Hackers Exploit cPanel and WHM Software (CVE-2026-41940)

Kanako Mita, Sawako Utsumi, and Lee Jay Walker

Modern Tokyo Times

A major cybersecurity breach linked to cPanel and Web Host Manager (WHM) escalated rapidly last week, after hackers exploited a critical vulnerability that allowed administrative takeover of affected systems.

The flaw — identified as CVE-2026-41940 — prompted an urgent warning from the Cybersecurity and Infrastructure Security Agency (CISA), which called for the immediate patching of government servers and other critical infrastructure. Officials warned that the vulnerability posed a severe risk due to the level of access it granted attackers.

Investigations suggest the breach may have begun earlier this year, before intensifying sharply following public disclosure. At least 40,000 servers are believed to have been fully compromised, with attackers gaining root-level administrative control. Such access effectively allowed threat actors to seize configurations, databases, and all websites managed through the impacted platforms.

Security Week reported, “CVE-2026-41940 was likely exploited as a zero-day since late February, with activity spiking after the public disclosure and after the threat intelligence firm WatchTowr published technical details.”

The architecture of the affected software significantly amplified the impact. As Bleeping Computer noted, “WHM and cPanel are Linux-based web hosting control panels for server and website management. While WHM provides server-level control, cPanel provides administrator access to the website backend, webmail, and databases.”

Within days, the scale of the incident widened further, with reports indicating that at least 44,000 IP addresses had been compromised in connection with the breach.

No single perpetrator has been identified. Instead, multiple threat actors appear to have exploited the vulnerability concurrently. Observed activity includes deployments of the “Sorry” ransomware strain, operations linked to the Mirai botnet, and indications of cyber-espionage campaigns targeting parts of Southeast Asia.

The speed and scope of the compromise — particularly the rapid acquisition of root-level control across thousands of servers — caught many in the cybersecurity community off guard. In response, major hosting providers, including HostGator and KnownHost, implemented emergency measures to mitigate the damage.

Although patches have since been released by cPanel and WHM, the full extent of the breach remains unclear. The incident underscores the systemic risks posed by vulnerabilities in widely used hosting infrastructure — and the speed at which such weaknesses can be weaponized once exposed.
