Security experts have raised concerns about a newly identified vulnerability in cPanel and WebHost Manager (WHM), software integral to web server management and used by millions globally. The flaw potentially enables malicious actors to seize complete control of servers running affected versions of the software.
While several commercial web hosting services have already rolled out patches to protect their clients, the developers of cPanel have urged all users to make sure their systems are updated, given that the vulnerability can impact any supported version of the software.
cPanel and WHM are critical tools for managing web servers, handling everything from website hosting to email management and essential configurations for internet domains. Because these tools hold such extensive access privileges, a successful exploit could give attackers unfettered access to the sensitive data they manage.
The vulnerability, tracked as CVE-2026-41940, allows attackers to bypass the login interface, granting them unrestricted access to the software’s administrative controls. Given the prevalence of cPanel and WHM across web hosting services, numerous websites could be compromised if they remain unpatched.
Canada’s national cybersecurity authority has issued an alert regarding the issue, indicating the bug’s exploitation is “highly probable” and urging immediate attention from cPanel users and their hosting providers to avert unauthorized access.
In response to the vulnerability, Namecheap has temporarily restricted access to its customers’ cPanel panels as a precautionary measure while it implements necessary repairs. Similarly, HostGator describes the vulnerability as a “critical authentication-bypass exploit” and has confirmed it has applied the necessary patches to its systems.
Some reports suggest that the vulnerability may have been exploited for months prior to its detection. Daniel Pearson, CEO of KnownHost, indicated that his company had observed attempts to exploit this flaw dating back to late February. KnownHost took pre-emptive measures, briefly blocking access to customer systems before applying updates. He reported that around 30 servers showed signs of suspicious access attempts, though no confirmed breaches have been detected. Additionally, cPanel has released a security update for WP Squared, another tool for managing WordPress sites, highlighting the broad implications of this vulnerability across different applications.
Action by cPanel customers is urgent as the frequency of attempted breaches grows, and web hosts need to prioritize security updates in light of this severe risk.


