
Attackers are actively exploiting a critical authentication bypass in cPanel and WebHost Manager, tracked as CVE-2026-41940, to break into government, military and managed-service-provider networks across the globe, with over forty thousand servers believed to have been compromised. The flaw lets an unauthenticated user gain full administrative access by manipulating the Authorization header, a technique first detailed by watchTowr researchers and now seen in the wild. SecurityAffairs reported that targets include organisations in the Philippines, Laos, Canada, South Africa and the United States.
CVE-2026-41940 affects cPanel and WHM releases newer than version 11.40 and carries a CVSS score of 9.8, reflecting its potential to confer complete control without any credentials. The exploit works by inserting special characters into the Authorization header, which causes the application to write arbitrary parameters into a session file; a subsequent reload of the session then authenticates the attacker with those injected credentials. This method bypasses the normal login flow entirely, giving the intruder immediate rights to manage domains, email accounts and server settings.
Intrusion attempts have been linked to the IP address 95.111.250.175, which has been observed targeting government and military domains in Southeast Asia while also scanning hosting providers in North America, Europe and Africa. Namecheap and HostGator have temporarily limited cPanel access for their customers as a precaution, and several managed‑service providers have reported unusual authentication attempts in their logs following the disclosure.
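
A log triage check for the two indicators described above (an Authorization header carrying special characters, and the source address 95.111.250.175), as an added example that is not from the article, cPanel or watchTowr. It assumes a reverse proxy that records the Authorization header as JSON lines with the hypothetical field names `src` and `authorization`; because the article does not say which special characters are involved, it treats any control character as suspicious, and the sample records are constructed.

```python
import base64
import binascii
import json

REPORTED_SOURCE = "95.111.250.175"  # address named in the article

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

# Constructed sample records in an assumed JSON-lines proxy format.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"src": "203.0.113.10", "authorization": "Basic " + _b64(b"alice:correct-horse")},
    {"src": REPORTED_SOURCE, "authorization": ""},
    {"src": "198.51.100.7", "authorization": "Basic " + _b64(b"bob\x00x:pw")},
    {"src": "198.51.100.8", "authorization": "Basic !!!notbase64"},
])

def has_control(text: str) -> bool:
    """True if text holds an ASCII control character (assumed heuristic)."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in text)

def suspicious_reasons(record: dict) -> list:
    """Return the reasons a single request record deserves review."""
    reasons = []
    if record.get("src") == REPORTED_SOURCE:
        reasons.append("reported-source")
    header = record.get("authorization") or ""
    if has_control(header):
        reasons.append("control-char-in-header")
    scheme, _, value = header.partition(" ")
    if scheme.lower() == "basic":
        try:
            # validate=True rejects characters outside the base64 alphabet.
            decoded = base64.b64decode(value.strip(), validate=True).decode("latin-1")
        except (binascii.Error, ValueError):
            reasons.append("malformed-basic-value")
        else:
            if has_control(decoded):
                reasons.append("control-char-in-credentials")
    return reasons

def scan(log_text: str) -> list:
    """Return (line_number, reasons) for every record worth reviewing."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            reasons = suspicious_reasons(json.loads(line))
            if reasons:
                findings.append((number, reasons))
    return findings

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(number, ", ".join(reasons))
```

A hit is a prompt for review rather than proof of compromise; a clean result does not rule out exploitation, since the heuristic is an assumption about what the header looks like.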