cPanel Just Got Owned. Patching Won’t Save the Servers Already Compromised

CVE-2026-41940 — CVSS 9.8 — actively exploited since at least 23 February 2026, weeks before cPanel even shipped a fix on 28 April.
If you run anything behind cPanel or WHM, stop reading marketing emails and read this.
What actually happened
cPanel disclosed a critical authentication bypass in all supported versions of cPanel & WHM, caused by a CRLF injection flaw in the login and session-loading flow. Translation: an unauthenticated attacker on the internet can skip the login screen entirely and walk straight into WHM with root-level administrative access to the host.
This is not “a customer site got defaced.” WHM controls the entire server — every hosted site, every database, every email account, every credential file, every cron job. One bypass, full root.
The fallout so far:
- The Shadowserver Foundation observed roughly 44,000 IP addresses mass-scanning and exploiting vulnerable hosts on 30 April alone.
- Censys found 8,859 hosts already exposing files with a .sorry extension — the signature of a Go-based Linux ransomware strain dropped via this bug.
- CISA added the CVE to its Known Exploited Vulnerabilities catalog and set a hard 3 May patch deadline for US federal agencies.
- Namecheap, KnownHost, HostPapa, InMotion, and hosting.com all firewalled customer access to ports 2083/2087 because the alternative was watching their entire customer base get encrypted in real time.
- An estimated 1.5 to 2 million cPanel instances are exposed to the internet. A meaningful share were compromised before the patch existed.
The uncomfortable part
Patching closes the door. It does not evict an attacker who walked through it three weeks ago and dropped SSH keys, cron jobs, sudoers backdoors, and API tokens behind your back.
Help Net Security and multiple incident responders have said the quiet part out loud: if you find indicators of compromise, rebuilding from clean backups is the only safe path. Cleaning a rooted cPanel host in place is a losing game. You will miss something.
This raises the real question: are your backups actually clean, recent, and restorable? For most shared-hosting and SMB environments, the honest answer is no.
Where CloudTechtiq + Acronis Cyber Protect fits
This is not a pitch for “buy backups, problem solved.” Backups that sit online, writable, on the same host as the cPanel server are useless against a ransomware operator with root — they will be encrypted along with everything else. That’s exactly what’s happening to victims right now.
What you need, specifically:
- Immutable, air-gapped backup storage. Acronis Cyber Protect supports immutable backup destinations and off-host cloud targets, so a rooted server cannot delete or encrypt its own recovery point.
- Anti-ransomware behavioural defence (Active Protection). Detects encryption activity in flight and rolls back affected files — useful on hosts that get hit before patching completes.
- Bare-metal and full-image restore. When a cPanel server is confirmed compromised, you do not “clean” it. You wipe it and restore the entire image to a fresh build. Acronis is built for this; file-only backups are not.
- Forensic snapshots for incident response. Pre-incident images let you investigate what the attacker did instead of guessing.
CloudTechtiq deploys this stack as a managed service — Acronis Cyber Protect Cloud with off-region immutable storage, scheduled image-level backups for cPanel/WHM hosts, ransomware monitoring, and tested restore drills. Tested. The number of organisations that own backup software and discover during an actual incident that their last successful restore was 18 months ago is not small.
What to do this week
- Confirm the patch landed. Run /usr/local/cpanel/cpanel -V and verify the build matches a fixed release. If you are on a managed host, get written confirmation.
- Audit logs from 28 April backwards to at least 23 February for unexpected WHM logins, new accounts, new SSH keys, and new cron entries.
- If anything looks wrong — assume compromise. Do not try to clean it.
- Move backups off the host. Move them to immutable storage. Test a restore.
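The first two steps of that checklist, as an added example (not code from the original post, from cPanel, or from CloudTechtiq): a small Python triage script that normalises the version string printed by /usr/local/cpanel/cpanel -V and compares it with a minimum fixed build, then lists files under the usual persistence locations (SSH keys, sudoers drop-ins, cron, API tokens) whose modification time falls inside the exploitation window that started 23 February. The fixed build number is a placeholder to be taken from cPanel's advisory, the version string formats and the API token directory are assumptions, and the sample host tree the script scans is constructed in a temporary directory so it runs offline.

```python
"""Post-patch triage helper for a cPanel/WHM host.

Added example, not part of the original post and not code from cPanel or
CloudTechtiq.  It does two things the checklist asks for:
  1. parses the version string printed by `/usr/local/cpanel/cpanel -V`
     and compares it with a minimum fixed build;
  2. lists files under common persistence locations whose modification
     time falls inside the exploitation window, as a starting point for
     the log audit (not a substitute for it).
"""
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Earliest known exploitation date from the coverage of this CVE.
EXPOSURE_START = datetime(2026, 2, 23, tzinfo=timezone.utc)

# PLACEHOLDER: take the first fixed build from cPanel's own advisory.
# Shape is (major, minor, build), the same shape parse_version() returns.
MIN_FIXED_VERSION = (0, 0, 0)

# Locations a root-level intruder commonly uses for persistence; the post
# names SSH keys, cron jobs, sudoers backdoors and API tokens.  Relative to
# the filesystem root so the scan can also run against a mounted image.
PERSISTENCE_PATHS = [
    "root/.ssh",
    "etc/sudoers.d",
    "etc/cron.d",
    "var/spool/cron",
    "var/cpanel/authn/api_tokens_v2",  # ASSUMPTION: cPanel API token store path
]


def parse_version(text: str) -> tuple:
    """Normalise a cPanel version string to (major, minor, build).

    ASSUMPTION about formats: `cpanel -V` prints e.g. "124.0 (build 6)",
    while /usr/local/cpanel/version holds e.g. "11.124.0.6"; both map to
    (124, 0, 6).
    """
    nums = [int(n) for n in re.findall(r"\d+", text)]
    if len(nums) == 4 and nums[0] == 11:  # drop the legacy "11." prefix
        nums = nums[1:]
    if len(nums) != 3:
        raise ValueError(f"unrecognised cPanel version string: {text!r}")
    return tuple(nums)


def is_fixed(version_text: str, min_fixed: tuple = MIN_FIXED_VERSION) -> bool:
    """True when the host runs the minimum fixed build or newer."""
    return parse_version(version_text) >= min_fixed


def scan_persistence(root: Path, since: datetime) -> list:
    """Return (relative path, mtime ISO) for regular files under the
    persistence locations modified at or after `since`.  A root-level
    attacker can reset mtimes, so an empty result proves nothing; a
    non-empty result is simply where to look first.
    """
    cutoff = since.timestamp()
    hits = []
    for rel in PERSISTENCE_PATHS:
        top = root / rel
        if not top.exists():
            continue
        for p in top.rglob("*"):
            if p.is_file() and p.stat().st_mtime >= cutoff:
                stamp = datetime.fromtimestamp(p.stat().st_mtime, timezone.utc)
                hits.append((p.relative_to(root).as_posix(), stamp.isoformat()))
    return sorted(hits)


def build_sample_tree(base: Path) -> Path:
    """Constructed sample host layout: two files predating the window and
    two dropped inside it.  File contents are placeholders."""
    old = datetime(2025, 12, 1, tzinfo=timezone.utc).timestamp()
    new = datetime(2026, 3, 10, tzinfo=timezone.utc).timestamp()
    samples = {
        "root/.ssh/authorized_keys": old,
        "etc/cron.d/nightly_backup": old,
        "root/.ssh/authorized_keys2": new,  # constructed: key added in the window
        "var/spool/cron/root": new,         # constructed: cron entry added in the window
    }
    for rel, ts in samples.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("# constructed sample content\n")
        os.utime(p, (ts, ts))
    return base


def run_demo() -> list:
    """Build the constructed tree in a temp dir and return flagged paths."""
    base = build_sample_tree(Path(tempfile.mkdtemp()))
    return [path for path, _ in scan_persistence(base, EXPOSURE_START)]


if __name__ == "__main__":
    print("fixed build?", is_fixed("124.0 (build 6)"))  # against the placeholder
    for path in run_demo():
        print("modified inside exposure window:", path)
    # On a real host: scan_persistence(Path("/"), EXPOSURE_START)
```

Run the scan against a mounted image of the host (Path to the mount point) rather than the live system where you can, and treat its output as a list of things to read, not a verdict: the checklist's log audit of WHM logins and account changes still has to happen, and anything the scan turns up is a reason to follow the post's advice and rebuild rather than clean.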
The servers already breached are not getting saved by a patch. They are getting saved by a backup that the attacker could not reach.
CloudTechtiq provides managed Acronis Cyber Protect deployments for cPanel/WHM, VPS, and dedicated server environments. Talk to the team if your current backup story is “we have backups somewhere.”