Hackers Weaponize New cPanel Flaw In Global Cyberattack Wave

By 813 Staff

There’s a familiar rhythm to the spring security patch cycle: vendors push updates, everyone breathes a sigh of relief, and then the real work begins in the shadows. That cycle just accelerated dramatically. Internal documents circulating among hosting providers and security teams confirm that attackers have begun actively exploiting a critical authentication bypass vulnerability in cPanel, tracked as CVE-2026-41940. The flaw, which allows remote attackers to bypass authentication mechanisms in the widely used web hosting control panel, was disclosed just days ago. Now, according to a breaking alert from BleepingComputer (@BleepinComputer), exploit code is already being weaponized in the wild.

The vulnerability sits in cPanel’s login processing engine, specifically in how it handles session tokens during the authentication handshake. Engineers close to the project say the bug effectively lets an unauthenticated attacker impersonate any legitimate user, including the root administrator, without needing credentials. The rollout of the patch has been anything but smooth. While cPanel issued a hotfix on April 28 for version 114.0.23 and later, many hosting providers—particularly smaller shops that rely on automated update scripts—have reported delays in deployment. Security researchers monitoring dark web forums have already observed proof-of-concept code being traded, and at least one ransomware group has added the flaw to its exploit toolkit.

Why this matters for the 813 audience is straightforward: millions of websites run on cPanel-powered servers, from small e-commerce stores to enterprise-level hosting environments. A full compromise of the control panel means an attacker can deploy web shells, steal database credentials, and pivot to every site on that server. BleepingComputer’s reporting confirms that at least two targeted attacks have been documented in the last 24 hours, with victims in the United States and Europe. The exact scope of the exploitation is still unconfirmed, but threat intelligence firms are now flagging the flaw as a high-priority risk.

What happens next is a race against the clock. cPanel is expected to push an emergency security bulletin later today, but the window for remediation is shrinking fast. Security teams should immediately verify that their installations are running version 114.0.23 or newer, and audit authentication logs for any unusual session creation events. For the rest of us, this is yet another reminder that the gap between disclosure and exploitation is measured in hours, not weeks. The 2026 cPanel crisis is already here—it just hasn’t hit every server yet.
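For teams running more than a handful of servers, the version check above can be run against an inventory instead of host by host. The script below is an added example, not cPanel tooling and not from the source report: it compares recorded versions against the 114.0.23 threshold named in this article. The three version formats it accepts and the sample inventory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not cPanel tooling. Threshold is the version named in the article.
MIN_VERSION="114.0.23"

# Reduce a recorded version to "major.minor.build". Assumed input forms:
# "114.0.23", "11.114.0.23" (legacy "11." prefix), "114.0 (build 23)".
normalize_version() {
    v=$(printf '%s\n' "$1" | sed \
        -e 's/ *(build *\([0-9][0-9]*\)) *$/.\1/' \
        -e 's/^11\.\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)$/\1/')
    printf '%s\n' "$v" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' || return 1
    printf '%s\n' "$v"
}

# Exit 0 if $1 >= $2, 1 if older, 2 if either string cannot be parsed.
version_ge() {
    a=$(normalize_version "$1") || return 2
    b=$(normalize_version "$2") || return 2
    old_ifs=$IFS; IFS=.
    set -- $a $b          # six numeric fields: a1 a2 a3 b1 b2 b3
    IFS=$old_ifs
    if   [ "$1" -gt "$4" ]; then return 0
    elif [ "$1" -lt "$4" ]; then return 1
    elif [ "$2" -gt "$5" ]; then return 0
    elif [ "$2" -lt "$5" ]; then return 1
    elif [ "$3" -ge "$6" ]; then return 0
    else return 1
    fi
}

# stdin: "host version..." per line. Prints hosts that need attention;
# unparseable versions are reported rather than assumed patched.
audit_inventory() {
    while read -r host ver; do
        [ -n "$host" ] || continue
        rc=0; version_ge "$ver" "$MIN_VERSION" || rc=$?
        case $rc in
            1) printf '%s UNPATCHED %s\n' "$host" "$ver" ;;
            2) printf '%s UNKNOWN %s\n' "$host" "$ver" ;;
        esac
    done
}

# Constructed sample inventory (hostnames and versions are made up).
audit_inventory <<'EOF'
web01 114.0.23
web02 11.114.0.22
web03 114.0 (build 25)
web04 112.0.9
web05 n/a
EOF
```

Hosts reported as UNKNOWN should be checked by hand, since a version that cannot be read is not evidence that the update was applied.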

Source: https://x.com/BleepinComputer/status/2050696597499978190
