Critical cPanel bug leaves 1.5 million servers vulnerable to total takeover
- Marijan Hassan - Tech Journalist
Cybersecurity experts are sounding the alarm over a critical authentication-bypass vulnerability in cPanel & WHM, the world’s most popular web hosting control panel, which has left an estimated 1.5 million servers exposed to complete administrative takeover.

The flaw, tracked as CVE-2026-41940 and rated critical with a severity score of 9.8 out of 10, allows unauthenticated remote attackers to bypass the login entirely and obtain "root" access to the server. Root on a shared host means control over the website files, databases, and SSL certificates (including their private keys) of every site hosted on that server, not just one account.
Exploited as a zero-day for months
cPanel released emergency patches on April 28, 2026, but evidence suggests the vulnerability had already been exploited in the wild as a zero-day since at least February 23, 2026. The Cybersecurity and Infrastructure Security Agency (CISA) has added the bug to its Known Exploited Vulnerabilities catalog, confirming that threat actors are actively using it to compromise systems.
Security firm watchTowr Labs, which published a technical breakdown of the exploit, described the bug as a failure in how the cPanel service daemon (cpsrvd) handles session files. By injecting specific characters into an authorization header, an attacker can cause the server to write a "root" session file to disk, handing them the "keys to the kingdom" without ever supplying a password. Because the login step is skipped rather than defeated, strong administrative passwords do not mitigate the bug; only the patch does.
Impact on Global Hosting Infrastructure
The scale of the threat is immense. According to Rapid7, Shodan scans show over a million internet-facing cPanel instances. Major hosting providers including Namecheap, HostGator, and KnownHost took the extraordinary step of temporarily blocking access to the cPanel and WHM ports (2083 for cPanel and 2087 for WHM, both over TLS) this week to protect customers while they scrambled to deploy patches.
The vulnerability affects all supported versions of cPanel & WHM released since late 2023, as well as the WP Squared WordPress management tool.
What Site Owners and Admins Must Do
If you manage a Linux server or use shared hosting, the following steps are critical:
Verify patch version: Ensure your server is running one of the fixed versions for its release branch: 11.136.0.5, 11.134.0.20, 11.132.0.29, 11.130.0.19, 11.126.0.54, or a higher build of the same branch. If you are on shared hosting, ask your provider which version they are running.
Audit for compromise: Admins should check access logs for suspicious activity around login endpoints and audit session files created since February 23, 2026, the earliest known exploitation date. Patching closes the hole but does not evict an attacker who already has a root session.
Credential rotation: If a server was exposed while vulnerable, rotate all administrative passwords and API tokens immediately, and treat any private keys stored on the server, including SSL certificate keys, as exposed.
Restrict network access: Where possible, limit access to the cPanel/WHM interfaces (ports 2083 and 2087) to known IP addresses or a VPN to reduce the internet-facing attack surface. This is a stopgap, not a substitute for the patch.
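As an added example (not code from the article, cPanel or watchTowr), the following Python script applies the fixed-version list above to an installed version string, comparing within the release branch rather than across branches, which is where hand checks usually go wrong. It assumes the installed version is stored in /usr/local/cpanel/version; that path is an assumption here, and a branch the article does not list is reported as such rather than guessed at.

```python
"""Check an installed cPanel & WHM version against the fixed builds listed above.

Added example; not code from cPanel, watchTowr or the article.
Assumptions: the installed version string lives in /usr/local/cpanel/version
(an assumption, not taken from the article), and within one release branch any
build at or above the listed fixed build counts as patched ("or higher").
"""
from pathlib import Path

# Fixed builds from the article, keyed by release branch (the second field).
FIXED_BUILDS = {
    136: "11.136.0.5",
    134: "11.134.0.20",
    132: "11.132.0.29",
    130: "11.130.0.19",
    126: "11.126.0.54",
}

# Assumed location of the installed version string on a cPanel host.
VERSION_FILE = "/usr/local/cpanel/version"


def parse_version(text):
    """Turn '11.136.0.5' into (11, 136, 0, 5) so tuples compare numerically."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a cPanel version string: {text!r}")
    return tuple(int(p) for p in parts)


def patch_status(version_text):
    """Return 'patched', 'vulnerable' or 'unlisted-branch' for one version string.

    'unlisted-branch' covers branches the article does not name (for example
    a branch older than 126 or newer than 136); consult the vendor advisory
    for those instead of assuming either way.
    """
    installed = parse_version(version_text)
    branch = installed[1]
    fixed_text = FIXED_BUILDS.get(branch)
    if fixed_text is None:
        return "unlisted-branch"
    return "patched" if installed >= parse_version(fixed_text) else "vulnerable"


def read_installed_version(path=VERSION_FILE):
    """Read the version string from the assumed version file, or None if unreadable."""
    try:
        return Path(path).read_text().strip()
    except OSError:
        return None


def check_host(path=VERSION_FILE):
    """Check the local host; returns (version, status), or (None, None) if unreadable."""
    version = read_installed_version(path)
    if version is None:
        return None, None
    return version, patch_status(version)


if __name__ == "__main__":
    # Constructed sample inputs so the logic can be exercised off a cPanel box.
    for sample in ("11.136.0.5", "11.136.0.4", "11.130.1.0", "11.128.0.10"):
        print(f"{sample:14} -> {patch_status(sample)}")
    version, status = check_host()
    if version is None:
        print("no cPanel version file found at", VERSION_FILE)
    else:
        print(f"installed {version} -> {status}")
```

Run it as root on the host itself; a "vulnerable" result means the server should be treated as exposed since February 23, 2026, and the audit and credential-rotation steps above apply regardless of whether it has since been patched.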