A critical vulnerability in cPanel is facing widespread exploitation across the globe, researchers warn. 

The vulnerability, tracked as CVE-2026-41940, is an authentication bypass flaw in the login process that could allow a remote attacker to gain access to the control panel.

The potential risk is significant, as cPanel and WHM act as web hosting control panel software for more than 70 million domains, according to researchers. WHM acts as the administrative interface and cPanel serves as the user-facing panel for individual accounts, says watchTowr, which released a proof-of-concept of the vulnerability.

cPanel urged users to apply immediate security upgrades and warned the vulnerability affects all versions after 11.40.

KnownHost said it has begun blocking cPanel and WHM login ports across the KnownHost network as a precautionary measure. 

Shadowserver Foundation on Friday reported more than 44,000 IPs were likely compromised. Researchers said the data was based on a spike in scanning, exploits and brute force attacks against its honeypot sensors. 

Shadowserver reported more than 572,000 exposed instances across the globe as of Sunday, with more than 391,000 in North America. 

The Cybersecurity and Infrastructure Security Agency on Thursday added the flaw to its Known Exploited Vulnerabilities catalog. 

Researchers at Defused see continued increases in threat activity, identifying more than 1,000 exploitation attempts since the vulnerability was disclosed. 

“A lot of it revolves around building persistence into the systems by modifying or adding the attackers own credentials, and also some remote code execution activity,” Simo Kohonen, founder and CEO of Defused, told Cybersecurity Dive.