A critical security vulnerability in cPanel and WebHost Manager is drawing urgent attention across the web hosting industry, and the timeline makes it considerably more alarming than a typical software disclosure. While the flaw only recently became public knowledge, KnownHost CEO Daniel Pearson confirmed that his company found exploitation attempts stretching back to February 23, meaning hackers had months of quiet activity before anyone raised the alarm publicly.
The vulnerability, tracked as CVE-2026-41940, lets malicious hackers remotely bypass the login screen of the cPanel and WHM administration panel entirely and gain unrestricted access to the server management software without valid credentials.
Given that cPanel and WHM handle website files, email configurations, databases, and domain settings for tens of millions of website owners globally, the potential exposure runs well beyond individual servers. Shared hosting environments carry particular risk, since a single compromised server can affect large numbers of customers simultaneously.
Canada’s national cybersecurity agency described exploitation as highly probable and called for immediate action from anyone running cPanel, either directly or through their web hosting provider. Several major hosting companies moved quickly once the flaw surfaced. Namecheap temporarily blocked customer access to cPanel panels to prevent exploitation while deploying patches across its infrastructure. HostGator classified the issue as a critical authentication-bypass exploit and confirmed its teams patched all systems promptly. KnownHost identified around 30 servers showing signs of unauthorized access attempts out of thousands on its network, though Pearson noted these appeared to be attempts rather than confirmed compromises.
cPanel released patches covering all supported versions of the software and urged customers to confirm that their systems carry the update. The company also pushed a security fix for WP Squared, a related tool for managing WordPress websites that shares a similar underlying architecture.
The months-long gap between the earliest known exploitation attempts and public disclosure is the detail that should concern hosting providers and their customers most. Attackers who knew about an unpatched authentication bypass in one of the web’s most widely deployed management platforms had significant time to probe, test, and potentially access servers before defenders could respond.
Security researchers note that this kind of quiet pre-disclosure exploitation period often results in compromises that organizations only discover weeks or months later during unrelated investigations. For anyone running cPanel who has not yet confirmed their patch status, that window makes urgency the only appropriate response right now.
