Urgent: Critical cPanel Vulnerability (CVE-2026-41940)

cPFence

Heads up to anyone still running cPanel servers

There’s a critical vulnerability (CVE-2026-41940) affecting cPanel & WHM that allows unauthenticated attackers to bypass login and gain full admin access. It’s rated very high severity (CVSS 9.8) and is already being actively exploited in the wild.

This one is serious, if your server is exposed, it can lead to full compromise (sites, databases, everything).

Update immediately to the latest patched version.

Don’t rely on temporary mitigations, patching is strongly recommended.

More info:
https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026

Vory

yup we had three servers hit. It looks like they try and set up an api token so if compromised, password change alone is not enough.

cPFence

Vory

Yeah, same here. We got hit today, but thankfully we had API token notifications enabled, so one of our admins caught it and revoked the token immediately.

Vory

List of IPs involved in the attack on our servers. You might wanna add these to your deny list:

Primary attacker

80.75.212.14

Secondary attackers

68.233.238.100
51.89.19.199

LeakIX scanners

206.81.12.187
157.230.19.140
146.190.63.48
147.182.149.75
165.22.34.189
68.183.9.16
123.100.137.14

Additional attackers

143.244.146.216
146.19.216.120
69.12.74.138
82.29.54.140
23.180.120.132

cPFence

Vory

Makes sense. Most of these IPs are already blacklisted in cPFence IPDB, except a few. The shared hosting industry was hit pretty hard with this cPanel breach, and we’re aware of several major providers that were impacted.

adamx12

We had server impacted by this it pretty much destroyed everything. After access was breach they encrypted all the website files and append .sorry to them. This included cpanel files, backup files, just everything to make website unusable. Key thing here is have an offsite backup for websites and databases.

Omar

Adding IOCs from our investigation — 4 compromised cPanel servers
We had 4 cPanel servers hit in this campaign. Sharing our forensic findings to complement what's already in this thread.

Malware delivery host
87.121.84.78 — Served nuclear.x86 ELF binary. Confirmed part of the CVE-2026-41940 exploit campaign.

C2 / Persistence
165.154.199.52 — C2 server (resolved to 0xa59ac734). Dropper source + daily callback via installed backdoor at /etc/cron.daily/cpanel_sync. If you were compromised, check for this cron entry immediately — password reset alone is not sufficient.

Session injection / WHM root access
68.233.238.100 — Already listed above by @Vory We can confirm: used for unauthenticated session injection leading to direct WHM root access. Aligns with the API token persistence vector mentioned by @cPFence .

SorryLock ransomware delivery
68.183.190.253 — Delivered the SorryLock payload disguised as fav.ico. This is likely the vector @adamx12 experienced with .sorry extensions. The file masquerades as a favicon to bypass naive file-type checks.

Summary of persistence mechanisms we found:

Rogue WHM API tokens (as noted above)
/etc/cron.daily/cpanel_sync backdoor calling back to 165.154.199.52
Ransomware payload dropped as fav.ico before execution

Recommend checking all three on any server that was exposed, even if you think it was caught early.