cPanel authentication bypass exploited in wild since February
Critical vulnerability CVE-2026-41940 in cPanel, WHM, and WP Squared is under active exploitation with public proof-of-concept code now available.
A critical authentication bypass vulnerability in cPanel and Web Host Manager (WHM) has been exploited as a zero-day since late February, according to BleepingComputer. The flaw, tracked as CVE-2026-41940, also affects WP Squared and allows attackers to circumvent authentication controls.
The vulnerability was actively exploited in attacks for at least two months before public disclosure. Proof-of-concept exploit code is now publicly available, lowering the barrier for additional threat actors to weaponize the flaw.
cPanel and WHM are widely deployed control panel systems used by hosting providers and enterprises to manage web servers, domains, and email accounts. An authentication bypass in these platforms grants attackers administrative access to server infrastructure, customer data, and hosted websites. WP Squared, a WordPress management tool integrated with cPanel, is similarly affected.
- Hosting providers and enterprises using cPanel must patch immediately or face administrative takeover.
- Customers of affected hosting providers may experience data exposure or service disruption.
- Public PoC availability will accelerate exploitation attempts across unpatched infrastructure.