cPanel Security Advisory – CVE-2026-41940 (Critical)

May 6, 2026 / cPanel & WHM

Overview

On 28th April 2026, a critical security vulnerability affecting cPanel and WHM (CVE-2026-41940) was publicly disclosed.

This advisory explains the nature of the vulnerability, the actions we took to secure affected systems, and the steps we recommend customers take to review their own environments.


What is the vulnerability?

This vulnerability affects the authentication mechanism within cPanel and WHM and could allow an unauthenticated remote attacker to gain unauthorised administrative access to the control panel, potentially including root-level access to the underlying server.

The vulnerability carries a CVSS score of 9.8 out of 10 (Critical) and affected all versions of cPanel and WHM prior to the patched releases.

For a full list of affected and patched versions, please refer to the official cPanel security advisory.


Our response

We acted immediately upon public disclosure on 28th April 2026:

  • Initial mitigations were applied as soon as the issue became known
  • An official patch was released later the same evening and automatically deployed across our infrastructure
  • The majority of servers updated without intervention
  • Where access permitted, any servers that did not update automatically were manually patched or otherwise secured
  • In a small number of cases, access to cPanel ports was temporarily restricted until patching could be completed

Where we have been able to verify patch status, all systems are confirmed as updated.

For servers outside of our direct management, we strongly recommend customers verify their patch status against the cPanel security advisory to confirm they are running a patched version.


Current status and ongoing checks

Following disclosure, reports from some hosting providers suggest this vulnerability may have been exploited prior to the public announcement on 28th April 2026, though the full extent and timeline of any prior exploitation remain unclear.

Post-exploitation activity observed across the wider hosting industry following this disclosure has included the deployment of ransomware, cryptocurrency miners, and persistent backdoors.

We have identified a small number of customer servers within our infrastructure that have been affected by ransomware, and those customers are being contacted directly. We are continuing to carry out thorough checks across all systems as a precaution.

These checks are designed to identify common indicators of compromise; however, they cannot guarantee detection in all scenarios, particularly where activity may have been concealed or removed.

It is also important to note that certain activity within individual hosting accounts, such as uploaded files, may not always be fully visible through platform-level checks alone.

Given that this vulnerability was potentially exploited as a zero-day prior to any public disclosure or patch being available, some activity may have occurred before any provider, including us, could have been aware of or acted upon it.


Recommended actions for customers

As an additional precaution, we recommend customers review their own environments for any signs of unexpected activity.

In particular:

  • Review user accounts and access logs within cPanel and WHM (the login history is kept in /usr/local/cpanel/logs/login_log and /usr/local/cpanel/logs/access_log), paying particular attention to any activity prior to the patch being applied to your server
  • Check for unfamiliar files, including any files with a .sorry extension which may indicate ransomware activity related to this vulnerability
  • Check for unfamiliar or unauthorised cron jobs or configuration changes
  • Verify any recently added or unfamiliar API tokens in WHM
  • Check for any unknown or unauthorised user accounts on the server
  • Review the SSH authorized_keys file of every account, root included, for any unrecognised entries
  • Check the sudoers file for any unexpected entries
  • Once the server is confirmed patched, update all passwords (cPanel, WHM, SSH, FTP, and databases) and revoke any API tokens you cannot account for; credentials rotated before patching offer no protection, because the vulnerability does not require them
  • Review any recent file uploads or changes within hosting accounts
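
As an added example, not part of the original advisory and not cPanel's own tooling, the following POSIX shell script gathers the host-level items from the list above in one pass: .sorry files, cron entries for every account, authorized_keys entries, sudoers rules and any non-root account with UID 0. It assumes the usual RHEL-family cPanel layout (user crontabs under /var/spool/cron, account homes under /home, root's home in /root) and takes a root prefix so it can be run against "/" on the live host or against a mounted image; the sample tree it builds is constructed test data, not real server content.

```shell
#!/bin/sh
# Added example for post-disclosure triage of a cPanel/WHM host.
# Not cPanel's tooling. Assumes the RHEL-family cPanel layout:
# user crontabs in /var/spool/cron, account homes in /home, root's
# home in /root. Every function takes a root prefix so the checks can
# be run against "/" on the live host or against a mounted image.

count_lines() { awk 'END { print NR }'; }   # prints 0 on empty input

# Print the active (non-blank, non-comment) lines of a file, prefixed
# with its path relative to the root prefix. $3 is an optional extra
# alternation of line prefixes to skip (e.g. 'Defaults' for sudoers).
active_lines() {
  root="$1"; f="$2"; skip="${3:-#}"
  [ -f "$f" ] || return 0
  grep -vE "^[[:space:]]*($skip|\$)" "$f" | sed "s|^|${f#$root}: |"
}

# 1. Files with the .sorry extension, the ransomware indicator named above.
find_sorry_files() {
  find "$1" -xdev -type f -name '*.sorry' 2>/dev/null || true
}

# 2. Cron entries for every account plus the system-wide cron locations.
list_cron_entries() {
  for f in "$1"/var/spool/cron/* "$1"/var/spool/cron/crontabs/* \
           "$1"/etc/cron.d/* "$1"/etc/crontab; do
    active_lines "$1" "$f"
  done
}

# 3. authorized_keys entries for root and every home directory under /home.
list_authorized_keys() {
  for f in "$1"/root/.ssh/authorized_keys "$1"/home/*/.ssh/authorized_keys; do
    active_lines "$1" "$f"
  done
}

# 4. sudoers rules, with comments and Defaults lines dropped.
list_sudoers_entries() {
  for f in "$1"/etc/sudoers "$1"/etc/sudoers.d/*; do
    active_lines "$1" "$f" '#|Defaults'
  done
}

# 5. Accounts other than root that have UID 0 (a classic persistence trick).
list_uid0_accounts() {
  [ -f "$1/etc/passwd" ] || return 0
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1/etc/passwd"
}

triage() {
  echo "== .sorry files (ransomware indicator) =="; find_sorry_files "$1"
  echo "== cron entries =="; list_cron_entries "$1"
  echo "== authorized_keys entries =="; list_authorized_keys "$1"
  echo "== sudoers rules =="; list_sudoers_entries "$1"
  echo "== non-root accounts with UID 0 =="; list_uid0_accounts "$1"
}

# Constructed sample tree (test data, not real server content) so the
# script can be exercised offline; each seeded item mirrors one check.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/etc/sudoers.d" "$d/root/.ssh" "$d/home/alice/.ssh" \
           "$d/home/alice/public_html" "$d/var/spool/cron"
  printf 'root:x:0:0:root:/root:/bin/bash\nalice:x:1001:1001::/home/alice:/bin/bash\nbackup2:x:0:0::/root:/bin/bash\n' > "$d/etc/passwd"
  printf '# default rules\nDefaults env_reset\nroot ALL=(ALL) ALL\n' > "$d/etc/sudoers"
  printf 'alice ALL=(ALL) NOPASSWD: ALL\n' > "$d/etc/sudoers.d/90-alice"
  printf 'ssh-ed25519 AAAAC3-CONSTRUCTED-KEY admin@laptop\n' > "$d/root/.ssh/authorized_keys"
  printf '# added by installer\nssh-rsa AAAAB3-CONSTRUCTED-KEY\n' > "$d/home/alice/.ssh/authorized_keys"
  printf '*/5 * * * * /tmp/.x/run.sh >/dev/null 2>&1\n' > "$d/var/spool/cron/alice"
  : > "$d/home/alice/public_html/index.php.sorry"
  echo "$d"
}

# Usage: sh triage.sh /            (live host)
#        sh triage.sh /mnt/image   (mounted image or restored backup)
if [ $# -gt 0 ]; then triage "$1"; fi
```

The file name triage.sh is an assumption. Everything the script prints is a lead to be checked against your own change records, not a verdict: a cron entry or key you recognise is fine, one you do not is the thing to investigate. The two list items it does not cover are the cPanel login history in /usr/local/cpanel/logs/login_log and access_log, and WHM API tokens, which `whmapi1 api_token_list` enumerates on a live server.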

If anything appears unfamiliar or unexpected, it should be investigated promptly.

If indicators of compromise are found, rebuilding from clean backups is strongly recommended over attempting to clean an affected system.


Support

If you would like assistance reviewing your server or investigating any findings, our support team is available to help.

If you identify any unusual activity, please raise a support ticket and we will prioritise the investigation.

We will continue to monitor the situation and provide updates to this advisory where relevant.


Disclaimer

The information in this advisory is provided in good faith based on information available at the time of writing.

The threat landscape around this vulnerability continues to evolve and we recommend checking back for updates.

Nothing in this advisory constitutes legal or compliance advice. Customers with specific concerns regarding data protection or regulatory obligations should seek independent professional advice.
