CISA Mandates Patch for Actively Exploited cPanel Vulnerability: CVE-2026-41940
Federal agencies are under urgent directive to patch **CVE-2026-41940**, a critical vulnerability affecting **cPanel & WHM**. The Cybersecurity and Infrastructure Security Agency (**CISA**) has confirmed active exploitation, potentially leading to complete server compromise and data theft.
Federal agencies face a May 3rd deadline to address a critical security flaw impacting a widely used system for server and website management.
**Urgent Patch Required for cPanel & WHM**
**CISA** has ordered all federal agencies to patch **CVE-2026-41940**, a high-severity vulnerability in **cPanel & WHM**. This Linux-based tool, owned by **WebPros International**, is a popular web hosting control panel suite used to manage millions of domains.
**Severity and Impact**
According to incident responders at **Rapid7**, successful exploitation of **CVE-2026-41940** grants an attacker complete control over the **cPanel** host system, including its configurations, databases, and managed websites. The vulnerability boasts a CVSS score of 9.8 out of 10, indicating its critical nature.
Experts warn that attackers could leverage this bug to fully compromise servers, steal sensitive data, manipulate hosted content, and cause significant service disruptions.
**Exploitation in the Wild**
Multiple cybersecurity firms have reported the existence of vulnerable **cPanel** instances exposed to the internet. **CISA** confirmed on Thursday that the vulnerability is actively being exploited. Alongside patches, **cPanel** has released a tool to help organizations determine if they have been compromised.
**Discovery and Response**
The vulnerability was initially highlighted by cybersecurity experts at **watchTowr**, who also released a tool to help defenders identify vulnerable hosts. Evidence suggests the bug has been exploited since February.
**Industry Response**
U.S. domain name registrar **Namecheap** issued an advisory warning customers that measures to address the vulnerability might temporarily restrict access to their **cPanel** and **WHM** interfaces.
According to **Benjamin Harris**, CEO of **watchTowr**, many major hosting providers, including Hosting.com, **Namecheap**, KnownHost, HostPapa, and InMotion, implemented emergency measures to protect their customer base from widespread compromise.
"Hosting.com, Namecheap, KnownHost, HostPapa, InMotion and the rest all pulled the emergency brake because the alternative was watching their entire customer base get owned in real-time," Harris said. "Once again, we're running around with half the Internet seemingly ablaze, and given the increased usage of AI in vulnerability research, we anticipate this new normal to become increasingly familiar."
By [Jonathan Greig](https://therecord.media/author/jonathan-greig)