespread attacks, with approximately 15,000 potentially compromised instances detected by Censys within 24 hours. This swift response underscores the potential for immediate damage when vulnerabilities are exposed and leveraged. The vulnerability, as described by Rob Wright of Dark Reading, allows administrative access and server takeover without credentials, leading to the deployment of ransomware (appending a ".sorry" extension to encrypted files) and Mirai botnet variants, with one victim reporting an attack chain that ran from initial access to full encryption within minutes. Investigations by KnownHost revealed exploitation predating disclosure by at least 30 days, with attempts as far back as February 23rd, highlighting the extended window of opportunity for attackers. cPanel's terse initial advisory, which described the flaw only as an issue with session loading and saving, slowed defenders trying to assess risk and prioritize patching without slowing attackers, for whom the small three-file patch served as a roadmap for weaponization; WatchTowr Labs' write-up, which explained the full chain, further accelerated exploitation. Simo Kohonen of Defused reported nearly 1,000 exploit attempts within a short period across a wide range of geographies and ASNs, and the fact that many attackers copied WatchTowr's PoC exactly, alongside other PoCs such as "cPanel Sniper," suggests rapid dissemination of attack tooling. The vulnerability's reach, impacting infrastructure behind approximately 70 million domains, and its wormable nature, as warned by Picus Security, amplify the potential impact.

Sıla Özeren Hacıoğlu attributed the flaw's attractiveness to its internet-facing management interface (typically exposed on port 2087), a historical target for malicious actors, and to the ease with which the patch diff could be used. That attacks arrived within 24 hours fits a consistent trend in which defenders have only a 24- to 48-hour window to patch critical bugs in widely deployed edge and management software, driven by industrialized patch diffing and cheap mass scanning. The confluence of factors (pre-disclosure exploitation, a small, targeted patch, a readily available PoC, and a large, uniform attack surface) contributed to the "cyber-frenzy" that threatened millions of websites. Recommended mitigations include immediate upgrade to fixed versions, rotation of credentials (root and WHM reseller passwords, API tokens, and SSH keys), purging cPanel sessions, hunting for persistence such as custom WHM hooks, and, where patching must wait, the temporary measure of blocking inbound traffic to TCP 2083, 2087, 2095, and 2096, illustrating the urgency of response when faced with a high-impact vulnerability.
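The mitigation steps the article reports from Picus Security (block inbound TCP 2083/2087/2095/2096 if you cannot patch, then hunt for signs of compromise) can be turned into a small triage helper. The following is an added example written for this page; it is not code from cPanel, Picus Security, Dark Reading or any of the researchers quoted. It generates an nftables ruleset that drops traffic to the four cPanel ports except from an administrator allowlist, and walks a filesystem looking for files carrying the ".sorry" extension the article attributes to the ransomware seen on compromised instances. The table name `cpanel_mitigation`, the allowlist CIDR `203.0.113.0/24`, and the sample directory tree are assumptions constructed for the example; the ports and the extension come from the article.

```python
"""Post-disclosure triage helpers for the CVE-2026-41940 mitigations named in the article.

Added example, not cPanel's or Picus Security's code. Two pieces:
  1. An nftables ruleset that drops inbound TCP 2083/2087/2095/2096 except from an
     administrator allowlist (the temporary mitigation the article describes).
  2. A filesystem hunt for the ".sorry" extension the article attributes to the
     ransomware deployed on compromised instances.
"""
import os
import tempfile
from pathlib import Path

# Ports named in the article: cPanel (2083), WHM (2087), Webmail (2095/2096).
CPANEL_PORTS = (2083, 2087, 2095, 2096)

# Extension the article reports the ransomware appending to encrypted files.
RANSOM_EXT = ".sorry"


def build_nft_ruleset(admin_cidrs, table="cpanel_mitigation"):
    """Return an nftables ruleset (text) for `nft -f`.

    Traffic to the cPanel ports is accepted only from admin_cidrs and dropped
    otherwise; all other traffic falls through to the host's existing policy.
    The table name is an assumption chosen for this example.
    """
    if not admin_cidrs:
        raise ValueError("at least one administrator CIDR is required")
    ports = ", ".join(str(p) for p in CPANEL_PORTS)
    elements = ", ".join(admin_cidrs)
    return f"""\
table inet {table} {{
    set admin_allow {{
        type ipv4_addr
        flags interval
        elements = {{ {elements} }}
    }}
    chain input {{
        type filter hook input priority -10; policy accept;
        ct state established,related accept
        tcp dport {{ {ports} }} ip saddr @admin_allow accept
        tcp dport {{ {ports} }} drop
    }}
}}
"""


def find_encrypted_files(root, ext=RANSOM_EXT):
    """Walk `root` and return sorted relative paths of files carrying `ext`."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(ext):
                hits.append(str(Path(dirpath, name).relative_to(root)))
    return sorted(hits)


def demo_hunt():
    """Build a constructed sample tree (not real victim data) and run the hunt on it."""
    tmp = Path(tempfile.mkdtemp(prefix="cpanel-triage-"))
    sample = {  # constructed for the example
        "public_html/index.php": "<?php echo 'ok'; ?>",
        "public_html/index.php.sorry": "ENCRYPTED-PLACEHOLDER",
        "mail/inbox.sorry": "ENCRYPTED-PLACEHOLDER",
        "logs/access.log": "203.0.113.5 - - [04/May/2026:00:00:00 +0000] ...",
    }
    for rel, content in sample.items():
        path = tmp / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return find_encrypted_files(tmp)


if __name__ == "__main__":
    print(build_nft_ruleset(["203.0.113.0/24"]))  # assumed admin network
    for hit in demo_hunt():
        print("ransomware artifact:", hit)
```

Apply the generated text with `nft -f`; the chain uses priority -10 so it runs ahead of a distribution filter chain at priority 0, and the IPv4-only allowlist means IPv6 requests to those ports are dropped outright. Note that blocking 2083/2095/2096 also cuts customers off from the cPanel and webmail interfaces, which is why the allowlist approach described in the article is a stopgap until the fixed version is installed. The filesystem hunt only finds files already renamed by the ransomware; the article's other recommendations (session purge, credential rotation, checking for custom WHM hooks) still need to be carried out with cPanel's own tooling.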