Cybersecurity experts are raising urgent concerns about a newly identified flaw in the popular server management platforms cPanel and WebHost Manager (WHM).
This vulnerability could allow attackers to seize complete control of affected servers—posing a serious risk to the tens of millions of websites that rely on these tools worldwide.
While many hosting providers have already deployed patches, the developers behind cPanel are urging all users to verify that their systems are fully updated, as the issue impacts every supported version.
cPanel and WHM are widely used to manage critical server functions, including website hosting, email services, databases, and system configurations. Because these platforms operate with deep system-level access, any successful breach could give attackers near-total control over sensitive data and infrastructure.
The flaw, tracked as CVE-2026-41940, enables attackers to bypass authentication remotely and gain direct entry into administrative panels—effectively unlocking full control without valid credentials.

Given how widespread cPanel and WHM are in the hosting ecosystem, unpatched systems could expose a vast number of websites to compromise. Authorities like the Canadian Centre for Cyber Security have warned that the vulnerability is particularly dangerous in shared hosting environments, where multiple sites run on the same server.
The agency emphasized that exploitation is “highly probable,” urging immediate action from both hosting providers and individual users.
Major hosting companies have responded quickly. Namecheap temporarily restricted customer access to cPanel interfaces to limit risk while rolling out fixes, and HostGator classified the issue as a critical authentication bypass and applied patches across its systems.
Meanwhile, KnownHost reported evidence suggesting that attackers may have been probing this vulnerability for months prior to its public disclosure. According to CEO Daniel Pearson, suspicious activity dating back to late February was detected, though no confirmed breaches were identified—only attempted intrusions affecting a limited number of servers.
In response to the broader security concern, cPanel has also issued updates for related tools like WP Squared.
The situation underscores the importance of timely patching and proactive security measures, especially for platforms that sit at the core of web infrastructure.
Source: TechCrunch. Edited by Bernie.