A critical authentication bypass in cPanel's software products was exploited by multiple threat actors within hours of public disclosure, putting millions of hosted websites at risk through tens of thousands of compromised instances. The vendor issued a security update for the flaw, CVE-2026-41940, on 28 April; on 29 April it was assigned a critical CVSS score of 9.8.
The same day, WatchTowr Labs published a proof-of-concept exploit and a technical analysis, calling the bug a "disaster": it lets an unauthenticated attacker gain administrative access and take over the server and every website it hosts. Censys scans showed attacks from multiple threat actors within 24 hours of disclosure, with roughly 15,000 potentially compromised instances observed on the first day.
KnownHost flagged CVE-2026-41940 as a zero-day, reporting around 30 of its servers showing exploitation attempts; follow-up reports on Reddit indicated exploitation had been under way for at least 30 days, with indicators dating back to 23 February. The attack surface is unusually large: the vulnerability affects all supported versions of the software, which runs infrastructure powering around 70 million domains.