Breaking Technology · 8 min read

CISA confirms months-long exploitation of critical cPanel flaw affecting 70 million domains

CVE-2026-41940 gave attackers root-level server access since February—two months before patches existed—exposing the fragility of delegated hosting infrastructure.

A critical authentication bypass in cPanel and WebHost Manager has been actively exploited since at least February 23, 2026, granting attackers unauthenticated root-level access to servers managing an estimated 70 million domains—months before patches became available on April 28.

The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2026-41940 to its Known Exploited Vulnerabilities Catalog on April 30, confirming in-the-wild attacks and mandating that federal agencies remediate by May 21. The vulnerability carries a CVSS score of 9.8 and affects all currently supported versions of cPanel software, with approximately 1.5 million exposed instances identified through internet scanning, per Rapid7.

cPanel controls roughly 94% of the web hosting control panel market according to Hadrian.io, making this one of the most concentrated supply-chain vulnerabilities disclosed this year. The flaw is a CRLF injection weakness in session-file handling that lets an attacker inject administrative session attributes—including user=root and tfa_verified=1—without authenticating. This grants full control over server configurations, databases, and every website hosted on compromised infrastructure.
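To make the mechanism concrete, here is an added illustration (not cPanel's code, and not based on the real cPanel session-file layout, which the article does not describe) of why a line-oriented "key=value" session store is dangerous when values can carry carriage returns or newlines: a value that contains CRLF terminates the current line and starts new attribute lines, so a caller who controls one field can append attributes such as user=root. The hardened writer rejects control characters outright, and a small duplicate-key check shows one way a defender can spot forged session records after the fact. All names and the sample tainted value are constructed for this example.

```python
# Added example: toy key=value session serializer, NOT cPanel's implementation.
# File format ("key=value" per line, last occurrence of a key wins) is constructed.

def serialize_session_unsafe(attrs: dict) -> str:
    """Vulnerable writer: values are copied verbatim, so a value containing
    "\r\n" (or "\n") ends the current line and starts a new attribute line."""
    return "".join(f"{k}={v}\n" for k, v in attrs.items())


def serialize_session_safe(attrs: dict) -> str:
    """Hardened writer: refuse any CR/LF in values, and any CR/LF or '=' in
    keys, so the line structure cannot be forged. Raising is preferable to
    silently stripping, which would hide the attempt from logs."""
    for k, v in attrs.items():
        if any(c in k for c in "\r\n=") or any(c in str(v) for c in "\r\n"):
            raise ValueError(f"control character in session attribute {k!r}")
    return "".join(f"{k}={v}\n" for k, v in attrs.items())


def parse_session(text: str) -> dict:
    """Line-oriented reader; if a key appears twice, the later line wins,
    which is what makes the injected attributes take effect."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            k, _, v = line.partition("=")
            out[k] = v
    return out


def duplicate_keys(text: str) -> set:
    """Defender-side check: a session record that repeats a key is a strong
    indicator that a value was used to smuggle extra attribute lines."""
    seen, dupes = set(), set()
    for line in text.splitlines():
        if "=" in line:
            k = line.partition("=")[0]
            if k in seen:
                dupes.add(k)
            seen.add(k)
    return dupes


def safe_writer_rejects(attrs: dict) -> bool:
    """True if the hardened writer refuses the given attributes."""
    try:
        serialize_session_safe(attrs)
    except ValueError:
        return True
    return False


# Constructed attacker-controlled field: a username echoed into the session.
# The legitimate tfa_verified=0 line comes first, so the smuggled lines override it.
TAINTED = {"tfa_verified": "0", "user": "guest\r\nuser=root\r\ntfa_verified=1"}
CLEAN = {"tfa_verified": "0", "user": "guest"}

if __name__ == "__main__":
    record = serialize_session_unsafe(TAINTED)
    print("unsafe writer produced:", parse_session(record))   # user=root, tfa_verified=1
    print("duplicate keys seen:", duplicate_keys(record))
    print("safe writer rejects tainted input:", safe_writer_rejects(TAINTED))
    print("safe writer accepts clean input:", parse_session(serialize_session_safe(CLEAN)))
```

The point of the hardened version is that validation happens at the serialization boundary rather than at each caller: no matter which code path supplies the value, a CR or LF can never reach the file, so the line-oriented parser can never be tricked into reading attributes the server did not set.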

Exposure Metrics
  • Exposed cPanel instances: 1.5M
  • Domains under management: ~70M
  • CVSS severity score: 9.8
  • Market concentration: 94%

Two-month exploitation window before disclosure

The vulnerability was exploited in the wild for at least two months before cPanel issued emergency patches on April 28. Evidence of exploitation activity dates to February 23, according to Help Net Security, meaning attackers had root-level access to vulnerable hosting infrastructure throughout March and most of April while defenders remained unaware.

Daniel Pearson, CEO of hosting provider KnownHost, reviewed exploitation attempts on his network and found most consisted of reconnaissance activity—attackers testing whether the vulnerability worked before moving to secondary objectives. “At least on our network and the cases I’ve reviewed, any exploit has amounted to ‘let me see if this works’ and then no other changes/attempts past that,” Pearson stated. However, the prolonged pre-disclosure window means forensic investigations are ongoing across the industry to determine the full scope of compromise.

watchTowr Labs published technical details and proof-of-concept exploit code on April 29—just one day after patches became available—compressing the defensive window and accelerating the need for immediate remediation. The security research firm characterised the flaw as “the keys to the kingdom, and then the keys to every individual apartment inside the kingdom,” referencing both server-level and account-level access capabilities.

Timeline
  • 23 Feb 2026: First exploitation evidence. Earliest confirmed exploitation activity in the wild.
  • 28 Apr 2026: Emergency patches released. cPanel issues fixes for all supported versions.
  • 29 Apr 2026: Proof-of-concept published. watchTowr Labs releases technical details and exploit code.
  • 30 Apr 2026: CISA KEV listing. Federal mandate triggers 21-day remediation deadline.

Structural dependency creates remediation gap

Unlike vulnerabilities in end-user applications or network appliances, CVE-2026-41940 affects infrastructure that most organisations cannot patch themselves. Shared hosting customers—including small businesses, agencies, and enterprises using reseller hosting—depend entirely on their provider’s response speed and technical competence. This creates a supply-chain trust gap with limited visibility: tenants have no direct way to verify that their hosting provider has applied patches or implemented compensating controls.

Major hosting providers including Namecheap, KnownHost, HostPapa, and InMotion responded within hours of the April 28 advisory by blocking external access to cPanel ports (2082, 2083, 2086, 2087) and deploying patches, according to Hadrian.io. However, the fragmented nature of the hosting industry—with thousands of small providers globally—means a long tail of unpatched systems will persist for weeks or months.

“Successful exploitation of CVE-2026-41940 grants an attacker control over the cPanel host system, its configurations and databases, and websites it manages.”

— Ryan Emmons, Security Researcher, Rapid7

The vulnerability’s technical mechanism—CRLF injection enabling session attribute manipulation—is straightforward to exploit but difficult to detect retrospectively. Attackers who gained access in February or March may have established persistent backdoors, created administrative accounts, or exfiltrated credentials before patches closed the entry point. Standard log analysis may miss these intrusions if attackers used the legitimate session-creation mechanism rather than traditional exploitation signatures.

Market concentration amplifies blast radius

cPanel’s dominance in shared hosting infrastructure means a single vulnerability affects a disproportionate share of the web. The Register notes that the platform manages roughly 70 million domains, giving CVE-2026-41940 one of the largest surface areas of any actively exploited vulnerability this year. The centralised control-plane architecture—where WebHost Manager provides server-level administration and cPanel handles account-level operations—means successful exploitation yields both horizontal and vertical privilege escalation simultaneously.

Federal agencies face a hard deadline under Binding Operational Directive 22-01, which requires remediation of known-exploited vulnerabilities within 21 days of CISA catalog addition. The May 21 deadline applies to civilian executive branch agencies, but private sector organisations lack equivalent enforcement mechanisms beyond cyber insurance requirements and regulatory frameworks like PCI-DSS or HIPAA.

Immediate Actions
  • Verify that your hosting provider has patched cPanel to a fixed build (122.0.18 or 120.0.22)
  • Review administrative account creation logs from February 23 onwards for anomalous activity
  • Implement IP allowlisting for cPanel/WHM access if it is not already enforced
  • Audit SSH keys and API tokens for unauthorised additions during the exploitation window
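As an added example (not from cPanel or the article), the following script turns the first, second and fourth actions above into checks a tenant or provider could run over their own data. The fixed builds are the two the article names (122.0.18 and 120.0.22); any other branch is reported as "unknown" rather than assumed safe. The audit log format is constructed for the example and is not cPanel's real log layout, so the line parser would need to be adapted to whatever the provider actually exports.

```python
# Added example: remediation checks for the "Immediate Actions" list.
# Version thresholds come from the article; the log format below is constructed.
from datetime import date

# Minimum fixed build per major branch, as stated in the article.
FIXED_BUILDS = {122: (122, 0, 18), 120: (120, 0, 22)}
# Earliest confirmed in-the-wild exploitation, per the article.
EXPLOITATION_START = date(2026, 2, 23)
# Event types worth reviewing for the window (names are constructed).
REVIEW_ACTIONS = {"create_admin", "add_ssh_key", "create_api_token"}


def parse_version(version: str) -> tuple:
    """Parse 'MAJOR.MINOR.BUILD' into an integer tuple; reject anything else."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised cPanel version string {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str):
    """True if the build is at or above the fixed build for its branch,
    False if below it, None if the branch is not one the article lists
    (treat None as 'not verified', never as 'safe')."""
    ver = parse_version(version)
    fixed = FIXED_BUILDS.get(ver[0])
    if fixed is None:
        return None
    return ver >= fixed


def parse_audit_line(line: str):
    """Constructed format: 'YYYY-MM-DD action subject'. Returns (date, action, subject)."""
    day, action, subject = line.split(maxsplit=2)
    y, m, d = (int(x) for x in day.split("-"))
    return date(y, m, d), action, subject


def suspicious_admin_events(lines, since=EXPLOITATION_START):
    """Return review-worthy events dated on or after the exploitation window opened,
    in the order they appear in the log."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        when, action, subject = parse_audit_line(line)
        if action in REVIEW_ACTIONS and when >= since:
            hits.append((when, action, subject))
    return hits


# Constructed sample audit log: two legitimate pre-window events, four inside the window.
SAMPLE_AUDIT = """\
2026-01-15 create_admin ops-bob
2026-02-22 create_admin ops-carol
2026-02-23 create_admin svc-backup2
2026-03-04 add_ssh_key root
2026-03-10 create_admin helpdesk-tmp
2026-04-02 create_api_token root
2026-04-29 login_ok ops-bob
""".splitlines()

if __name__ == "__main__":
    for v in ("122.0.18", "122.0.17", "120.0.22", "118.0.40"):
        print(v, "->", is_patched(v))
    for when, action, subject in suspicious_admin_events(SAMPLE_AUDIT):
        print(f"REVIEW {when} {action} {subject}")
```

The version check deliberately returns a three-valued result: a provider reporting a branch the advisory does not cover should be asked for confirmation rather than silently marked compliant. The event filter is intentionally broad (every privileged-account or credential change since February 23) because, as the article notes, attackers who used the legitimate session mechanism leave few exploitation signatures, so the review has to start from the effects rather than the entry point.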

What to watch

The next two weeks will reveal whether the hosting industry can achieve widespread remediation before the proof-of-concept code drives mass exploitation. Organisations should request patch status confirmation from hosting providers in writing and establish communication channels for future security advisories. The gap between February exploitation and April disclosure suggests detection capabilities failed industry-wide—a more troubling indicator than the vulnerability itself.

Longer term, the incident highlights the fragility of delegated infrastructure security. As cloud and managed hosting consolidate around a handful of platforms, single vulnerabilities gain outsized impact. The cPanel case demonstrates that market-dominant infrastructure software requires threat-monitoring investments proportional to its blast radius—a calculus the industry has not yet internalised. For now, the clock is running: organisations have until May 21 to verify their hosting providers closed a door that was open for two months before anyone noticed.