In the world of Linux server operations and virtual hosting management, cPanel & WHM is a cornerstone technology. However, that cornerstone is currently under a massive, global assault. Security researchers at XLab have issued a high-alert report detailing the active, large-scale exploitation of CVE-2026-41940—a critical authentication bypass vulnerability that has turned thousands of servers into open doors for cybercriminals.
With a CVSS score of 9.8, this vulnerability is as dangerous as it gets: an unauthenticated remote attacker, supplying no account or password, can bypass authentication, take over the cPanel / WHM control panel, and gain administrator privileges on the affected server.
Since the flaw was publicly disclosed on April 28, 2026, XLab’s Cyber Threat Insight and Analysis System (CTIA) has witnessed an explosion of malicious activity. This isn’t the work of a single group; it is a coordinated “feeding frenzy” involving various black and gray market actors.
Monitoring data currently tracks more than 2,000 unique source IPs worldwide involved in automated attacks. While the attacks are truly global, the primary concentrations of malicious traffic originate from Germany, the United States, Brazil, and the Netherlands. Hackers aren’t just looking for data; they are weaponizing the breached servers for “mining, ransomware, botnet propagation, backdoor implantation, and many other malicious activities”.
The real-world consequences of this bypass are already coming to light. On May 2, a major security incident was confirmed where hackers successfully utilized CVE-2026-41940 to breach Southeast Asian government and military institutions. The cost of that breach was the theft of approximately 4.37 GB of highly sensitive files.
XLab’s investigation also uncovered a specific actor, designated Mr_Rot13, who appears to be heavily targeting WordPress installations via this bypass. The researchers discovered a sophisticated PHP backdoor being implanted on compromised systems.
While the researchers tracked the backdoor’s traffic for several days, the threat actor’s discipline made full analysis difficult.
“We continuously tracked it for several days, but unfortunately, we never received a valid response from the C2, so we were unable to decrypt the RC4-encrypted payload in the sample… However, it is certain that WordPress is undoubtedly one of Mr_Rot13’s key targets.”
The speed of this campaign—moving from disclosure to thousands of active, automated attackers in just days—highlights the extreme risk facing unpatched Linux servers. Because the exploit requires zero authentication, it is the perfect tool for initial access brokers and state-sponsored groups alike.
Administrators using cPanel & WHM are urged to audit their logs for any unauthorized access since late April and ensure their control panels are updated to the latest secure version immediately.
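One way to approach the log audit recommended above, as an added example that is not part of the article or of XLab's report: the script below parses control-panel access log lines, keeps only successful requests logged on or after the April 28, 2026 disclosure date, and flags those that did not come from an administrator allowlist. It assumes the log uses the common combined format (the real cPanel/WHM log layout may differ; check your own files), the allowlist and sample log lines are constructed for illustration, and the request paths are placeholders rather than real cPanel endpoints.

```python
import re
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Assumed combined-style access log layout (constructed assumption, not
# taken from cPanel documentation):
#   IP ident user [timestamp] "METHOD path PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Public disclosure date of CVE-2026-41940 as stated in the article.
DISCLOSURE_DATE = datetime(2026, 4, 28, tzinfo=timezone.utc)

# Constructed sample log lines (RFC 5737 documentation addresses, placeholder paths).
SAMPLE_LOG = """\
203.0.113.5 - - [20/Apr/2026:10:00:00 +0000] "GET /login/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - root [29/Apr/2026:03:12:44 +0000] "GET / HTTP/1.1" 200 1024 "-" "python-requests/2.31"
10.0.0.7 - root [29/Apr/2026:09:00:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.23 - - [30/Apr/2026:11:22:33 +0000] "POST /login/ HTTP/1.1" 401 0 "-" "curl/8.0"
"""


def parse_line(line):
    """Return a dict for one access log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "user": m.group("user"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_allowlisted(ip, allowlist):
    """True if ip falls inside any of the allowlisted networks (hypothetical list)."""
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in allowlist)


def audit_access_log(lines, allowlist, since=DISCLOSURE_DATE):
    """Flag successful (2xx/3xx) requests since the disclosure date whose
    source IP is not on the administrator allowlist. Unparseable lines are
    skipped rather than raising, so a single odd line does not abort the audit."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["ts"] < since:
            continue
        if not 200 <= rec["status"] < 400:
            continue
        if is_allowlisted(rec["ip"], allowlist):
            continue
        findings.append(rec)
    return findings


def summarize_by_ip(findings):
    """Count flagged requests per source IP for a quick triage view."""
    counts = {}
    for rec in findings:
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    # Hypothetical admin network; replace with your own known-good ranges.
    admin_allowlist = ["10.0.0.0/8"]
    hits = audit_access_log(SAMPLE_LOG.splitlines(), admin_allowlist)
    for rec in hits:
        print(rec["ts"].isoformat(), rec["ip"], rec["user"], rec["method"], rec["path"], rec["status"])
    print(summarize_by_ip(hits))
```

Run it against the real log files on a suspect host by replacing `SAMPLE_LOG.splitlines()` with the opened file. A hit from an unknown IP with a successful status and an administrative user is exactly the kind of entry worth correlating with process, cron and web-root changes on that server.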