A critical-severity authentication bypass vulnerability in cPanel and WHM has been under active exploitation as a zero-day since at least February 2026. Tracked as CVE-2026-22621 on https://cve.org, the flaw allows an unauthenticated attacker to bypass login protections and gain administrative access to the cPanel and Web Host Manager interfaces. Security researchers at GreyNoise first detected widespread scanning and exploitation attempts in early March, but evidence now shows that the first attacks began months earlier, targeting vulnerable web hosting servers worldwide.
Vulnerability Overview
The vulnerability resides in the authentication mechanism that handles session tokens. An attacker can craft a special request that tricks the cPanel application into granting full admin privileges without valid credentials. Once inside, adversaries can modify hosting configurations, install backdoors, steal sensitive data from hosted accounts, or use the compromised server as a launchpad for further attacks. Web hosting providers running unpatched versions of cPanel and WHM are especially at risk, as a single breach can expose thousands of customer websites.
Exploitation Timeline
cPanel released a security update on April 15, 2026, that patches the vulnerability. However, many servers remain vulnerable because administrators either delayed the patch or are unaware of the rapid exploitation timeline. SecurityWeek has confirmed that proof-of-concept exploit code is now publicly available, which will almost certainly lead to an increase in automated attacks. Organizations using cPanel or WHM should verify their software version immediately and apply the latest patch if they have not done so.
Mitigation Steps
This incident highlights how quickly wide-scale exploitation now follows vulnerability disclosure. Security teams should prioritize patch management for all internet-facing management interfaces. Even a few days of delay can be enough for attackers to establish persistent access that is difficult to detect and remove.
Source: Critical cPanel and WHM Flaw Actively Exploited as Zero Day for Three Months

