cPanel and WHM Authentication Bypass Under Active Attack — Patch Today

The Australian Signals Directorate’s Cyber Security Centre is warning of active exploitation in Australia of a critical authentication bypass in cPanel and WebHost Manager (WHM) — the control panel software that sits behind millions of business websites and email accounts. The flaw, tracked as CVE-2026-41940, has a CVSS score of 9.3 and lets an unauthenticated attacker walk straight into the admin panel and run code on the server, as reported by Help Net Security.

Why it matters

cPanel and WHM are everywhere. If your business has a website, an email server, or an internal app hosted with a small-to-mid Australian provider, there’s a fair chance cPanel is somewhere in the stack. Attackers are using this bug to take over hosting accounts, redirect customer traffic, drop ransomware, and pivot into managed service provider networks. Reporting suggests exploitation has been going on quietly since late February — well before the patch landed on 30 April 2026.

What to do today

  • Ask your hosting provider or web developer whether their cPanel/WHM has been updated to the patched May 2026 release. If they can’t answer, escalate.
  • If you run cPanel yourself, update immediately and rotate API tokens, FTP credentials, and admin passwords.
  • Review server logs for unfamiliar admin logins or new accounts created since late February.
  • Lock WHM access down by IP where possible — there’s no good reason for the panel to be open to the whole internet.
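
One way to run the log review from the list above, as an added example rather than code from cPanel or this blog. It assumes a colon-delimited account log in the style of /var/cpanel/accounting.log (check the field order on your own server), a cutoff of 20 February 2026 standing in for "late February", and an admin range of 203.0.113.0/24; the sample lines are constructed.

```python
import ipaddress
import re
from datetime import datetime

# Assumed line layout: "<ctime>:<ACTION>:<actor>:<owner>:<domain>:<ipv4>:<user>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}):"
    r"(?P<action>[A-Z]+):[^:]*:[^:]*:"
    r"(?P<domain>[^:]*):(?P<ip>[\d.]+):(?P<user>[^:\s]+)$"
)
SINCE = datetime(2026, 2, 20)  # assumed cutoff standing in for "late February"
TRUSTED = [ipaddress.ip_network("203.0.113.0/24")]  # assumed admin range

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = """\
Thu Feb 12 09:14:03 2026:CREATE:root:root:shop.example.com:203.0.113.10:shopex
Thu Mar  5 02:41:17 2026:CREATE:root:root:cdn-sync.example.net:198.51.100.77:cdnsync
Tue Apr 14 11:02:55 2026:CREATE:root:root:blog.example.org:203.0.113.10:blogex
Tue Apr 14 11:09:30 2026:REMOVE:root:root:old.example.org:203.0.113.10:oldex
this line is malformed and must not crash the review
"""

def review_creations(lines, since=SINCE, trusted=TRUSTED):
    """Return (findings, unparsed) for CREATE events at or after `since`."""
    findings, unparsed = [], []
    for line in (raw.strip() for raw in lines):
        if not line:
            continue
        m = LINE_RE.match(line)
        try:
            when = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            ip = ipaddress.ip_address(m["ip"])
        except (TypeError, ValueError):  # no regex match, bad date or bad IP
            unparsed.append(line)
            continue
        if m["action"] == "CREATE" and when >= since:
            findings.append({"when": when, "user": m["user"], "domain": m["domain"],
                             "ip": str(ip),
                             "trusted_source": any(ip in n for n in trusted)})
    # Untrusted sources first, then oldest first.
    findings.sort(key=lambda f: (f["trusted_source"], f["when"]))
    return findings, unparsed

if __name__ == "__main__":
    found, bad = review_creations(SAMPLE_LOG.splitlines())
    for f in found:
        tag = "known-range" if f["trusted_source"] else "REVIEW"
        print(f'{f["when"]:%Y-%m-%d %H:%M} {tag:11} {f["user"]} {f["domain"]} from {f["ip"]}')
    print(f"{len(bad)} unparsed line(s) need a manual look")
```

Lines that do not parse are returned rather than dropped, so a changed log format or an IPv6 source shows up as work to do instead of silently passing the review.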

If you’re not sure whether you’re exposed, our team can run an external check on your hosted environments. Have a look at our cybersecurity service or get in touch.
