Over 40,000 Servers Compromised in Ongoing cPanel Exploitation

Summary

Over 40,000 servers are reportedly compromised due to ongoing exploitation of cPanel. The attacks are believed to target CVE-2026-41940, a recently patched zero-day vulnerability that grants administrative access.

IFF Assessment

FOE

This is bad news for defenders as it indicates a widespread compromise of servers due to an exploited vulnerability.

Severity

9.8 Critical

Given the vulnerability allows administrative access and targets a widely used server management panel, it is highly exploitable and has a critical impact. A CVSS score of 9.8 (Critical) is appropriate, reflecting the potential for widespread unauthorized control.

CISA KEV: Listed as actively exploited. Federal patch due: May 03, 2026. Known ransomware use: Unknown.

Defender Context

This widespread exploitation highlights the critical need for timely patching of server management software like cPanel. Defenders should prioritize patching this vulnerability and monitoring for signs of compromise on their cPanel instances. That the vulnerability was a zero-day, even though it has since been patched, underscores the importance of rapid incident response and vulnerability management.
