Authentication Bypass in Web Hosting Control Panels
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability, CVE-2026-41940, to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation. The flaw affects WebPros cPanel and WHM as well as the WP2 WordPress management tool. It is classified as missing authentication for a critical function (CWE-306): an administrative code path can be reached without presenting any credentials, so a remote, unauthenticated attacker does not defeat the login so much as step around it. The report does not name the exposed endpoint or component, so until the vendor's fixed build is confirmed on a host, any network-reachable cPanel/WHM instance should be treated as in scope.
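To make the weakness class concrete, here is an added, generic illustration of CWE-306 written for this page; it is not cPanel, WHM or WP2 code and says nothing about how CVE-2026-41940 itself is triggered. A tiny request dispatcher exposes an account-provisioning handler (the "critical function") with no check on who is calling, next to a hardened dispatcher that declares the role each route needs and denies by default. The session store, tokens and route names are all assumptions for the example.

```python
"""Illustrative CWE-306: a critical function reachable without authentication,
beside the same function behind a deny-by-default authorization check.
Generic example written for this article, not vendor code."""
from dataclasses import dataclass, field

# Constructed session store for the example: bearer token -> (username, role).
SESSIONS = {"tok-admin-1": ("root", "admin"), "tok-user-7": ("alice", "user")}


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


def create_account(params):
    """The 'critical function': provisioning an account. Stands in for any admin action."""
    return 200, f"created {params.get('user')}"


# --- Vulnerable: route straight to the handler; nothing checks who is calling. ---
VULN_ROUTES = {"/admin/create_account": create_account}


def vulnerable_dispatch(req):
    handler = VULN_ROUTES.get(req.path)
    if handler is None:
        return 404, "not found"
    return handler(req.params)          # CWE-306: no authentication, no role check


# --- Hardened: each route declares the role it requires, the dispatcher enforces
#     it before any handler runs, and a missing or unknown session is rejected. ---
HARD_ROUTES = {"/admin/create_account": (create_account, "admin")}


def current_principal(req):
    """Resolve the caller from a bearer token; None when absent or unknown."""
    token = req.headers.get("Authorization", "").removeprefix("Bearer ").strip()
    return SESSIONS.get(token)


def hardened_dispatch(req):
    entry = HARD_ROUTES.get(req.path)
    if entry is None:
        return 404, "not found"
    handler, required_role = entry
    principal = current_principal(req)
    if principal is None:
        return 401, "authentication required"   # authenticate first ...
    if principal[1] != required_role:
        return 403, "forbidden"                 # ... then authorize
    return handler(req.params)
```

The design point is that the check lives in the dispatcher, not in each handler: a new admin route added to HARD_ROUTES without a role cannot be registered, whereas in the vulnerable layout every handler has to remember to check for itself, and one that forgets is exactly the CWE-306 case.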
Impact on Hosting Environments
Because cPanel and WHM are the administrative backends for thousands of websites and servers, a successful exploit gives an attacker full control over every domain a panel manages: they can modify site files, dump database contents, redirect traffic, and plant persistent backdoors. CISA has not confirmed a link to ransomware, but compromised hosting panels are routinely used for phishing campaigns, cryptomining, and staging further attacks. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by the listed due date, and private organizations are strongly urged to follow suit. That deadline, May 3, 2026, has already passed. Because the flaw was exploited in the wild before most operators could patch, updating alone is not sufficient: treat exposed panels as potentially compromised, review them for unexpected accounts, cron jobs, SSH keys and recently modified files, and rotate credentials and API tokens stored on the server.
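The practical check for the deadline paragraph is to run the KEV feed against your own inventory and surface entries whose due date has passed. The following is an added example for this page, not CISA's or a vendor's tooling. The feed below is a constructed sample in the shape of the published KEV JSON (field names such as cveID, vendorProject, product, dueDate and knownRansomwareCampaignUse are the feed's own); the CVE ID, vendor, products and due date come from the article above, while the other values are placeholders. In real use the feed is downloaded from https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json instead of being embedded.

```python
"""Flag KEV entries for products you run whose remediation due date has passed.
Added example for this article; SAMPLE_FEED is a constructed stand-in for the
CISA KEV JSON feed, with placeholder text in the descriptive fields."""
import json
from datetime import date

SAMPLE_FEED = json.loads("""
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
  "count": 1,
  "vulnerabilities": [
    {
      "cveID": "CVE-2026-41940",
      "vendorProject": "WebPros",
      "product": "cPanel & WHM, WP2",
      "vulnerabilityName": "placeholder",
      "dateAdded": "2026-04-01",
      "shortDescription": "placeholder: missing authentication for critical function (CWE-306)",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
      "dueDate": "2026-05-03",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": ""
    }
  ]
}
""")


def overdue_entries(feed, inventory, today):
    """Return KEV entries matching `inventory` (lowercase vendor/product substrings)
    whose dueDate is earlier than `today`, most overdue first."""
    hits = []
    for v in feed["vulnerabilities"]:
        haystack = f"{v['vendorProject']} {v['product']}".lower()
        if not any(name in haystack for name in inventory):
            continue
        due = date.fromisoformat(v["dueDate"])
        if due < today:
            hits.append({
                "cve": v["cveID"],
                "product": v["product"],
                "days_overdue": (today - due).days,
                "ransomware": v.get("knownRansomwareCampaignUse", "Unknown"),
                "action": v["requiredAction"],
            })
    return sorted(hits, key=lambda h: -h["days_overdue"])


if __name__ == "__main__":
    # Assumed inventory: the substrings an operator would list for a cPanel shop.
    for hit in overdue_entries(SAMPLE_FEED, {"cpanel", "webpros"}, date.today()):
        print(f"{hit['cve']}: {hit['product']} is {hit['days_overdue']} days past due")
```

Matching on a vendor/product substring is deliberately loose; the feed's product strings are free text, so an exact match against your CMDB will silently miss entries. Tighten it only after checking what the feed actually calls the products you run.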
Source: Cybersecuritynews

