Particle.news

cPanel Zero-Day Drives Ongoing Exploits as CISA Demands Fast Patching

The flaw lets unauthenticated attackers seize hosting control panels, creating a clear risk of ransomware, botnets, and espionage.

Overview

  • Shadowserver data shows today’s activity is well below the early surge, with roughly 2,000 likely compromised cPanel hosts compared with about 44,000 seen during the first spike.
  • CISA, which added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog on Thursday, ordered federal agencies to patch within four days.
  • The vulnerability is an authentication bypass that injects crafted authorization values into a pre-login session file and then reloads it to grant administrator access without a password.
  • Attackers are using the access for different outcomes, including a Linux ransomware that leaves files with a .sorry extension, Mirai-based botnets and cryptominers on servers, and an espionage campaign against Southeast Asian government and MSP networks.
  • cPanel has released fixed builds and updated its detection script, and administrators are urged to patch, audit session logs and WHM accounts for tampering, and rebuild from clean backups if they find signs of compromise.