Critical cPanel Authentication Bypass (CVE-2026-41940) Weaponized Against Government and MSP Networks
Tags: Security · Infrastructure · Enterprise

A critical authentication bypass vulnerability in cPanel/WHM (CVE-2026-41940, CVSS 9.8) is being actively exploited by multiple threat actors against government and military entities in Southeast Asia, as well as MSPs and hosting providers in the Philippines, Laos, Canada, South Africa, and the US. Over 40,000 servers have been compromised, with 4 GB of sensitive data stolen from at least one military server. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on April 30 with a remediation due date of May 3. Approximately 1.5 million cPanel instances are internet-exposed, putting an estimated 70 million websites at risk. A weaponized PoC called 'cPanelSniper' has been publicly released.