cPanel authentication bypass CVE-2026-41940 actively exploited against government and MSP networks
Tags Security · Infrastructure · Enterprise
Sources: CISA KEV Catalog · Rapid7 · The Hacker News
CISA added CVE-2026-41940, a critical CVSS 9.8 authentication bypass in cPanel and WHM, to its Known Exploited Vulnerabilities catalog on April 30, with a remediation deadline of May 3 for federal agencies. The vulnerability, which allows unauthenticated attackers to gain root access via CRLF injection in session handling, has been actively exploited since February 23, meaning it was a true zero-day for approximately two months before a patch was available. Research suggests up to 44,000 cPanel installations may already be compromised, out of approximately 1.5 million internet-exposed instances identified via Shodan.