Source: Security.NL
A serious security vulnerability in cPanel and WHM software is currently being actively exploited, and the scale of the problem is significant. If your website runs on a hosting account managed through cPanel, this is worth paying attention to.
According to The Shadowserver Foundation, more than 44,000 cPanel and WHM installations have very likely been compromised via a critical vulnerability identified as CVE-2026-41940. The Shadowserver Foundation is a non-profit organisation that monitors vulnerable systems on the internet. Security.NL reported on this on 1 May 2026.
The vulnerability is described as an authentication bypass flaw. According to the Australian Cyber Security Centre (ACSC), this means attackers who are not logged in can still gain remote access to the control panel and execute code on the server. In plain terms: someone outside your hosting environment could potentially take control of it without needing a password.
Both the ACSC and the US Cybersecurity and Infrastructure Security Agency (CISA) have confirmed that active exploitation is taking place.
According to The Shadowserver Foundation, at least 650,000 cPanel installations are accessible from the internet. Of those, nearly 13,000 are located in the Netherlands. The foundation identified the 44,000 figure by observing IP addresses of cPanel installations scanning their monitoring systems, though it is important to note this number represents installations that are "very likely" compromised, not confirmed cases.
Updates to address CVE-2026-41940 have reportedly been available since 28 April 2026. According to Security.NL, some parties report that exploitation may have been occurring since 23 February 2026, though the source of this claim is not specified.
If you manage your own server or hosting environment using cPanel or WHM, contact your hosting provider or system administrator immediately and ask whether the update for CVE-2026-41940 has been applied. If you use shared hosting, your provider is likely responsible for applying server-level updates, but it is still worth asking for confirmation.
For a broader overview of security steps relevant to small business websites, see our security checklist for small businesses. If your site also runs WordPress, it is worth reviewing our guide on vulnerable WordPress plugins as well.
If your website is hosted on a server running cPanel or WHM, your hosting environment could be at risk if the available update has not been applied. A compromised hosting account can affect your website, your customer data and your email. Contact your hosting provider to confirm that your server software is up to date.