cPanel zero-day (CVE-2026-41940) exploited since February before emergency patch — CISA adds to KEV catalog

Tags Security · Infrastructure · Enterprise

A critical authentication bypass vulnerability in cPanel/WHM (CVE-2026-41940) has been exploited in the wild since at least February 23, 2026, potentially much earlier, before cPanel issued an emergency patch on April 28. The vulnerability was discovered and disclosed by watchTowr security researchers. CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog on April 30, ordering federal agencies to patch. cPanel also released an emergency compromise-detection script for customers. cPanel powers millions of web hosting accounts globally, meaning the months-long exploitation window likely compromised thousands of hosting providers and their customers. For security teams, this is a reminder that widely deployed control-panel software can be a high-value, low-visibility attack surface.