It is unclear when exploitation started, but KnownHost, a hosting provider that uses cPanel, said the day the vulnerability was disclosed that “successful exploits have been seen in the wild” before a fix became available.
However, KnownHost CEO Daniel Pearson stated that the company has “seen execution attempts as early as 2/23/2026.”
That’s nice! So … we’ve possibly been under attack for months, because now it’s May, and this potentially started in February? 30-60 days is fine, but a company that really screwed up by breaking a bunch of shit and causing lots of problems later doesn’t seem to have learned its lesson.
Remember when I blogged about how important mailing lists are and how cPanel broke shit so bad that our lists were basically useless?
They’re now claiming that they didn’t want to fix this, but pressure made them, and I’m talking about this current situation now, not the other one.
The article says:
cPanel released a fix on April 28, following pressure from hosting providers. To protect customers, Namecheap temporarily blocked connections to cPanel and WHM ports 2083 and 2087 until patches became available.
So cPanel, I’ll get off my soap box a minute and ask you a very serious question. Were you planning to fix this if you weren’t being pressured to do so? I’m thinking that the answer, in my honest opinion, is “no.” I’m not going to say whether I’m right or not, but I think not.
According to Rapid7, Shodan internet scans show that there are approximately 1.5 million cPanel instances exposed online. However, there is no data on how many are vulnerable to CVE-2026-41940.
The fix is to block connections to ports 2083 and others discussed. The problem is that our browsers go to these ports by default when we go to example.com/cpanel and example.com/whm respectively. If that’s the case, then the question becomes “How are we going to log in?”
cPanel has updated its security advisory, noting that the vulnerability also impacts WP Squared, a comprehensive management panel for WordPress hosting built on cPanel. Furthermore, unlike initially stated, only cPanel versions after 11.40 are affected by the security issue.
According to the article, this affects many versions of 11, but I show my server is running 134.0.23. So … does that mean we’re OK? We’ve been in the 100x series since I wrote that blog post about the mailing list trouble … way back then.
The vendor strongly recommends that all customers restart the ‘cpsrvd’ service after installing the latest releases of the software:
Thanks for telling us exactly what to restart. People will appreciate that.
Remember when I said that you should disable ports earlier? Eat this paragraph and crunch on it.
If patching isn’t immediately possible, customers should at least block external access to ports 2083, 2087, 2095, and 2096, or stop the cpsrvd and cpdavd cPanel internal core services.
Will that actually block legitimate log ins from someone who needs to manage their account infrastructure or even their domain?
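One way to block external access to the four ports quoted above while still letting administrators log in from known addresses, as an added example (not from the article, cPanel, or this blog). It assumes the host filters with plain IPv4 iptables; the chain name CPANEL_GUARD and the sample addresses are made up for illustration, and the script only prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: emit (not apply) iptables rules that restrict the cPanel/WHM
# ports named in the quoted mitigation to a trusted admin allowlist.
# Assumptions: plain IPv4 iptables; CPANEL_GUARD is a hypothetical chain name.

CPANEL_PORTS="2083,2087,2095,2096"   # ports listed in the quoted advice
CHAIN="CPANEL_GUARD"

# Accept only characters that can appear in an IPv4 address or CIDR, so a
# source argument can never smuggle extra shell or iptables syntax.
valid_source() {
  case "$1" in
    ""|*[!0-9./]*) return 1 ;;
    *) return 0 ;;
  esac
}

# gen_rules ADMIN_SOURCE... -> prints iptables commands, one per line.
gen_rules() {
  [ "$#" -gt 0 ] || { echo "need at least one admin source" >&2; return 2; }
  # Validate everything first so a bad argument yields no partial rule set.
  for src in "$@"; do
    valid_source "$src" || { echo "bad source: $src" >&2; return 2; }
  done
  echo "iptables -N $CHAIN"
  # Local services (loopback) keep working.
  echo "iptables -A $CHAIN -i lo -j RETURN"
  # RETURN hands allowlisted traffic back to the existing INPUT rules
  # instead of bypassing them with a blanket ACCEPT.
  for src in "$@"; do
    echo "iptables -A $CHAIN -s $src -j RETURN"
  done
  echo "iptables -A $CHAIN -j DROP"
  # Hook the chain in first, and only for the cPanel/WHM ports.
  echo "iptables -I INPUT -p tcp -m multiport --dports $CPANEL_PORTS -j $CHAIN"
}

# Stand-alone use: sh cpanel_guard.sh 203.0.113.10 198.51.100.0/24
if [ "$#" -gt 0 ]; then
  gen_rules "$@"
fi
```

Everyone outside the allowlist, legitimate account holders included, loses access to cPanel, WHM and webmail on those ports until the rules are removed, which is the trade-off the mitigation accepts until the patch is installed.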
Finally,
The vendor also provided a detection script to check for compromise. If indicators are found, it’s recommended to purge sessions, reset all credentials, audit logs, and investigate persistence mechanisms.
watchTowr has also published a Detection Artifact Generator script that can be used to verify if cPanel and WHM instances are vulnerable to CVE-2026-41940.
For all of the details, read the full article, Critical cPanel and WHM bug exploited as a zero-day, PoC now available.