Over 40,000 servers have likely been compromised as attackers intensified exploitation of a recently patched cPanel zero-day, CVE-2026-41940. According to The Shadowserver Foundation, threat actors are exploiting this critical authentication-bypass vulnerability in cPanel & WHM, disclosed on 28 April, to gain unauthenticated administrative access.
The flaw is exploited by placing special characters in authorization headers, which writes parameters to a session file; triggering a reload of that file then authenticates the attacker with the injected credentials. CVE-2026-41940 was likely exploited as a zero-day since late February, with activity spiking after the public disclosure and again after watchTowr published technical details.
Last week Rapid7 warned that roughly 1.5 million cPanel instances were accessible from the internet, and as of 3 May Shadowserver was observing tens of thousands of potentially compromised systems. Most affected systems are in the US, with France and the Netherlands completing the top three. cPanel urges customers to update to the patch releases available across affected versions. In the US, CISA has added CVE-2026-41940 to its Known Exploited Vulnerabilities (KEV) catalog, urging agencies to patch promptly.