CISA Warns: cPanel & WHM Vulner Vulnerability Exploited

An urgent warning from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) highlights a critical security flaw impacting widely used web hosting management platforms.

CISA recently added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, indicating that threat actors are actively abusing it in real-world attacks.

Tracked as CVE-2026-41940, the defect targets WebPros cPanel & WHM (WebHost Manager) as well as WP2 (WordPress Squared).

Understanding the Authentication Bypass Flaw

CVE-2026-41940 is officially classified as a “Missing Authentication for Critical Function” vulnerability, mapped to the weakness identifier CWE-306.

The security gap exists directly within the login flow of the affected products.

Because the software fails to properly verify user identities during the authentication process, unauthenticated remote attackers can bypass security checks completely.

This means a cybercriminal does not need valid usernames or passwords to break in.

Instead, they can exploit the login mechanism to instantly gain unauthorized administrative access to the hosting control panel.

WebPros cPanel & WHM is a popular suite that simplifies website and server management, while WP2 provides streamlined WordPress operations.

Control panels are highly attractive targets for attackers because they serve as the administrative backbone for thousands of websites, databases, and server configurations.

The widespread adoption of these tools means a single flaw can expose countless domains to immediate compromise.

Once an attacker bypasses the login screen, they effectively hold the keys to the kingdom.

They can modify website files, steal sensitive database information, reroute web traffic, or establish persistent backdoors for future access.

While CISA notes that it is currently unknown if this specific vulnerability is tied to ongoing ransomware campaigns, the risk remains severe.

Compromised hosting environments are frequently weaponized to host phishing pages, run cryptomining scripts, or launch coordinated attacks against other networks.

Required Mitigations and Deadlines

To counter this active threat, CISA mandates immediate action from federal agencies, and private organizations are strongly encouraged to adopt the same protective measures.

Security teams and system administrators should prioritize the following steps:

• Apply the latest security patches provided by the vendor immediately to secure the login flow.
• Follow the security guidance outlined in CISA’s Binding Operational Directive (BOD) 22-01 specifically regarding cloud services.
• Discontinue the use of the vulnerable product entirely if updates or practical mitigations are unavailable for your specific environment.

CISA originally added this vulnerability to the KEV catalog on April 30, 2026, and set a strict remediation deadline of May 3, 2026.

Because this deadline has already passed, organizations that have not yet patched their systems must treat this as a critical incident response priority.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.