The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning, adding a critical vulnerability in WebPros cPanel & WHM to its Known Exploited Vulnerabilities (KEV) Catalog. The flaw, designated CVE-2026-41940, carries a CVSS severity score of 9.8 and allows attackers to bypass authentication for critical functions.
Evidence of active exploitation is mounting. The Shadowserver Foundation reported a sharp rise in attacks: as of late April, at least 44,000 IP addresses associated with cPanel instances had been observed scanning its honeypots and are likely compromised.
Roughly 1.5 million cPanel instances are exposed to the internet, and the number of infected hosts is rising sharply. Data from Censys shows a dramatic shift on May 1, 2026:
- The May 1st Spike: Net new maliciously classified hosts increased by roughly 19,000 in a single day.
- cPanel’s Role: Over 15,000 of those new malicious hosts were cPanel systems, accounting for nearly 80% of the daily surge in global malicious activity.
The vulnerability stems from a Carriage Return Line Feed (CRLF) injection flaw in the login and session-loading code paths. It lets an attacker log in without presenting a valid password, effectively granting administrator access to the website backend, webmail and databases.
The consequences of a successful exploit are severe. With access to a hosting account, an attacker controls everything in it, from websites and sensitive files to email and databases, and can plant backdoors or web shells, redirect visitors to malicious locations, or exfiltrate data. Recent observations suggest the vulnerability is being leveraged for two primary purposes:
- Ransomware Activity: Censys analysts discovered roughly 7,000 servers where files had been renamed with a ".sorry" suffix, a hallmark of the Sorry ransomware (a Hidden-Tear variant).
- Botnet Expansion: Unverified reports suggest the flaw is being used to deploy a Mirai botnet variant named "nuclear.x86".
WebPros has released an emergency update to address the flaw. Because of the critical nature of the exploit, administrators are advised not to wait for standard automated cycles.
How to Secure Your Server:
- Run the Force Update: Administrators should manually execute /scripts/upcp --force. This forces the cPanel update process to run even if the system believes it is already on the latest version.
- Verify the Version: Confirm that the installation is running a patched release for its branch, such as 11.136.0.5, 11.132.0.29, or 11.126.0.54, or later.
- Unsupported Versions: Servers running unsupported versions of cPanel are ineligible for security updates and must be upgraded to a supported version immediately.
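As an added example (not code from the article, CISA, Censys, or cPanel/WebPros), the POSIX shell script below reads the installed cPanel & WHM version, compares it field by field against the patched releases named above for its branch, and prints the forced-update command when the installed build is older. It assumes that /usr/local/cpanel/version holds the installed version string and that /scripts/upcp --force is the forced-update command; the sample version it falls back to when that file is absent is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the article or from cPanel/WebPros.
# Decides whether an installed cPanel & WHM version is at or above the
# patched release the article names for its branch, then prints the next step.
#
# Assumptions (not stated on the page):
#   - /usr/local/cpanel/version holds the installed version, e.g. "11.136.0.5"
#   - /scripts/upcp --force is the forced-update command

# Patched releases listed in the article, one per supported branch (major.minor).
PATCHED_VERSIONS="11.136.0.5 11.132.0.29 11.126.0.54"

# version_ge A B: succeed (0) when dotted version A >= B, comparing up to four
# numeric fields; a missing field counts as 0. String comparison would get
# 11.132.0.9 vs 11.132.0.29 wrong, hence the numeric field-by-field test.
version_ge() {
  i=1
  while [ "$i" -le 4 ]; do
    fa=$(printf '%s\n' "$1" | cut -d. -f"$i")
    fb=$(printf '%s\n' "$2" | cut -d. -f"$i")
    fa=${fa:-0}
    fb=${fb:-0}
    if [ "$fa" -gt "$fb" ]; then return 0; fi
    if [ "$fa" -lt "$fb" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# cpanel_status VERSION: print patched | vulnerable | unlisted, return 0 | 1 | 2.
# "unlisted" means the branch is not one the article names as patched; treat it
# as unsupported and upgrade unless the vendor advisory says otherwise.
cpanel_status() {
  v=$1
  branch=$(printf '%s\n' "$v" | cut -d. -f1-2)
  for p in $PATCHED_VERSIONS; do
    if [ "$(printf '%s\n' "$p" | cut -d. -f1-2)" = "$branch" ]; then
      if version_ge "$v" "$p"; then
        echo patched; return 0
      fi
      echo vulnerable; return 1
    fi
  done
  echo unlisted; return 2
}

# Use the live version on a server; otherwise a constructed sample so this runs offline.
if [ -r /usr/local/cpanel/version ]; then
  INSTALLED=$(cat /usr/local/cpanel/version)
else
  INSTALLED=11.132.0.27   # constructed sample: an 11.132 build older than 11.132.0.29
fi

STATUS=$(cpanel_status "$INSTALLED") || true   # nonzero status is informational here
echo "cPanel & WHM $INSTALLED: $STATUS"
case $STATUS in
  vulnerable) echo "Update now: /scripts/upcp --force, then re-run this check" ;;
  unlisted)   echo "Branch $(printf '%s\n' "$INSTALLED" | cut -d. -f1-2) is not a patched branch named in the advisory; upgrade to a supported version" ;;
esac
```

Run it as root on the server after the forced update completes; "patched" confirms the build is at or above the advisory's release for that branch, while "unlisted" flags a branch the advisory does not cover, which per the guidance above must be moved to a supported version rather than assumed safe.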
Federal Civilian Executive Branch (FCEB) agencies have been ordered by CISA to remediate this flaw by May 3, 2026. Given the speed at which this botnet and ransomware wave is moving, private sector administrators are encouraged to follow the same strict deadline.