🔒 Security: The cPanel exploit (CVE-2026-41940) - 70M sites may be in danger.

Dopious

Heads up if you’re running cPanel/WHM—there is a massive zero-day currently being exploited in the wild.
A critical authentication bypass was discovered that basically lets an attacker walk straight into your server as root without needing a password. Given that cPanel powers around 70 million sites, the scale of this is huge.
Here’s the timeline:
  • Active Exploitation: Traced back as far as February.
  • The Patch: Released earlier this week.
  • The Aftermath: Shadowserver reported that within just 24 hours of the patch going live, over 44,000 unique IPs were already scanning and hitting servers to exploit this.
If you haven't updated your control panel in the last 48 hours, you need to do it right now. This isn't one to sit on.

If you run cPanel on a private VPS, make sure to update it now.
 
Yep, I noticed my current and previous host don't use cPanel, as a security measure probably.
 
Hacking discussion isn't allowed here, but you posted hacker's solution - they use automation to find vulnerable units... 🥹 Lol!

Everyone is a hacker, not everyone realizes it - Mikel337.
 
Hacking discussion isn't allowed here, but you posted hacker's solution - they use automation to find vulnerable units... 🥹 Lol!

Everyone is a hacker, not everyone realizes it - Mikel337.
There is a difference between discussing hacking and letting people know about a security flaw due to hacking.

@Dopious thread is allowed.
 
Hacking discussion isn't allowed here, but you posted hacker's solution - they use automation to find vulnerable units... 🥹 Lol!

Everyone is a hacker, not everyone realizes it - Mikel337.
So what exactly is not allowed?

Isn't OP just bringing attention to possible exploits? We are all marketers that use cPanel, so I would applaud him for sharing it. So we can secure or back up our data.
 
Isn't OP just bringing attention to possible exploits? We are all marketers that use cPanel, so I would applaud him for sharing it. So we can secure or back up our data.
I think he meant his post as a joke, that's why I laughed at it.
 
So what exactly is not allowed?

Isn't OP just bringing attention to possible exploits? We are all marketers that use cPanel, so I would applaud him for sharing it. So we can secure or back up our data.
I think he meant his post as a joke, that's why I laughed at it.
My ratio of jokes to seriousness is 10:1 these days. I can't run any operation when it's boring and stiff. :ROFLMAO:

Is dangerous practice, gets me warnings and more, but it's like watching real life show! :eek:

Fun fact, they took away my sapphire membership and refunded me money. I didn't ask why... but I have couple guesses. ;)
 
To be fair, cPanel sent out two emails forcing its licence members, or rather urging them, to upgrade earlier this week.

Nice share I think
 
So what exactly is not allowed?

Isn't OP just bringing attention to possible exploits? We are all marketers that use cPanel, so I would applaud him for sharing it. So we can secure or back up our data.
Better to know about the exploits and share the info publicly than to bury our heads in the sand about it.
 
  • Unauthorized access without valid credentials
  • Full administrative/root-level control of the server
  • Access to WHM, cPanel, and Webmail accounts
  • Risk of website defacement, data theft, configuration changes, or malware deployment
As technical details are becoming public, active scanning and exploitation attempts may increase.

Immediate Action Required

If you manage your own server, please perform the following steps immediately:

1. Change All Passwords

We recommend changing:

  • root password
  • All cPanel account passwords
  • All Webmail / Email account passwords
  • WHM reseller/admin passwords (if applicable)

2. Force a cPanel Update Now

Log in to your server via SSH as root and run:

/scripts/upcp --force

3. Run cPanel’s Official Detection Script

Please follow the official cPanel advisory and run the recommended detection script:

https://support.cpanel.net/hc/en-us...940-cPanel-WHM-WP2-Security-Update-04-28-2026

If the detection script returns results, manually delete the flagged session files located in:

/var/cpanel/sessions/raw/

If root access may have been compromised, rotate immediately:

  • SSH keys
  • API tokens
  • Remote access credentials
  • Stored automation credentials

5. Post-Update Security Check

  • 2086 (WHM non-SSL)
  • 2082 (cPanel non-SSL)
  • 2095 (Webmail non-SSL)
  • 2096 (Webmail SSL)

If you are unable to update immediately, restrict access to these ports via firewall rules to only trusted IP addresses.

If you encounter any issues updating your server or need help reviewing logs or securing access, please contact our support team immediately.

==================
This is the solution given to me by my hosting provider, sharing it here too if it can help others.
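
The port-restriction fallback from the provider's notice quoted above, as an added example that is not part of the thread, the provider's notice or cPanel's own tooling: it reads `ss -Hltn` output, finds which of the four listed ports listen on a non-loopback address, and prints iptables rules limiting them to trusted IPv4 sources. The sample `ss` lines are constructed, `203.0.113.10` is a placeholder address, and the function names are illustrative.

```sh
#!/bin/sh
# Added example: not cPanel's detection script and not the provider's tooling.
PANEL_PORTS="2082 2086 2095 2096"   # the four ports named in the notice

# Constructed sample of `ss -Hltn` output; on a real server pipe the command in.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:2086 0.0.0.0:*
LISTEN 0 128 0.0.0.0:2082 0.0.0.0:*
LISTEN 0 128 127.0.0.1:2095 0.0.0.0:*
LISTEN 0 128 [::]:2096 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# exposed_ports: read `ss -Hltn` lines on stdin and print each panel port that
# listens on a non-loopback address (field 4 is Local Address:Port).
exposed_ports() {
  awk -v ports="$PANEL_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    {
      port = $4; sub(/.*:/, "", port)       # text after the last colon
      host = $4; sub(/:[^:]*$/, "", host)   # text before the last colon
      if (!(port in want)) next
      if (host ~ /^127\./ || host == "[::1]") next
      print port
    }' | sort -un
}

# restrict_rules PORT SRC...: print (never run) iptables commands that accept
# PORT from each valid IPv4 address or CIDR and drop every other source.
restrict_rules() {
  port=$1; shift
  for src in "$@"; do
    printf '%s\n' "$src" |
      grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || {
        echo "skipping invalid source: $src" >&2; continue; }
    echo "iptables -A INPUT -p tcp --dport $port -s $src -j ACCEPT"
  done
  echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# plan SRC...: rules for every exposed panel port found in the ss output on stdin.
plan() {
  exposed_ports | while read -r p; do restrict_rules "$p" "$@"; done
}

# Stand-alone run on the constructed sample; 203.0.113.10 is a placeholder.
printf '%s\n' "$SAMPLE_SS" | plan 203.0.113.10
```

The printed rules are appended with `-A`, so an earlier ACCEPT rule for the same port in the INPUT chain would still win and has to be removed or reordered. A listener on `[::]` also needs the equivalent `ip6tables` rules, which this sketch does not generate.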
 