A threat actor moved fast. Within hours of public disclosure, they weaponized CVE-2026-41940, a critical authentication bypass in cPanel and WebHost Manager. Governments in Southeast Asia felt the hit first—Philippine military domains, Laotian officials. Managed service providers followed in Canada, South Africa, the U.S. Full root access. No credentials needed.
Researchers at Ctrl-Alt-Intel spotted the activity on May 2. The actor, tracing back to IP 95.111.250.175, grabbed public proof-of-concepts from GitHub. One script from WatchTowr Labs chains the bypass straight to remote code execution. Another checks session validity. From there? AdaptixC2 for command-and-control. OpenVPN and Ligolo for tunneling into internal networks. Systemd timers for persistence. And exfiltration: a trove of Chinese railway documents.
But this wasn’t isolated. Shadowserver Foundation logged 44,000 unique IPs scanning on April 30 alone. That number plunged to 3,540 by May 3 as patches rolled out—or servers fell silent. “The script uses hard-coded credentials and defeats the portal’s CAPTCHA by reading the expected CAPTCHA value out of the server-issued session cookie,” Ctrl-Alt-Intel reported. SQL injection followed on a separate Indonesian defense site. Ransomware named “Sorry” appeared post-breach. Mirai botnet variants scanned onward.
cPanel powers millions. Shodan counts 1.5 million exposed instances. CVSS score: 9.8. The flaw stems from a CRLF injection in session writing, paired with an encryption skip via malformed cookies. cPanel’s session caching then elevates the injected data, dodging all checks—passwords, two-factor. Pre-patch exploitation stretched back to February, per Picus Security. CISA slotted it into its Known Exploited Vulnerabilities catalog. Federal agencies got 21 days to patch.
And exploitation surged. Cybersecurity Dive noted brute-force waves and ransomware climbs as of May 4. Multiple actors piled on, Help Net Security confirmed that same day. Public PoCs accelerated the mess. Hosts like Namecheap and HostGator pushed mitigations. Some providers shut down services temporarily.
Picus breaks it down technically. Attackers trigger the CRLF injection during login attempts, smuggling malicious headers into the session file. A crafted cookie skips encryption. Boom—privileged session. Affected versions span cPanel & WHM up to 11.86.0.40, and WP Squared as well. Patches landed April 28: 11.86.0.41 fixes it. cPanel’s advisory urges immediate updates, credential rotation, and session directory triage. They shipped a detection script and indicators of compromise.
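To make the bug class concrete, here is an added illustration that is not cPanel's code, not the Picus analysis, and not tied to cPanel's real session format: a toy line-oriented session store where each field is written as one `key=value` line. The field names (`user`, `privilege`) and the sample values are constructed. It shows why a value containing a newline corrupts the record, how a reader that takes the last value for a duplicated key ends up elevating the injected line, the hardened writer that refuses control characters, and a triage helper of the kind the advisory's "session directory" review calls for.

```python
import re

# Characters that can terminate a record in a line-oriented session file.
CONTROL_CHARS = re.compile(r"[\r\n\x00]")


def has_control_chars(value):
    """True if a key or value carries CR, LF or NUL."""
    return CONTROL_CHARS.search(str(value)) is not None


def serialize_session_naive(fields):
    """Toy line-oriented session writer (constructed, not cPanel's format).

    Each field becomes one ``key=value`` line. A value that itself contains a
    newline is written verbatim, so whatever follows the newline is read back
    as a separate field. That is the CRLF-injection pattern the article
    describes."""
    return "".join(f"{key}={value}\n" for key, value in fields.items())


def serialize_session_safe(fields):
    """Hardened writer: reject any key or value carrying CR, LF or NUL before
    it reaches disk, so one field can never span more than one line."""
    for key, value in fields.items():
        if has_control_chars(key) or has_control_chars(value):
            raise ValueError(f"control character in session field {key!r}")
    return serialize_session_naive(fields)


def parse_session(blob):
    """Read a session blob back. Last value wins on duplicate keys, which is
    exactly why an injected trailing line can override an earlier one."""
    session = {}
    for line in blob.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            session[key] = value
    return session


def find_duplicate_keys(blob):
    """Triage helper for stored session files: a key that appears more than
    once is a strong sign that a value smuggled in extra lines."""
    seen = {}
    for line in blob.splitlines():
        if "=" in line:
            key = line.split("=", 1)[0]
            seen[key] = seen.get(key, 0) + 1
    return sorted(k for k, n in seen.items() if n > 1)


if __name__ == "__main__":
    # Constructed input: the login name carries an embedded newline.
    tainted = {"privilege": "user", "user": "alice\nprivilege=root"}

    blob = serialize_session_naive(tainted)
    print("naive writer produced:", repr(blob))
    print("parsed privilege:", parse_session(blob)["privilege"])   # root
    print("duplicate keys:", find_duplicate_keys(blob))            # ['privilege']

    try:
        serialize_session_safe(tainted)
    except ValueError as err:
        print("hardened writer refused it:", err)
```

The hardened writer is the fix for the write side; `find_duplicate_keys` is the read-side check an operator can run across a directory of existing session files to spot records that were already tampered with before the patch went on.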
NetSPI adds context. Root-level admin access means total control: websites, databases, customer data. All gone. Their analysis stresses blocking ports 2083 and 2087 as interim defense. Restart services post-patch. Review access logs for anomalies like rapid logins from odd IPs.
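The log review NetSPI recommends is easy to script. The following is an added example, not NetSPI's tooling and not cPanel's detection script: it parses web access-log lines in the common NCSA combined style and flags any source IP that posts to the login endpoint more than a threshold number of times inside a sliding window, noting whether the burst ended in a successful response. The sample lines, the addresses, and the `/login/` path are constructed; cPanel's real log layout and login path may differ, so the regex and `login_path` are assumptions to adjust for a real deployment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Apache/NCSA combined style. Addresses, timestamps
# and the request path are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [02/May/2026:10:15:01 +0000] "POST /login/ HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [02/May/2026:10:15:02 +0000] "POST /login/ HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [02/May/2026:10:15:02 +0000] "POST /login/ HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [02/May/2026:10:15:03 +0000] "POST /login/ HTTP/1.1" 200 1024 "-" "curl/8.0"
198.51.100.4 - - [02/May/2026:10:20:00 +0000] "POST /login/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.4 - - [02/May/2026:10:45:00 +0000] "GET /frontend/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Assumed combined-log layout: client, ident, user, [timestamp], "request", status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def rapid_login_bursts(lines, window=timedelta(seconds=60), threshold=3,
                       login_path="/login/"):
    """Flag IPs that POST to the login endpoint `threshold` or more times
    inside any `window`. Returns {ip: {"attempts": n, "succeeded": bool}},
    where `succeeded` means a 200 appeared within the flagged burst."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, status)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        q = recent[rec["ip"]]
        q.append((rec["ts"], rec["status"]))
        # Drop entries that have fallen out of the sliding window.
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            prev = flagged.get(rec["ip"], {"attempts": 0, "succeeded": False})
            flagged[rec["ip"]] = {
                "attempts": max(prev["attempts"], len(q)),
                "succeeded": prev["succeeded"] or any(s == 200 for _, s in q),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in rapid_login_bursts(SAMPLE_LOG.splitlines()).items():
        verdict = "and got in" if info["succeeded"] else "without success"
        print(f"{ip}: {info['attempts']} login posts within 60s {verdict}")
```

A burst that ends in a 200 from an address with no prior history is the pattern worth escalating first; combine the output with the interim port restrictions on 2083 and 2087 and the post-patch service restart the article describes.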
So what now? Hosting firms scramble. Reddit threads buzz with sysadmins ditching cPanel for alternatives—free panels, custom stacks. One user reported a fresh dedicated server hacked overnight. Another: nuclear botnets backing up entire partitions before encrypting. “Your IT admin is rightful to be furious,” a r/cpanel poster quipped about the “Sorry” ransomware fallout.
Censys uncovered the weaponization evidence. Their blog maps the attack chain. Aviatrix Threat Research Center watched pivots through clouds, pushing runtime segmentation as containment. On X, alerts flew: “Patch NOW,” from CyHawk Africa. DarkRelay Labs linked a fresh PoC repo.
GovInfoSecurity highlighted the shared-hosting peril. Millions of sites ride these rails. A single breach ripples. CISA’s directive underscores federal exposure. Yet patches exist. Detection tools too. The window? Narrowing, but not closed. Threat actors adapt. PoCs spread. Brute-force lingers.
Operators can’t wait. Update. Monitor. Assume breach if unpatched. cPanel’s ubiquity made this a prime target. Speed from disclosure to exploit—24 hours—shows the new normal. Root access handed over on a platter. Servers worldwide still blink vulnerable on scanners. Fix it. Today.


WebProNews is an iEntry Publication