ACSC Warns of Active cPanel CVE-2026-41940 Exploitation in Australia

ASD’s ACSC warned on 1 May 2026 that attackers are actively exploiting CVE-2026-41940, a critical authentication bypass in cPanel and WHM, against Australian organisations. Updated 25 June 2026.
The ACSC critical alert followed vendor patches released 30 April 2026 and reporting from Cyber Daily that Australian hosting environments were targeted.
Small businesses on shared or reseller hosting may not know they depend on cPanel until a provider email arrives. Treat this as a supply-chain incident if you outsource website administration.
What the vulnerability allows
CVE-2026-41940 is an authentication bypass in cPanel and WHM session handling, rated CVSS 9.8 (critical). An unauthenticated remote attacker can obtain administrative access and potentially execute code on the control panel host. Because WHM is the server-wide, root-level interface, a compromise there puts every account and site hosted on that server at risk, not just one tenant.
cPanel’s security update notes all versions after 11.40 were affected until patched builds shipped 28 April 2026. WP Squared instances up to a specified version were also in scope.
Evidence of exploitation
Industry reporting suggests in-the-wild exploitation may predate public disclosure by weeks. Hosting providers and Rapid7 cited managed hosts seeing activity from late March 2026 onward.
Internet-wide scans (Shodan and similar services) cited in security blogs found large numbers of cPanel and WHM interfaces reachable from the public internet. An exposed admin interface running software with a known, unauthenticated bypass is a predictable compromise, not a theoretical risk.
ACSC recommended actions
Identify cPanel or WHM use in your environment, including systems run for you by MSPs and hosting resellers. Patch immediately using the vendor's procedures, commonly `/scripts/upcp --force` followed by the service restarts cPanel's guidance specifies, then confirm the installed build with `/usr/local/cpanel/cpanel -V` rather than trusting the panel's version banner alone.
Restrict the admin ports from the public internet where feasible (by default 2082/2083 for cPanel, 2086/2087 for WHM and 2095/2096 for webmail). Run the vendor's IoC detection scripts against the session directories. Notify ACSC if compromise is confirmed.
What SMB website owners should ask hosts
Confirm patch level and restart times for your tenant server. Ask whether admin ports were temporarily blocked during emergency mitigation. Request log review covering March through patch date for suspicious admin logins.
If you self-manage a VPS with cPanel, patch today before reading further. Assume session directories need scanning even if version strings look current.
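The log review asked for above (and again in the provider template later on the page), as an added example that is not from ACSC, cPanel or this page's author: a small Python triage that reads cPanel access-log lines and flags three generic indicators of misuse during the exposure window: WHM (port 2086/2087) activity from IPs outside your admin allow list, account-creating or credential-changing WHM API calls, and one session token used from more than one source IP. The log layout (Apache-combined-like fields with the destination port appended, month/day/year timestamps), the allow-list IP, the review window and every sample line are constructed assumptions for this example, not real log data or vendor-published IoCs; adjust the regex to what your own `/usr/local/cpanel/logs/access_log` actually contains.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed line layout (an assumption for this example, check it against your own
# access_log): client IP, '-', authenticated user, [mm/dd/yyyy:HH:MM:SS zone],
# "METHOD path HTTP/x", status, bytes, referer, user agent, destination port.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'.*?(?P<port>\d+)$'
)
SESSION_RE = re.compile(r'/cpsess(?P<token>\d+)/')   # cpsess tokens mark panel sessions

WHM_PORTS = {"2086", "2087"}                          # server-wide admin interface
# WHM API 1 calls that create accounts or change credentials; seeing these
# succeed from an IP you do not recognise is a strong signal.
SENSITIVE_CALLS = ("/json-api/createacct", "/json-api/setupreseller", "/json-api/passwd")

ADMIN_ALLOWLIST = {"192.0.2.25"}                      # your own admin egress IPs (assumed)
WINDOW_START = datetime(2026, 3, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 30, 23, 59, 59, tzinfo=timezone.utc)

# Constructed sample lines (not real log data). 192.0.2.25 is the legitimate
# admin; 198.51.100.7 and 203.0.113.10 share one root session token.
SAMPLE_LOG = """\
198.51.100.7 - root [03/28/2026:02:14:07 -0000] "GET /cpsess9876543210/json-api/listaccts?api.version=1 HTTP/1.1" 200 5120 "-" "python-requests/2.31" 2087
203.0.113.10 - root [03/28/2026:02:15:30 -0000] "POST /cpsess9876543210/json-api/createacct?api.version=1 HTTP/1.1" 200 640 "-" "python-requests/2.31" 2087
198.51.100.7 - - [03/28/2026:02:16:00 -0000] "GET /login/ HTTP/1.1" 401 0 "-" "python-requests/2.31" 2086
192.0.2.25 - root [03/29/2026:09:00:02 -0000] "GET /cpsess1122334455/scripts/command HTTP/1.1" 200 2048 "-" "Mozilla/5.0" 2087
192.0.2.25 - acmeweb [04/01/2026:11:20:45 -0000] "GET /cpsess5566778899/frontend/jupiter/index.html HTTP/1.1" 200 30000 "-" "Mozilla/5.0" 2083
203.0.113.10 - root [02/10/2026:08:00:00 -0000] "GET /cpsess4444444444/json-api/listaccts?api.version=1 HTTP/1.1" 200 5120 "-" "curl/8.0" 2087
"""


def parse_line(line):
    """Return a dict of fields for one access_log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%m/%d/%Y:%H:%M:%S %z")
    sess = SESSION_RE.search(rec["path"])
    rec["session"] = sess.group("token") if sess else None
    return rec


def triage(log_text, admin_allowlist, window_start, window_end):
    """Flag successful admin activity inside the window that a human should review."""
    findings = []
    session_ips = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not (window_start <= rec["when"] <= window_end):
            continue
        if rec["status"] != "200":
            continue                      # failed requests are noise for this pass
        if rec["session"]:
            session_ips[rec["session"]].add(rec["ip"])
        if rec["port"] in WHM_PORTS and rec["ip"] not in admin_allowlist:
            findings.append(("whm_from_unexpected_ip", rec["ip"], rec["path"]))
        if rec["path"].split("?")[0].endswith(SENSITIVE_CALLS):
            findings.append(("sensitive_api_call", rec["ip"], rec["path"]))
    # A panel session token seen from more than one network is how a hijacked
    # or forged session looks in the access log.
    for token, ips in session_ips.items():
        if len(ips) > 1:
            findings.append(("session_used_from_multiple_ips", token, ",".join(sorted(ips))))
    return findings


def run_example():
    return triage(SAMPLE_LOG, ADMIN_ALLOWLIST, WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    for finding in run_example():
        print(*finding)
```

Run the vendor's own IoC scripts first; this pass only surfaces what a person should look at next. Export the log before any service restart, and treat a root session token seen from two different networks as something to raise with the host or ACSC rather than explain away.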
Local IT support is listed in our repair directory.
After patching
Rotate all hosting passwords, FTP accounts, database users, and CMS admin credentials. Attackers with panel access often create persistent web shells or spam relays.
Review website file trees for unknown PHP uploads and email forwarding rules used in phishing campaigns.
Relation to FortiBleed June alerts
cPanel and Fortinet incidents both show attackers targeting internet-administered infrastructure with credential or session weaknesses. Different products, same lesson: admin interfaces belong off the open internet and on current patches.
Shared hosting tenants: what to verify
Most small businesses on shared hosting never see cPanel unless they buy reseller plans. Your risk still exists because one compromised server host affects every site on the box. Ask your provider whether your account shares a host with hundreds of tenants and what isolation exists after patch application.
Website owner checklist after provider patches
Rotate WordPress admin passwords, FTP/SFTP credentials, database users, and email accounts tied to the domain. Review file managers for unknown PHP files in uploads directories. Check email forwarding rules attackers use for invoice fraud. Scan for unexpected admin users in CMS dashboards even if the host claims clean IoC results.
If you self-manage VPS hosting with cPanel, run vendor IoC scripts yourself and store log exports before rebooting services. Document patch timestamps for clients who rely on your stack.
Preventing repeat exposure
Move admin access behind a VPN or IP allow list where possible, so the cPanel and WHM ports are never reachable from arbitrary addresses. Enable two-factor authentication on hosting panels and CMS accounts. Decommission forgotten servers and remove stale DNS records and subdomains that still point at old cPanel ports; an unpatched panel nobody remembers is the easiest target on the estate.
Our blog tracks ACSC alerts affecting Australian SMBs. Find local support through the directory if you need help validating hosting compromise.
WordPress and CMS hardening after panel access
Attackers with cPanel access often install malicious plugins or create hidden admin users. Review installed plugins against a known-good list. Compare file modification dates in wp-content against your last legitimate deploy. Enable two-factor authentication on every administrator account, and remove unused themes and plugins: even inactive ones leave PHP reachable over the web and stop receiving patches once abandoned.
E-commerce sites should check payment plugin integrity and webhook URLs for unauthorised redirects before resuming trading.
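The file-tree review described in this section (and earlier under "After patching" and the website owner checklist), as an added example written for this page rather than taken from cPanel, WordPress or ACSC: a Python scan of a WordPress document root that applies four checks from the text: PHP files inside an uploads tree, files modified after your last legitimate deploy, PHP matching common webshell constructs, and plugin directories absent from a known-good list. The tree it scans is constructed in a temporary directory for the demonstration (the plugin name `wp-seo-helper`, the planted `cache.php` and the approved-plugin list are made up), and the webshell patterns are generic heuristics, not vendor IoCs.

```python
import os
import re
import shutil
import tempfile
import time
from pathlib import Path

# Generic webshell constructs (heuristics for this example, not vendor IoCs).
SHELL_PATTERNS = [
    re.compile(rb"eval\s*\(\s*base64_decode\s*\("),
    re.compile(rb"\b(system|passthru|shell_exec|popen)\s*\(\s*\$_(GET|POST|REQUEST)"),
    re.compile(rb"\bassert\s*\(\s*\$_(GET|POST|REQUEST)"),
]
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".inc"}
KNOWN_GOOD_PLUGINS = {"akismet"}          # your own approved list (assumed for the example)


def scan_wordpress(root, last_deploy_epoch, known_good_plugins):
    """Return (check, relative_path) tuples for anything that needs an owner's explanation."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        parts = rel.split("/")
        is_php = path.suffix.lower() in PHP_SUFFIXES
        # 1. Executable PHP under an uploads tree is never legitimate on WordPress.
        if is_php and "uploads" in parts:
            findings.append(("php_in_uploads", rel))
        # 2. Anything touched after the last known-good deploy needs an owner.
        if path.stat().st_mtime > last_deploy_epoch:
            findings.append(("modified_after_deploy", rel))
        # 3. Content matching common webshell constructs.
        if is_php and any(p.search(path.read_bytes()) for p in SHELL_PATTERNS):
            findings.append(("webshell_pattern", rel))
    # 4. Plugin directories missing from the approved list.
    plugins_dir = root / "wp-content" / "plugins"
    if plugins_dir.is_dir():
        for entry in sorted(plugins_dir.iterdir()):
            if entry.is_dir() and entry.name not in known_good_plugins:
                findings.append(("unknown_plugin", entry.relative_to(root).as_posix()))
    return findings


def build_demo_root(last_deploy_epoch):
    """Constructed WordPress-like tree with one planted problem per check (not real site data)."""
    root = Path(tempfile.mkdtemp(prefix="wpdemo_"))
    old, new = last_deploy_epoch - 86400, last_deploy_epoch + 3600

    def put(rel, content, mtime):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        os.utime(p, (mtime, mtime))

    put("wp-config.php", b"<?php define('DB_NAME', 'wp');\n", new)              # edited post-deploy
    put("wp-includes/functions.php", b"<?php // core file\n", old)
    put("wp-content/plugins/akismet/akismet.php", b"<?php // approved plugin\n", old)
    put("wp-content/plugins/wp-seo-helper/loader.php", b"<?php // not on the list\n", old)
    put("wp-content/uploads/2026/03/image.jpg", b"\xff\xd8\xff\xe0", old)
    put("wp-content/uploads/2026/04/cache.php",
        b"<?php eval(base64_decode($_POST['x'])); ?>", new)                    # planted shell
    return root


def run_example():
    last_deploy = time.time() - 30 * 86400        # pretend the last clean deploy was 30 days ago
    root = build_demo_root(last_deploy)
    try:
        return scan_wordpress(root, last_deploy, KNOWN_GOOD_PLUGINS)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for check, rel in run_example():
        print(f"{check:24} {rel}")
```

Point `scan_wordpress` at a copy of the real document root (taken before anyone "cleans up") and at the timestamp of your last known-good deploy. A file hitting the uploads, modified-after-deploy and webshell checks at once, as the planted `cache.php` does here, is the pattern to escalate; a lone modified-after-deploy hit on `wp-config.php` may be a legitimate edit, but it still needs someone to say so.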
Hosting provider communication template
Email your host requesting written confirmation of CVE-2026-41940 patch date, IoC scan results, whether admin ports were restricted during mitigation, and any anomalous admin logins on your tenant between March and patch day. Keep responses with cyber insurance records. If the host cannot answer clearly, treat shared infrastructure as higher risk until evidence arrives.
Staging sites and dev subdomains
Developers often leave staging WordPress installs on the same cPanel account with weaker passwords. Attackers pivot from production to staging and back. Audit all subdomains on the hosting account, not only the primary live domain, during post-incident reviews.
Frequently Asked Questions
Which CVE did ACSC alert on for cPanel?
ACSC’s 1 May 2026 critical alert covers CVE-2026-41940 affecting cPanel and WHM products.
Are Australian organisations affected?
ACSC stated it is aware of active exploitation in Australia and advised immediate patching and monitoring.
What if my host manages cPanel for me?
Request written confirmation of patch application, IoC scans, and any indicators of compromise on your account.
More at computerrepairsnear.me/blog.