ASD's ACSC confirmed this week that CVE-2026-41940, a critical authentication bypass in cPanel and WHM, is being actively exploited against Australian organisations. The advisory carries no sector carve-outs — ACSC's position is that no particular industry is being targeted, which means the attacker population is opportunistic and scanning broadly. Patch management conversations about this one shouldn't be limited to your IT team.
What cPanel is, and why it's everywhere
cPanel is the web hosting control panel that most shared hosting providers have shipped for the better part of two decades. If your business has ever stood up a website, a client-facing portal, a booking system, a staff intranet, or any web application through a hosting company rather than a dedicated server or cloud environment, there is a reasonable chance it lives on a cPanel-managed host. WHM (Web Host Manager) sits above cPanel and gives the hosting provider root-level control over the entire server, including every site that server hosts.
The scale here matters. Industry figures cited by multiple security researchers put cPanel's share of the control panel market at roughly 94%, with somewhere north of 70 million domains running on cPanel infrastructure globally. A Shodan query referenced in Rapid7's advisory returned approximately 1.5 million cPanel instances directly exposed to the internet. The point is not to generate alarm at a large number — it is that the software is so embedded in shared hosting infrastructure that many organisations have cPanel-managed applications they have not thought about in years, run by IT staff who have left, or maintained by an agency whose retainer ended long ago.
The vulnerability: no credentials needed
CVE-2026-41940 was assigned a CVSS score of 9.8, about as high as a remotely exploitable network flaw can score, and the score is accurate. The flaw is an authentication bypass in the login and session handling of cpsrvd, the cPanel service daemon. Before authentication completes, cpsrvd writes a session file to disk. An attacker can inject crafted content into that file through a malicious HTTP Authorization header using CRLF injection: carriage return and line feed characters (the line-break sequence HTTP uses between headers) are embedded in the header value so that, when the value is written out, the injected text breaks out of the field it belongs to and is read as additional lines of the session file. Because cpsrvd does not sanitise that input before writing, an attacker can append session properties such as user=root. When cpsrvd reloads the session, the injected properties are treated as legitimate, and the attacker's token is promoted to a fully authenticated administrator session, bypassing both the password and the two-factor authentication gates entirely.
The attack requires no existing credentials, no social engineering, and no foothold inside the network. It is a handful of HTTP requests against an internet-exposed port.
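The mechanism described above, reduced to a model of the bug class as an added example. This is not cpsrvd's code and not a proof of concept against cPanel; the session file layout, the field names and the "attempt" key are invented for illustration. It shows a writer that copies a header value into a line-oriented session store verbatim beside a hardened writer that rejects control characters, and a strict loader that refuses duplicate or unknown keys so that an injected line cannot override the real ones.

```python
"""
Simplified model of the bug class: a line-oriented session store that copies
an HTTP header value into the file without rejecting CR/LF. Added
illustration only; not cpsrvd's code and not a proof of concept against
cPanel. The file layout, field names and the 'attempt' key are invented.
"""
from __future__ import annotations

KNOWN_KEYS = {"token", "user", "authenticated", "attempt"}


def write_session_unsafe(token: str, auth_header: str) -> str:
    """Vulnerable: an attacker-controlled header value is written verbatim.
    A CR/LF inside it becomes extra key=value lines in the session file."""
    return f"token={token}\nauthenticated=0\nattempt={auth_header}\n"


def write_session_safe(token: str, auth_header: str) -> str:
    """Hardened: refuse control characters before the value reaches the file."""
    if any(ch in "\r\n\0" for ch in auth_header):
        raise ValueError("control characters in header value")
    return f"token={token}\nauthenticated=0\nattempt={auth_header}\n"


def load_session(text: str) -> dict[str, str]:
    """Naive loader: later lines override earlier ones, so an injected
    user=root line after the real fields wins."""
    props: dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value
    return props


def load_session_strict(text: str) -> dict[str, str]:
    """Second layer of defence in the loader: reject duplicate or unknown
    keys instead of letting the last occurrence win."""
    props: dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed session line: {line!r}")
        key = key.strip()
        if key not in KNOWN_KEYS or key in props:
            raise ValueError(f"unexpected or repeated key: {key}")
        props[key] = value
    return props


def is_privileged(props: dict[str, str]) -> bool:
    return props.get("authenticated") == "1" and props.get("user") == "root"


def safe_write_rejects(header: str) -> bool:
    try:
        write_session_safe("t1", header)
    except ValueError:
        return True
    return False


def strict_load_rejects(text: str) -> bool:
    try:
        load_session_strict(text)
    except ValueError:
        return True
    return False


# Constructed inputs: a normal header value and one carrying CRLF-delimited properties.
BENIGN_HEADER = "Basic dXNlcjpwYXNz"
MALICIOUS_HEADER = "Basic dXNlcjpwYXNz\r\nuser=root\r\nauthenticated=1"

if __name__ == "__main__":
    print("unsafe + naive loader :", is_privileged(load_session(write_session_unsafe("t1", MALICIOUS_HEADER))))
    print("safe writer rejects   :", safe_write_rejects(MALICIOUS_HEADER))
    print("strict loader rejects :", strict_load_rejects(write_session_unsafe("t1", MALICIOUS_HEADER)))
```

The point of the two defences is that they are independent: rejecting CR/LF at the write stops the injection, and refusing duplicate keys at the load stops a later line from promoting a session even if something else gets a stray line into the file.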
A zero-day that ran for months
cPanel shipped emergency patches on 28 April 2026. By that date, exploitation was already well underway. Managed hosting provider KnownHost reported that exploitation attempts had been observed as early as 23 February 2026 — roughly two months before any patch was available. Security firm watchTowr, which published the full technical analysis and a proof-of-concept exploit the day after disclosure, described the vulnerability as having been used as a zero-day against the management plane of a significant portion of the internet. CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog within days of disclosure. The Shadowserver Foundation reported seeing 44,000 unique IP addresses scanning, running exploits, or conducting brute-force attacks against their honeypot sensors.
More recently, BleepingComputer reported that the flaw is now being mass-exploited to deploy a Go-based Linux encryptor in ransomware campaigns identified as "Sorry" ransomware. Ransomware operators have moved quickly from opportunistic scanning to weaponised deployment.
What a successful attacker can do
Compromise of WHM is effectively compromise of the host. From an authenticated administrator position, an attacker can create backdoors and web shells that persist through reboots, redirect visitors from legitimate websites to malicious destinations, access and exfiltrate databases including customer data and credentials, and use the server's mail infrastructure to send phishing or spam at volume. On shared hosting, a single vulnerable WHM instance can expose every site the host manages — not just the application the attacker initially targeted, but every other tenant on that server.
The Australian position
ACSC's advisory confirms active exploitation against Australian targets and recommends organisations review their environments for vulnerable cPanel and WHM versions, assess whether the management interface needs to remain internet-facing, apply available patches promptly, and monitor for suspicious activity. The vendor has published an indicator of compromise detection script through its support portal.
The affected version range is broad: every cPanel and WHM version after 11.40, which was released in 2013. If your organisation has any cPanel-managed infrastructure, assume it falls within scope until you verify the patch status against the fixed versions in the cPanel security advisory. The fixed versions begin at 11.86.0.41 for the 11.86 branch and run through to 11.136.0.5 for the current 11.136 branch, with the fixed build for each branch in between listed in the advisory. Compare version numbers component by component: 11.136 is newer than 11.86, even though it sorts earlier as a string. WP Squared, a managed WordPress hosting product built on the cPanel platform, is separately patched at version 136.1.7.
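A small version check for the audit step, added here as an example (not from the cPanel or ACSC advisories). It compares an installed build against the fixed version for its branch by numeric component, which is where a string comparison goes wrong. Only the two fixed versions quoted above are filled in; the remaining branches must be copied from the advisory, and a branch missing from the table is reported as unknown rather than patched. Reading the installed string from /usr/local/cpanel/version is an assumption about the host layout.

```python
"""
Added example: decide whether an installed cPanel & WHM build is at or past
the fixed version for its branch. Only the two fixed versions quoted in the
article are filled in; complete FIXED_BY_BRANCH from the cPanel advisory.
Reading /usr/local/cpanel/version is an assumption about the host layout.
"""
from __future__ import annotations

# (major, minor) branch -> first fixed build on that branch. Complete from the advisory.
FIXED_BY_BRANCH: dict[tuple[int, int], tuple[int, ...]] = {
    (11, 86): (11, 86, 0, 41),
    (11, 136): (11, 136, 0, 5),
}
FIRST_AFFECTED_BRANCH = (11, 40)   # the advisory describes versions after 11.40 as affected


def parse_version(text: str) -> tuple[int, ...]:
    """'11.136.0.5' -> (11, 136, 0, 5). Tuples compare component-wise, which is
    what the check needs; as strings, '11.136.0.5' sorts before '11.86.0.41'."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def patch_status(version: str, fixed: dict = FIXED_BY_BRANCH) -> str:
    """Return 'patched', 'vulnerable', 'unknown_branch' or 'predates_range'."""
    v = parse_version(version)
    branch = v[:2]
    if branch < FIRST_AFFECTED_BRANCH:
        return "predates_range"          # older than anything the advisory covers
    if branch not in fixed:
        return "unknown_branch"          # consult the advisory; never assume patched
    return "patched" if v >= fixed[branch] else "vulnerable"


def installed_version(path: str = "/usr/local/cpanel/version") -> str:
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


if __name__ == "__main__":
    current = installed_version()
    print(f"{current}: {patch_status(current)}")
```

Run it on each host you own; for hosting-provider accounts, ask the provider for the exact build string and feed it to patch_status rather than accepting "we're up to date".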
Temporary mitigations available before patching include blocking inbound traffic on TCP ports 2083, 2087, 2095 and 2096 at the firewall (and 2082 and 2086 if the non-TLS cPanel and WHM listeners are still enabled). Restricting those ports to an administrative allowlist is preferable to a blanket block, and note that cPanel's service subdomains (the cpanel., whm. and webmail. hostnames proxied through the web server on ports 80 and 443) are not covered by a port block and need their own treatment. Either way this only prevents direct access to the cPanel and WHM web interfaces; it does not address the underlying vulnerability. Patch; do not rely on port blocking as a long-term control.
The ad hoc application problem
The concern we consistently raise with clients — and the angle that most of the international coverage has missed — is not the well-maintained production environment. Organisations with active IT teams and regular patching cycles will close this quickly. The exposure that runs longer sits in a different category: the cPanel account that was set up three years ago to host a staff directory, a client extranet, a job application form, or an event registration tool. The application may still be live and serving real traffic. It may hold real data — names, contact details, credentials, uploaded documents. But the person who set it up has moved on, the agency that built it is on a different contract, and nobody is responsible for its patch state.
This is not a theoretical risk profile. Shared hosting is cheap, fast to stand up, and administratively convenient. It is also structurally disconnected from the patch management processes that govern production systems. Shared hosting accounts accumulate in organisations the way old email aliases do — set up for a purpose, forgotten when that purpose ends, and still running.
What to do now
The practical steps are not complicated, but they require someone to actually go and look.
Audit: Identify every cPanel or WHM-managed application in your environment. This includes applications managed by third parties — agencies, freelancers, or subsidiaries — where you may not control the hosting account directly. If your web presence involves shared hosting of any kind, confirm the platform and the patch status with the provider.
Patch: If you manage your own cPanel instances, update to a fixed version immediately with the vendor's update script (/scripts/upcp --force), confirm the installed build with /usr/local/cpanel/cpanel -V (the same string is stored in /usr/local/cpanel/version), and restart the service daemon with /scripts/restartsrv_cpsrvd. If you rely on a hosting provider, verify that they have applied the patch; do not assume auto-update has handled it, particularly if the account was set up on a pinned version.
Triage: Run the vendor's IoC detection script against affected instances. Review the session file directory at /var/cpanel/sessions/raw/ for pre-authentication sessions containing unexpected properties. Check WHM for user accounts, SSH keys, or cron jobs that were not there before. Review the web server logs together with cPanel's own logs (/usr/local/cpanel/logs/access_log and /usr/local/cpanel/logs/login_log) for the disclosure window from late February to 28 April 2026, with particular attention to requests against login endpoints followed by authenticated API calls from the same source. Treat a match as a lead to investigate, not as proof of compromise on its own.
Assess the data: If an instance was exposed during the zero-day window and you hold personal information on that server, you need to assess whether a notifiable data breach has occurred under the Privacy Act 1988 (Cth). That assessment starts with what data was accessible, not only with whether you can confirm exfiltration. The OAIC's Notifiable Data Breaches scheme applies where unauthorised access to or disclosure of personal information is likely to result in serious harm to the individuals concerned; where you merely suspect that, the Act requires a reasonable and expeditious assessment, completed within 30 days. Unauthorised access to customer databases, credential stores, or personally identifiable information on a cPanel-hosted application will meet that threshold in most cases.
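The log-review part of the triage step, as an added example that is not the vendor's IoC script and not from the ACSC advisory. It scans access-log lines for a source that hit a login endpoint and then made authenticated API calls within a short window, which is the pattern described above. Assumptions: the line layout (IP, "-", user, bracketed MM/DD/YYYY timestamp, quoted request, status) follows /usr/local/cpanel/logs/access_log, authenticated URLs carry a /cpsessNNNN/ security token or target /json-api/ or /execute/, and the sample lines are constructed for this example. The known_admins allowlist suppresses sources you expect to log in.

```python
"""
Added triage example: find sources that requested a login endpoint and then
made authenticated API calls within a window. The log layout, the
authenticated-URL patterns and the sample lines are assumptions made for
this example; adjust LINE_RE and AUTHED_PATH_RE to your own logs.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
AUTHED_PATH_RE = re.compile(r"^/cpsess\d+/|^/json-api/|^/execute/")


@dataclass
class Event:
    ip: str
    user: str
    ts: datetime
    method: str
    path: str
    status: int


@dataclass
class Finding:
    ip: str
    login_at: datetime
    login_status: int
    api_user: str
    api_calls: int
    first_paths: list[str]


def parse_line(line: str) -> Event | None:
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = m["ts"].split(" ")[0]          # drop the numeric UTC offset
    ts = datetime.strptime(stamp, "%m/%d/%Y:%H:%M:%S")
    return Event(m["ip"], m["user"], ts, m["method"], m["path"], int(m["status"]))


def is_login(e: Event) -> bool:
    return e.path.startswith("/login")


def is_authenticated_api(e: Event) -> bool:
    return e.user != "-" and AUTHED_PATH_RE.match(e.path) is not None


def find_login_then_api(lines, window=timedelta(minutes=10), known_admins=frozenset()):
    """Group events by source IP and report each source whose login request is
    followed, inside the window, by authenticated API calls."""
    by_ip: dict[str, list[Event]] = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e is not None and e.ip not in known_admins:
            by_ip[e.ip].append(e)
    findings: list[Finding] = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e.ts)
        for login in (e for e in events if is_login(e)):
            apis = [e for e in events
                    if is_authenticated_api(e) and login.ts <= e.ts <= login.ts + window]
            if apis:
                findings.append(Finding(ip, login.ts, login.status, apis[0].user,
                                        len(apis), [e.path for e in apis[:3]]))
                break   # one finding per source is enough to open an investigation
    return findings


# Constructed sample: a known admin, a suspicious source, and a plain scanner.
SAMPLE_LOG = [
    '198.51.100.7 - - [04/20/2026:09:00:01 -0000] "POST /login/?login_only=1 HTTP/1.1" 200 0 "" "Mozilla/5.0"',
    '198.51.100.7 - root [04/20/2026:09:00:05 -0000] "GET /cpsess1111111111/json-api/listaccts?api.version=1 HTTP/1.1" 200 0 "" "Mozilla/5.0"',
    '203.0.113.44 - - [04/20/2026:03:12:40 -0000] "GET /login/ HTTP/1.1" 401 0 "" "python-requests/2.31"',
    '203.0.113.44 - root [04/20/2026:03:12:41 -0000] "GET /cpsess2222222222/json-api/listaccts?api.version=1 HTTP/1.1" 200 0 "" "python-requests/2.31"',
    '203.0.113.44 - root [04/20/2026:03:12:43 -0000] "POST /cpsess2222222222/json-api/createacct HTTP/1.1" 200 0 "" "python-requests/2.31"',
    '192.0.2.200 - - [04/20/2026:03:15:00 -0000] "GET / HTTP/1.1" 200 0 "" "zgrab/0.x"',
]

if __name__ == "__main__":
    for f in find_login_then_api(SAMPLE_LOG, known_admins={"198.51.100.7"}):
        print(f"{f.ip}: login at {f.login_at} (HTTP {f.login_status}) then "
              f"{f.api_calls} authenticated call(s) as {f.api_user}: {f.first_paths}")
```

A source that reaches root-level API calls seconds after a login request that did not itself succeed is the kind of sequence worth pulling the full session and web server logs for; a source on your allowlist that does the same is expected behaviour, which is why the allowlist exists.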
Where we can assist
If your organisation is working through the triage process for a potentially affected cPanel instance, or if you have discovered evidence of compromise and need to assess your obligations under the NDB scheme, Artificer Cyber can assist with both the technical investigation and the legal steps that follow. Our DFIR practice operates across breach discovery, log analysis, and affected-individual notification, and our legal team handles the regulatory side — OAIC engagement, board briefings, and legal professional privilege over the investigation — from the same engagement. Get in touch here.
Threat actors don't pause while you find a firm.
Artificer Cyber maintains active readiness across DFIR, legal privilege, and threat intelligence. When something happens, we're already briefed — and we can be engaged within the hour.