A zero-day vulnerability in cPanel, designated CVE-2026-41940, was actively exploited in the wild for months before a patch was released, according to reporting by Help Net Security. CISA has now added it to its Known Exploited Vulnerabilities catalog, the federal registry of flaws under active attack.
The scope is significant: The Shadowserver Foundation reports 44,000 unique IP addresses actively scanning, running exploits, or conducting brute-force attacks against honeypot sensors. The same foundation identifies approximately 650,000 IP addresses hosting exposed cPanel/WHM instances, creating a large attack surface.
Why this matters: cPanel is foundational infrastructure for web hosting providers and small-to-medium business servers. A months-long exploitation window before patching means adversaries have had extended access to potentially thousands of hosting accounts and the data they contain. The 650K exposed instances suggest many administrators may not yet be aware their systems are vulnerable or visible to attackers.
The scale of active scanning (44K IPs) indicates this is not a theoretical risk—exploitation is happening now. For preppers and small business operators, this signals a cascading risk: compromised hosting accounts can lead to data theft, ransomware deployment, website defacement, or use as a staging ground for lateral network attacks.
What to watch: Monitor whether exploit code becomes more widely available or attack volume accelerates. If you operate web hosting or manage cPanel/WHM instances, the priority actions are verifying patch status and reviewing access logs for signs of unauthorized activity during the exploitation window. For those dependent on hosted services, this is a reminder that your security posture depends partly on your provider's patch velocity, which is worth confirming directly with your host.