CISA Adds cPanel Authentication Bypass CVE-2026-41940 to KEV After 44,000 IPs Exploit Zero-Day
CISA · Ctrl-Alt-Intel · The Hacker News
CISA added CVE-2026-41940, a critical (CVSS 9.8) authentication bypass in cPanel & WHM, to its Known Exploited Vulnerabilities catalog on April 30 after hosting provider KnownHost confirmed active zero-day exploitation dating to at least February 23. Shadowserver detected roughly 44,000 unique IPs scanning and exploiting the flaw on April 30 alone, with about 1.5 million internet-exposed cPanel instances at risk. Ctrl-Alt-Intel documented a targeted campaign using the bug against Philippine and Laotian government/military domains. cPanel released patches on April 28 across six supported version lines.