Federal agencies must patch cPanel bug by Sunday, CISA says
Federal agencies have until May 3 to resolve a security issue impacting a critical system for server and website management.
The Cybersecurity and Infrastructure Security Agency (CISA) ordered all federal agencies to patch CVE-2026-41940, a critical-severity vulnerability affecting cPanel & WHM.
cPanel and WHM are owned by WebPros International. The Linux-based tools form a web hosting control panel suite used to manage websites and servers, and millions of domains are administered through them.
Incident responders at Rapid7 said successful exploitation of CVE-2026-41940 “grants an attacker control over the cPanel host system, its configurations and databases, and websites it manages.” The bug carries a CVSS score of 9.8 out of 10.
Experts warned that attackers could use the bug to fully compromise a server, steal data or tamper with hosted content, and that exploitation could also cause broader service disruptions.
Multiple cybersecurity firms said thousands of cPanel instances are exposed to the internet and may be vulnerable.
CISA confirmed Thursday that the bug is being exploited. In addition to fixes for the bug, cPanel released a tool that allows companies to see if they have been compromised.
The bug was first spotlighted earlier this week by cybersecurity experts at watchTowr, which also released a tool that allows defenders to identify vulnerable hosts in their estates. Other companies shared evidence that showed the bug has been exploited since February.
U.S. domain name registrar Namecheap released an advisory this week warning customers that the actions it is taking to address the vulnerability may temporarily block their access to the cPanel and WHM interfaces.
Benjamin Harris, CEO of watchTowr, said that within hours of the initial cPanel advisory dropping, nearly every major hosting provider on the planet had firewalled their own customers off their own product.
“Hosting.com, Namecheap, KnownHost, HostPapa, InMotion and the rest all pulled the emergency brake because the alternative was watching their entire customer base get owned in real-time,” Harris said. “Once again, we’re running around with half the Internet seemingly ablaze, and given the increased usage of AI in vulnerability research, we anticipate this new normal to become increasingly familiar.”
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.