Federal Agencies Ordered to Patch Critical cPanel Vulnerability by Friday
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has directed all federal agencies to patch a critical security vulnerability (CVE-2026-41940) affecting key server and website management systems by May 3rd. The vulnerability affects cPanel & WHM, a Linux-based web hosting control panel from WebPros International that is widely used to manage websites and servers, with millions of domains relying on it.

The incident response team at security firm Rapid7 stated that successful exploitation of the vulnerability could give attackers full control of the host system on which cPanel runs, as well as its configuration, databases, and hosted websites. The flaw has a CVSS score of 9.8 out of 10. Experts warn that attackers could use it to completely compromise servers, steal or tamper with hosted data, and potentially trigger more serious cascading effects, such as large-scale service disruptions.
Multiple cybersecurity companies have pointed out that thousands of cPanel instances exposed to the internet may be affected by the vulnerability. CISA confirmed on Thursday that the vulnerability is being actively exploited in the wild. In addition to releasing a patch, cPanel has launched a tool to help businesses detect whether their environment has been compromised.
The vulnerability was first made public this week by security firm watchTowr, which also released a tool to help defenders identify vulnerable hosts among their assets. Other organizations subsequently disclosed evidence showing that related attack activity had begun as early as February of this year.
U.S. domain registration service Namecheap issued a notice this week informing customers that the measures it is taking to address the vulnerability may temporarily restrict user access to the cPanel and WHM management interface. watchTowr CEO Benjamin Harris said that within hours of cPanel’s initial security announcement, almost all major hosting providers implemented firewall measures that blocked their customers from their own products.
Harris described the situation this way: “Hosting.com, Namecheap, KnownHost, HostPapa, InMotion – everyone slammed on the brakes because the alternative was watching their entire customer base get taken over in a live attack.” He added that it feels like “half the internet is on fire” and that this “new normal” is likely to become increasingly frequent as the use of AI in vulnerability discovery becomes more widespread.