“44K unique IP number is based on cPanel spike of devices seen scanning/running exploits/brute force attacks against our honeypot sensors,” the organization said.

As of May 3, that number has dropped significantly, data from The Shadowserver Foundation shows. Most of the affected systems are in the US, with France and the Netherlands rounding out the top three.

Compromised cPanel instances

With all cPanel versions after 11.40 vulnerable, users are advised to update to a patch release as soon as possible and to follow cPanel’s instructions on identifying and addressing potential compromises.

cPanel & WHM versions 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.124.0.35, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, and 11.136.0.5, and WP Squared version 136.1.7 contain the fixes, cPanel’s updated advisory shows.

The US cybersecurity agency CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities (KEV) catalog on Thursday, urging federal agencies to patch it within four days.
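For administrators triaging a fleet against the fixed cPanel & WHM builds listed above, the following is an added example, not code from cPanel or SecurityWeek. It assumes four-part version strings, treats the second component as the release branch, and reads "after 11.40" as branches above 40; the status names, function names and sample inventory are constructed for illustration.

```python
import re

# Fixed cPanel & WHM builds quoted in the article, keyed by release branch
# (the second version component).
FIXED = {}
for _v in ("11.86.0.41", "11.110.0.97", "11.118.0.63", "11.124.0.35",
           "11.126.0.54", "11.130.0.19", "11.132.0.29", "11.134.0.20",
           "11.136.0.5"):
    _parts = tuple(int(x) for x in _v.split("."))
    FIXED[_parts[1]] = _parts

VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")


def classify(version):
    """Classify one installed build against the article's fixed releases."""
    m = VERSION_RE.match(version)
    if not m:
        return "unparseable"
    parts = tuple(int(x) for x in m.groups())
    major, branch = parts[0], parts[1]
    # Assumption: "versions after 11.40" means major 11 with branch > 40.
    if major != 11 or branch <= 40:
        return "outside-affected-range"
    fixed = FIXED.get(branch)
    if fixed is None:
        # The article names no fixed build for this branch; check the advisory.
        return "unlisted-branch"
    # Tuple comparison is numeric, so build 10 sorts after build 5.
    return "patched" if parts >= fixed else "update"


def triage(inventory):
    """Group hostnames by status; inventory maps hostname -> version string."""
    report = {}
    for host, version in sorted(inventory.items()):
        report.setdefault(classify(version), []).append(host)
    return report


# Constructed sample inventory (hostnames and installed builds are made up).
SAMPLE = {
    "web01.example": "11.110.0.97",
    "web02.example": "11.110.0.50",
    "web03.example": "11.136.0.10",
    "web04.example": "11.128.0.10",
    "web05.example": "11.38.0.12",
    "web06.example": "unknown",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as `update` or `unlisted-branch` are the ones to prioritise, and a `patched` result says nothing about whether the system was compromised before the update.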
Ionut Arghire is an international correspondent for SecurityWeek.
Source: SecurityWeek