CISA Warns of Critical cPanel & WHM RCE Vulnerability CVE-2021-35941 Exploited in Attacks
Key Takeaways A critical authentication bypass flaw, CVE-2026-41940, in WebPros cPanel & WHM and WP2 is under active exploitation. The U.S. CISA has added this vulnerability to its Known...
Key Takeaways
- A critical authentication bypass flaw, CVE-2026-41940, in WebPros cPanel & WHM and WP2 is under active exploitation.
- The U.S. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating immediate remediation for federal agencies.
- The flaw allows unauthenticated attackers to gain administrative access to affected web hosting control panels without credentials.
- Patches are available, and organizations must apply them urgently to mitigate the risk of full server compromise.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding a severe security vulnerability actively being exploited in the wild. This critical flaw impacts widely used web hosting management platforms, posing a significant risk to numerous online services.
Table Of Content
CISA recently incorporated this vulnerability into its Known Exploited Vulnerabilities (KEV) catalog, a definitive list of security issues that threat actors are actively leveraging in real-world attacks. The inclusion underscores the immediate danger this flaw presents.
Identified as CVE-2026-41940, the vulnerability affects WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared), two popular solutions for managing web hosting environments.
Understanding the Authentication Bypass Flaw
CVE-2026-41940 is categorized as a “Missing Authentication for Critical Function” vulnerability, corresponding to the CWE-306 weakness identifier. This classification highlights a fundamental security breakdown in the authentication process of the affected products.
The core of the vulnerability lies within the login mechanism itself. The software fails to adequately verify user identities during authentication, enabling unauthenticated remote attackers to completely bypass security checks. This means that malicious actors can gain unauthorized administrative access to the hosting control panel without needing valid usernames or passwords.
WebPros cPanel & WHM is an extensive suite designed to streamline website and server administration, while WP2 facilitates optimized WordPress operations. These control panels are prime targets for attackers due to their central role in managing thousands of websites, databases, and server configurations. The widespread adoption of these tools means that a single, exploitable flaw can expose countless domains to immediate compromise.
Once an attacker circumvents the login screen, they effectively gain complete control over the hosting environment. This level of access allows them to modify website files, exfiltrate sensitive database information, redirect web traffic, or install persistent backdoors for future access. While CISA has not yet linked this specific vulnerability to ongoing ransomware campaigns, the potential for severe damage remains high.
Compromised hosting environments are frequently weaponized for various illicit activities, including hosting phishing pages, running cryptomining scripts, or launching coordinated attacks against other networks.
Required Mitigations and Deadlines
To combat this active threat, CISA has mandated immediate action for federal agencies and strongly advises private organizations to adopt similar protective measures. Security teams and system administrators must prioritize the following steps:
- Apply the latest security patches released by the vendor without delay to secure the compromised login flow.
- Adhere to the security guidelines outlined in CISA’s Binding Operational Directive (BOD) 22-01, particularly concerning cloud services.
- If updates or practical mitigations are unavailable for a specific environment, discontinue the use of the vulnerable product entirely.
CISA initially added this vulnerability to the KEV catalog on April 30, 2026, setting a strict remediation deadline of May 3, 2026. As this deadline has now passed, organizations that have not yet patched their systems must treat this as a critical incident response priority, given the active exploitation.
What You Should Do
- Immediately verify if your organization uses WebPros cPanel & WHM or WP2.
- Prioritize applying all available security patches and updates from WebPros.
- If patching is not immediately feasible, explore alternative mitigation strategies or consider temporarily decommissioning affected systems.
- Conduct a thorough audit of your hosting environments for any signs of compromise if patches were not applied by CISA’s deadline.
- Review and strengthen authentication policies across all critical systems.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.