cPanel Auth Bypass Compromises More Than 40,000 Servers

A critical authentication bypass in cPanel has now compromised more than 40,000 servers, exposing customer websites, databases, and mail systems to full unauthenticated takeover.

Published: June 1, 2026

The cPanel and WHM authentication bypass tracked as CVE-2026-41940 has reached a scale that demands attention from anyone whose business depends on hosted infrastructure. Shadowserver telemetry counts more than 40,000 servers compromised since the patch was released on April 28, and the curve is still climbing. The flaw allows an unauthenticated remote attacker to obtain full administrative access to the cPanel or WHM interface, which in practical terms means complete control of every site, database, and mailbox hosted on the affected server. Source: Innovate Cybersecurity Top 10 (June 1, 2026).

cPanel is the dominant control plane for shared and reseller hosting. It is used by hosting providers serving banks, healthcare providers, government agencies, and many millions of small businesses. The flaw does not care about the tenant. Once the control plane is compromised, every customer on that server is compromised, and the attacker can read or modify any file, change any DNS record, or intercept any email. For larger enterprises that have moved core workloads to cloud platforms, the temptation is to dismiss this as a small-business problem. That dismissal is wrong, because the same enterprises continue to use shared hosting for campaign sites, agency-built microsites, legacy brochureware, and acquired properties that were never migrated.

The exploitation pattern follows a familiar arc. cPanel published the advisory and patch on April 28. Within a week, proof-of-concept exploits circulated on private channels. By mid-May the first opportunistic scanning began, and by late May the attacks had industrialised. Shadowserver's number is a snapshot, not a ceiling. The eventual count will be higher because many smaller hosting providers do not have the operational capacity to patch within thirty days, and because cPanel updates often require a maintenance window that small operators schedule monthly rather than weekly.

The downstream impact is the harder problem. When a hosting server is compromised, attackers typically do three things in sequence. They install a web shell for persistent access, they harvest credentials from every database and configuration file on the server, and they inject malicious content or redirects into customer websites for monetisation. The injected content is often subtle, designed to evade casual review, and is typically aimed at SEO poisoning, cryptocurrency wallet draining, or credential phishing targeted at the customer's own users. The compromise is rarely visible to the customer until the search engines start flagging the site.
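A defender-side check for the injected content described above, added here as an example and not code from the article or from cPanel: it scans one fetched page for off-site meta-refresh and JavaScript redirects and for links hidden inside off-screen or display:none containers, the patterns the article attributes to SEO poisoning and phishing injections. The hostnames and the sample page are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Hypothetical scanner (not from the article): flag stealth off-site redirects and hidden link stuffing.
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|text-indent)\s*:\s*-\d{3,}px", re.I)
JS_REDIRECT = re.compile(r"location(?:\.href)?\s*=\s*['\"](https?://[^'\"]+)", re.I)
META_URL = re.compile(r"url\s*=\s*['\"]?(https?://[^'\";\s]+)", re.I)
VOID = {"meta", "img", "br", "hr", "input", "link", "source"}

class InjectionScanner(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host, self.findings, self.stack, self.in_script = own_host.lower(), [], [], False
    def _external(self, url):                    # does the URL leave our own site?
        host = (urlparse(url).hostname or "").lower()
        return bool(host) and host != self.own_host
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        hidden = bool(HIDDEN.search(a.get("style", ""))) or "hidden" in a
        concealed = hidden or any(self.stack)    # this element or an ancestor is hidden
        m = META_URL.search(a.get("content", "")) if a.get("http-equiv", "").lower() == "refresh" else None
        if tag == "meta" and m and self._external(m.group(1)):
            self.findings.append(("meta-refresh", m.group(1)))
        elif tag == "iframe" and (concealed or "0" in (a.get("width"), a.get("height"))):
            self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "a" and concealed and self._external(a.get("href", "")):
            self.findings.append(("hidden-link", a["href"]))
        elif tag == "script":
            self.in_script = True
        if tag not in VOID:
            self.stack.append(hidden)            # stack holds one "is hidden" bool per open element
    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"
        if tag not in VOID and self.stack:
            self.stack.pop()
    def handle_data(self, data):                 # script bodies arrive here as raw text
        if self.in_script:
            self.findings += [("js-redirect", u) for u in JS_REDIRECT.findall(data) if self._external(u)]

def scan_html(html, own_host):
    p = InjectionScanner(own_host)
    p.feed(html)
    return p.findings

# Constructed sample page: one legitimate link plus three injected artefacts.
SAMPLE = """<html><head><meta http-equiv="refresh" content="0;url=https://attacker.example/landing">
<script>if (document.referrer.indexOf("google") > -1) { window.location.href = "https://attacker.example/seo"; }</script>
</head><body><a href="https://shop.example.com/offer">Offer</a>
<div style="position:absolute;left:-9999px"><a href="https://spam.example/buy">cheap pills</a></div></body></html>"""
```

Run `scan_html(SAMPLE, "shop.example.com")` to get the three findings; in practice the input is the HTML fetched from each inventoried domain, and any finding is a reason to ask the hosting provider for its patch and incident status.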

For operators such as MediaMarktSaturn and REWE digital, the relevance is in the long tail of digital properties. Big retailers carry dozens of acquired brands, regional microsites, and campaign-specific landing pages, many of which were built by agencies and parked on shared hosting. A compromised landing page that quietly redirects to a phishing site is brand damage measured in lost trust, not in stolen bytes. We recommend a fast inventory of every domain the organisation owns, a check of the hosting provider behind each one, and a written request to each provider confirming the patch status of cPanel and WHM. The exercise will surface forgotten domains, which is itself useful.

The structural fix is to reduce the number of cPanel-hosted properties in the estate. Static site generators and serverless hosting platforms have matured to the point where most marketing and microsite use cases no longer need a full hosting control plane. Migrating away from shared hosting removes an entire class of supply chain risk. It also makes the next cPanel vulnerability someone else's problem. The migration cost is real but bounded; the recurring cost of monitoring and incident response on hosted estate is harder to predict and tends to grow.

There is also a regulatory angle worth flagging. Hosting providers that operate within the EU and qualify as essential or important entities under NIS2 are obligated to maintain timely patching and to notify their downstream customers of material incidents. Customers should know the regulatory posture of their hosting provider and should be ready to invoke contractual rights to information when an incident affects shared infrastructure. The legal teams should have template letters ready; drafting under time pressure during an incident is not a good look.

In the meantime, the immediate action is to demand evidence. Hosting contracts rarely include patch SLAs, and providers rarely volunteer their patch status. A direct written request, escalated to the account manager if needed, will either produce confirmation or expose a partner that needs to be replaced. Either outcome is better than waiting to see our company name in a Shadowserver list.

The cPanel flaw also illustrates why CISA's KEV catalog, useful as it is, does not capture the full risk picture. KEV focuses on vulnerabilities that affect federal systems. Hosting platform flaws fall outside that scope, even when they compromise tens of thousands of servers. European operators should not wait for CISA or ENISA to validate severity. Shadowserver, the Spamhaus Project, and independent threat intelligence vendors are publishing the data in real time, and the data is unambiguous.

Tags: #security #cybersecurity #news