Overview
The past week or so has provided a timely reminder of the importance of keeping server software up to date, with major vulnerabilities announced affecting the Linux kernel, the Apache web server, the Exim MTA, and most notably, cPanel/WHM. Each of these vulnerabilities is serious in nature and could be utilised by an attacker to gain full administrative control of an affected server. Combined with the recent press around the hacking capabilities of Anthropic’s new Mythos AI model, this serves as a compelling case for treating software updates not as optional maintenance, but as an essential ongoing security responsibility.
The vulnerabilities in brief
CVE-2026-41940: cPanel and WHM Authentication Bypass (Critical)
As covered in our separate advisory on the cPanel security advisory for CVE-2026-41940, this vulnerability allows an unauthenticated remote attacker to bypass the login process in cPanel and WHM entirely and gain root-level access to the server without any credentials. It affects all versions of cPanel and WHM prior to the patched releases, and some hosts have suggested they have evidence that it was exploited in the wild for some time before the patch was released on 28th April 2026. Ransomware, cryptocurrency miners, and persistent backdoors have all been deployed by attackers exploiting this vulnerability across the hosting industry.
CVE-2026-23918: Apache HTTP Server Remote Code Execution (High)
This vulnerability affects servers running Apache HTTP Server version 2.4.66 with HTTP/2 enabled. A flaw in how the server handles certain network requests could allow an attacker to execute malicious code on the server remotely, without needing valid credentials or prior access. Apache is one of the most widely deployed web servers in the world, making the potential reach of this vulnerability significant. Users should upgrade to version 2.4.67, which resolves the issue.
CVE-2026-31431: Linux Kernel Privilege Escalation, “Copy Fail” (High)
This vulnerability affects virtually every major Linux distribution running a kernel released since 2017, and a working exploit is publicly available. Unlike the other two vulnerabilities, it cannot be exploited remotely on its own, as an attacker first needs some level of local access to the server. However, once that access exists, an unprivileged user can exploit this flaw to gain full root access within seconds. A kernel update is required to resolve this, which on most distributions will also require a server reboot to take effect.
Multiple CVEs: Exim MTA
Multiple security vulnerabilities were reported for the Exim MTA, used by several hosting control panels including cPanel/WHM. Exim versions prior to 4.99.2 are affected. CVE references are CVE-2026-40684, CVE-2026-40685, CVE-2026-40686, and CVE-2026-40687. If you’re running cPanel, you should update as soon as possible.
Why vulnerabilities matter together
Each of these vulnerabilities is serious in its own right, but when you consider how many attacks work in practice, it becomes clearer why action needs to be taken to patch these vulnerabilities quickly.
Vulnerabilities that get an attacker direct to root from nothing with a simple script (like cPanel CVE-2026-41940) are thankfully rare.
In the absence of this type of vulnerability, attackers will attempt to combine multiple vulnerabilities to deliver the same outcome.
So if we’re looking at these vulnerabilities as an example, an attacker may potentially leverage the Apache vulnerability to gain limited initial access to a server, and then use the Copy Fail kernel vulnerability to escalate that access to full root. Hence, a server running both unpatched Apache and an unpatched kernel may be exposed to a complete remote-to-root compromise via this combination. (Note: this is just an example to illustrate how attackers may chain multiple exploits together.)
Why escalation of privilege vulnerabilities are more of a concern for hosting customers
Hosting resellers, web agencies, and smaller control panel operators often grant their customers limited access to their server or control panel to administer their websites. This access is completely legitimate, and often necessary for business operations, but in that context, escalation of privilege vulnerabilities like Copy Fail may be exploitable without the requirement to use another exploit to gain that foothold in the system. So in the case of Copy Fail and a server running an unpatched kernel, a user with limited SSH access (which is not an uncommon scenario in the hosting industry) may be able to exploit this vulnerability and escalate their privileges to root, taking control of the entire server and all the accounts hosted on it.
What we recommend
If you manage your own VPS or dedicated server, we recommend the following actions.
Hosting Control Panels
If you are running a control panel, ensure that auto-updates are turned on and that they are working. This should be configured to update both the control panel software itself, and the software on the underlying server.
Server updates
If you are not running a control panel, you should configure automatic/unattended updates on your server. Check regularly that they are working as expected.
Linux kernel updates
Kernel updates require a reboot to take effect. Whilst customers rarely wish to incur downtime while their server reboots, the risk of running an unpatched kernel containing security vulnerabilities will more than likely exceed the operational risk of incurring a server reboot. If you aren’t comfortable with automating server reboots and/or kernel updates, then you will need to reliably do this yourself on a regular basis, and/or look at solutions such as KernelCare, which provide live kernel security patching across a range of popular Linux distributions. (Reboots with KernelCare are still required, but they should be less frequent.)
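As a way to check that updates are actually landing, the following script is an added example (not part of the original article or any vendor tooling) that compares the installed Apache and Exim versions with the affected and fixed releases named above, and flags a kernel that has been updated on disk but not yet booted. The function names and output wording are assumptions of this example.

```shell
#!/bin/sh
# Added example: compares installed versions with the releases named in the
# article. Distro packages may backport fixes without changing the upstream
# version string, so treat a hit as a prompt to check the vendor advisory.

# version_lt A B: succeeds if A sorts strictly before B (needs sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Pull the version number out of `httpd -v` / `exim -bV` banner text.
apache_version() { printf '%s\n' "$1" | sed -n 's|.*Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1; }
exim_version()   { printf '%s\n' "$1" | sed -n 's|^Exim version \([0-9][0-9.]*\).*|\1|p' | head -n 1; }

# Article: Apache 2.4.66 with HTTP/2 enabled is affected; 2.4.67 is fixed.
apache_status() {   # $1 = version, $2 = "yes" if HTTP/2 may be enabled
    if [ "$1" = "2.4.66" ] && [ "$2" = "yes" ]; then echo AFFECTED; else echo ok; fi
}

# Article: Exim versions prior to 4.99.2 are affected.
exim_status() {
    if version_lt "$1" "4.99.2"; then echo AFFECTED; else echo ok; fi
}

# A kernel update only takes effect after a reboot: flag a newer installed
# kernel than the running one. Live-patching tools are not considered here.
reboot_status() {   # $1 = uname -r, $2 = installed kernel versions, one per line
    newest=$(printf '%s\n' "$2" | sort -V | tail -n 1)
    if version_lt "$1" "$newest"; then echo "REBOOT NEEDED ($newest)"; else echo ok; fi
}

# Live checks; each is skipped when the tool is not installed.
for bin in httpd apache2; do
    command -v "$bin" >/dev/null 2>&1 || continue
    h2=yes   # assume HTTP/2 is on unless the module list proves otherwise
    mods=$("$bin" -M 2>/dev/null) && ! printf '%s' "$mods" | grep -q http2_module && h2=no
    echo "apache: $(apache_status "$(apache_version "$("$bin" -v 2>/dev/null)")" "$h2")"
done
if command -v exim >/dev/null 2>&1; then
    echo "exim: $(exim_status "$(exim_version "$(exim -bV 2>/dev/null)")")"
fi
if [ -d /lib/modules ]; then
    echo "kernel: $(reboot_status "$(uname -r)" "$(ls /lib/modules)")"
fi
```

Run it from cron or a monitoring agent and alert on any line that is not "ok"; it reads version strings only and changes nothing on the server.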
Backups
Make sure you take proper backups that meet your business requirements. No strategy is bulletproof, and even well-maintained servers can be hit by vulnerabilities that were not publicly known about at that time. In the case of CVE-2026-41940, the ability to restore from a good clean backup was the difference between a manageable incident and something far more serious for many hosting customers. Restoring from a known good backup is often the safest and quickest recovery path when a server has been compromised.
How we can help
Whether you’re an existing customer, or a new customer looking to upgrade to a managed hosting service, our team are here to help.
We offer a fully managed VPS solution based on Enhance Control Panel that has automatic updates, including kernel updates, and backups included as standard. So you cover all of the pain points with none of the associated hassle. Enhance itself is written in memory-safe Rust, and it is estimated that 70% of all serious security bugs are memory safety issues.
If you’d prefer to stick with cPanel or Plesk though, we have various solutions available based on those control panels too (including KernelCare) that you can combine with our standard Acronis Cyber Protect Cloud backup plans to deliver a comparable level of service.
Or if you just want backups we can do that too – even if your regular service is hosted with another provider.
The information in this article is provided for general guidance based on publicly available information at the time of writing. Vulnerability details and patch availability continue to evolve. Nothing in this article constitutes legal or compliance advice. Customers with specific security concerns should seek independent professional advice.
