A critical authentication bypass in cPanel & WHM (CVE-2026-41940) is being actively exploited and has prompted an ACSC alert. The flaw — a CRLF injection in the login flow — lets an unauthenticated attacker forge a root-level admin session by tampering with the whostmgrsession cookie. cPanel shipped emergency patches on 28 April, but as Help Net Security reports, in-the-wild exploitation had already been running for roughly two months before that patch landed.
The scale is the worrying bit. Around 1.5 million internet-exposed cPanel instances show up on Shodan, and most Australian SMB websites — from cafés and clubs to NFP donor portals — sit behind a cPanel-managed shared host somewhere. A successful exploit hands an attacker root over the host: every site on it, every database, every email account, every backup. If your hosting provider hasn’t patched, the entire neighbourhood of sites on that server is exposed.
What to do today. If you self-manage a server, upgrade to cPanel & WHM 11.136.0.5 (or WP Squared 136.1.7) immediately. If your website lives with a hosting provider — which is most Australian small businesses — send them a one-line email today: “Have you patched CVE-2026-41940, and when?” Then review your site and email logs back to mid-February for unexpected admin logins, new WHM accounts, or cron jobs you didn’t create. Rotate all admin passwords and revoke any API tokens issued before the patch.
If you’d like us to check whether your hosting and websites are exposed — and shore up the rest of your perimeter while we’re at it — our cybersecurity team can run a same-week assessment.
