
CVE-2026-41940 in cPanel/WHM: Actively Exploited RCE Added to CISA KEV Catalog

May 01, 2026 | Exploit Risk: 0.266 | Intelligence Score: 57/100 | 31 sources synthesized
Intelligence Metadata
First Reported By: portal.auscert.org.au
Outbreak Velocity: 1264 minutes to 5 unique domains
Consensus: 31 sources across at least 5 unique domains
CVSS Score: Not available
EPSS Score: 0.1652 (95.3rd percentile)
CISA KEV Status: Confirmed
Exploit Risk Score: 0.2661
Race Label: ZERO-DAY RACE

Technical Analysis

Technical analysis indicates that CVE-2026-41940 belongs to a vulnerability class enabling unauthenticated remote code execution (RCE). Sources have confirmed its exploitation as a zero-day against public-facing cPanel and WHM servers. The attack vector allows an adversary to execute arbitrary code on the underlying system, leading to full compromise. The public release of a Proof-of-Concept (PoC) exploit has significantly lowered the technical barrier for widespread attacks.

There is conflicting intelligence regarding the full scope of affected products. While cPanel and WHM are the primary targets of observed exploitation, the official CVE vendor is listed as Google, and some security reporting associates this event with a separate CVSS 10.0 RCE in Google's Gemini CLI. This discrepancy suggests the vulnerability may reside in a shared library or underlying component. While NVD has not yet published a CVSS score, field reports cite scores of 9.8 and 10.0, consistent with an unauthenticated RCE.

Affected Systems

Vendor: cPanel, Google
Affected Versions:
  • cPanel
  • WHM
  • Reportedly Google Gemini CLI CI
Exposure: Publicly facing web servers with cPanel/WHM administrative interfaces.
Blast Radius: High. cPanel and WHM are foundational components of the web hosting industry, potentially exposing millions of downstream websites and servers to compromise.

Intelligence Context

The addition of CVE-2026-41940 to the CISA KEV catalog on April 30, 2026, is the definitive signal for immediate defender action. This confirms active, in-the-wild exploitation. The 'ZERO-DAY RACE' designation indicates attackers had pre-disclosure access, placing defenders in a reactive posture. The high EPSS score (0.1652), placing it in the 95th percentile of all CVEs for exploitability, reinforces the KEV status and provides a clear, data-driven mandate for maximum prioritization. The availability of a public PoC accelerates the threat from targeted attacks to widespread, opportunistic scanning. Ambiguity regarding the vendor and full product scope should not delay patching of confirmed affected systems.

Remediation & Defense

Patch immediately. The combination of CISA KEV status, zero-day exploitation, and a public PoC makes this the highest remediation priority.
Patch Status: Available
Patch Version: Not available in provided intelligence. Consult vendor advisories for specific patched versions.
Workarounds:
  • Restrict network access to cPanel, WHM, and Webmail services (ports 2083, 2087, 2096) to trusted IP addresses only.
  • If patching is not immediately possible, review web server logs for anomalous requests and process execution.
Detection Hints:
  • Monitor web server access logs for unusual POST requests to cPanel/WHM endpoints from unknown IP addresses.
  • Monitor for unexpected child processes spawned by the web server's user account (e.g., `nobody`, `www-data`).
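The first detection hint can be turned into a simple log triage pass. The following is an added example, not code from the original report or from cPanel: it flags POST requests to the management ports listed above when the client is outside a trusted allowlist. The log layout (combined-log style with the listening port as the final field), the trusted ranges, and all sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

MGMT_PORTS = {2083, 2087, 2096}  # cPanel, WHM, Webmail ports named in the workaround
# Assumption: trusted admin networks; replace with your own ranges.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
# Assumption: combined-log-style lines with the listening port as the last field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ .*? (?P<port>\d+)$'
)

def is_trusted(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparseable client address is never trusted
    return any(ip in net for net in TRUSTED_NETS)

def untrusted_posts(lines):
    """Return (ip, port, path, status) for POSTs to management ports from untrusted IPs."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        port = int(m["port"])
        if m["method"] == "POST" and port in MGMT_PORTS and not is_trusted(m["ip"]):
            hits.append((m["ip"], port, m["path"], int(m["status"])))
    return hits

def summarize(hits):
    """Count flagged requests per source address, busiest first."""
    return Counter(hit[0] for hit in hits).most_common()

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    '192.0.2.10 - root [01/May/2026:10:00:01 +0000] "POST /login/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11)" "s" "-" 2087',
    '203.0.113.7 - - [01/May/2026:10:00:05 +0000] "POST /login/ HTTP/1.1" 401 120 "-" "curl/8.5" "s" "-" 2087',
    '203.0.113.7 - - [01/May/2026:10:00:06 +0000] "POST /login/ HTTP/1.1" 401 120 "-" "curl/8.5" "s" "-" 2083',
    '198.51.100.23 - - [01/May/2026:10:01:00 +0000] "GET / HTTP/1.1" 200 900 "-" "Mozilla/5.0" "s" "-" 2096',
    '2001:db8::5 - - [01/May/2026:10:02:00 +0000] "POST /login/ HTTP/1.1" 200 300 "-" "python-requests/2.32" "s" "-" 2096',
    '203.0.113.7 - - [01/May/2026:10:03:00 +0000] "POST /contact HTTP/1.1" 200 88 "-" "curl/8.5" "s" "-" 443',
]

if __name__ == "__main__":
    for ip, count in summarize(untrusted_posts(SAMPLE)):
        print(f"{ip}\t{count} POST(s) to management ports")
```

Adjust `LINE_RE` to the access-log format your servers actually write before relying on the output; lines that do not match are skipped silently.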
