Critical cPanel authentication bypass CVE-2026-41940 mass-exploited across 1.5M servers
Tags Security · Infrastructure

A critical authentication bypass in cPanel & WHM (CVE-2026-41940, CVSS 9.8) is being actively exploited by multiple threat actors, including the Sorry ransomware group. Exploitation dates back to at least February 23, 2026, two months before cPanel's emergency patch on April 28. The flaw allows unauthenticated remote attackers to gain root-level WHM access via CRLF injection combined with an encryption skip caused by a malformed cookie. CISA added it to its Known Exploited Vulnerabilities catalog on April 30, requiring federal agencies to patch by May 3. Shodan shows approximately 1.5 million internet-exposed cPanel instances at risk. Major hosting providers, including Namecheap, KnownHost, HostPapa, and InMotion, preemptively blocked ports TCP/2083 and TCP/2087. Shadowserver observed 44,000 compromised IPs on April 30, dropping to 3,540 by May 3.