Rapid7 has published an emergent threat response on a vulnerability affecting cPanel & WHM and WP Squared, warning it has been observed being exploited in the wild.
The issue, tracked as CVE-2026-41940, is described as an authentication bypass affecting web management panel software that is broadly exposed to the public internet. WHM provides root-level administration, while cPanel is the user-facing interface.
According to Rapid7, successful exploitation could allow an attacker to take control of the cPanel host system, including configurations and databases, and the websites it manages.
Rapid7 also noted the potential scale of exposure, stating that a Shodan query for potential targets returns approximately 1.5 million cPanel instances exposed to the internet that may be vulnerable.
Rapid7’s advisory, including technical details, is available at: https://www.rapid7.com/blog/post/etr-cve-2026-41940-cpanel-whm-authentication-bypass/
