🚨 Active Exploitation of cPanel/WHM Vulnerability (CVE‑2026‑41940)

A recently disclosed security vulnerability affecting cPanel and WHM (CVE‑2026‑41940) is currently under active exploitation. Given that cPanel powers a significant portion of global websites, this critical vulnerability presents a significant risk to organisations and businesses that rely on cPanel‑based hosting.

If your organisation uses cPanel or WHM, here’s what you need to know — and the steps you should take to protect your environment.

What You Should Do Immediately

• Review your current cPanel/WHM version - Check whether your environment is running a vulnerable version. The official advisory lists all patched versions.

• Run the vendor‑provided detection script - This official script helps identify whether your system shows signs of compromise.

Mitigation

If you are unable to apply the patch right away, the following vendor-recommended measures should be taken to mitigate the risk:

• Restrict access to cPanel/WHM interfaces - Limit access to ports 2083, 2087, 2095 and 2096 to required networks only.

• Disable service subdomains, if they are not required.

• Continuously monitor for unusual activity - Use the detection script alongside your existing monitoring and logging tools.
  

Alternatively, consider temporarily stopping the cpsrvd and cpdavd services where practicable.

Resolution

• Update to a patched version of cPanel/WHM as soon as possible - All patched versions are listed in the official advisory.

• Re‑run the detection script after updating - This helps confirm that no compromise occurred before the patch was applied.

Need Assistance?

If you have questions or need help assessing your environment, please feel free to contact us using our contact form. We’re here to support organisations in understanding and addressing this risk.