
If your business uses cPanel or WHM to manage its website or hosting environment, you need to read this today.
Australia’s peak cybersecurity authority has confirmed that a critical vulnerability is being actively exploited right now. It affects software used to manage millions of websites around the world, including many Australian businesses.
Here is what you need to know and what you should do next.
What Is cPanel and WHM?
Before we get into the threat, it helps to understand what these tools actually are.
cPanel is software that lets website owners manage their hosting account. You can use it to manage files, email addresses, databases, and domain settings.
WHM (WebHost Manager) sits above cPanel. It gives server administrators root-level access to the entire server. Think of WHM as the master key to the building, and cPanel as the key to an individual apartment.
Many Australian businesses use these tools directly, or rely on web hosting providers that use them in the background.
What Is the Vulnerability?
On 28 April 2026, cPanel issued a security update to fix a critical vulnerability affecting cPanel, WHM, and WP Squared products. The vulnerability, tracked as CVE-2026-41940, has a CVSS score of 9.8 out of 10 and allows unauthenticated remote attackers to bypass authentication and gain unauthorised administrative access to affected systems.
In plain English: an attacker does not need a password to break in. They can walk straight past the login screen.
Because the flaw is an authentication bypass, it can allow unauthenticated remote attackers to gain access to the control panel and carry out remote code execution. It affects all versions after 11.40, which was released in 2013.
That means almost every version of cPanel and WHM released in the past decade is affected.
How Serious Is This?
Very serious.
An attacker with WHM access can read every customer hosting account, modify files and databases, create backdoor accounts, install malware, steal credentials, and pivot into customer networks.
The Shadowserver Foundation reported more than 44,000 IPs were likely compromised, based on a spike in scanning, exploits, and brute force attacks against its honeypot sensors.
This is not a theoretical risk. Active exploitation is already underway globally, and the ACSC has confirmed it is happening in Australia.
A Real Example: What Happened to One of Our Clients
We have seen first-hand what happens when an attacker gets into a hosting environment like this. Unfortunately, we have helped a number of businesses through exactly this kind of situation.
One case stands out.
A client came to us after noticing something was off with their email. Customers were not receiving their messages. Sales follow-ups were going nowhere. Important correspondence was disappearing into the void.
When we investigated, we found their website had been compromised. An attacker had installed malicious code on their server without them knowing. The code was quietly running in the background, using the client’s own domain to send out thousands of phishing and spam emails to targets around the world.
The client had no idea it was happening.
By the time we were called in, the damage was already significant. Because so many spam and phishing emails had been sent from their domain, spam filtering services had flagged and blacklisted it. That blacklisting meant that legitimate emails sent by the business were being blocked or rejected by most email providers. Their customers simply were not receiving them.
For a business that relies on email to communicate with clients, follow up on quotes, and send invoices, this was a serious problem.
The remediation process took several weeks. We had to locate and remove all the malicious code from the website, which was spread across multiple files. We then had to identify every spam filtering and blacklist provider that had flagged the domain. Each one required a separate review request and removal application. Some were straightforward. Others took time and follow-up.
During that entire period, the business had limited confidence in their outbound email. Some messages got through. Others did not. They had no way of knowing which.
This is just one example. We have helped businesses deal with attackers who installed backdoors for future access, replaced website content with malicious pages, redirected visitors to scam sites, and harvested customer data quietly over months.
The common thread in almost every case is the same: the business did not know anything had happened until the damage was already done.
A compromised server does not always announce itself. That is what makes it so dangerous.
What Has the ACSC Said?
ASD’s ACSC is aware of active exploitation in Australia of a critical vulnerability affecting cPanel and WHM products. Patches have been released as of 30 April 2026.
The ACSC advises organisations to:
- Review networks and environments for use of vulnerable versions of cPanel and WHM products
- Review the need to continue to have the interface exposed to the internet
- Apply patches as soon as practicable
- Monitor for suspicious activity
The ACSC does not issue urgent alerts for minor issues. When they say act now, they mean it.
You can read the full ACSC advisory at cyber.gov.au for the official guidance and latest updates.
Who Is at Risk?
You may be affected if any of the following apply to your business:
- Your website is self-hosted on a server running cPanel or WHM
- You use a web hosting provider that uses cPanel (many shared hosting providers do)
- You manage multiple websites or client sites through WHM
- You have not recently reviewed or patched your hosting environment
A Shodan query for potential targets returns approximately 1.5 million cPanel instances exposed to the internet that may be vulnerable. Exploitation was possibly happening as early as February 2026, prior to the vulnerability’s public disclosure.
Many businesses will not know they are running a vulnerable version until they check.
What Should You Do Right Now?
Step 1: Check if you use cPanel or WHM
Log in to your hosting control panel. If it looks like cPanel, you are likely using it. If you are unsure, contact your hosting provider and ask directly.
Step 2: Apply the patch immediately
The cPanel maker urged customers to ensure their systems are patched, as the bug affects all supported versions of the software. Many commercial web hosting companies have already patched their customers’ systems.
If your hosting is managed by a provider, contact them to confirm the patch has been applied. If you manage your own server, apply the update now.
Step 3: Check for signs of compromise
The vendor has released Indicator of Compromise (IoC) detection scripts, which may assist in detecting compromise. If you are not sure how to run these checks, this is where professional help is important.
Step 4: Review your exposure
Ask whether your cPanel or WHM login panel actually needs to be accessible from the public internet. Limiting access to trusted IP addresses significantly reduces risk.
Step 5: Get a professional security assessment
Patching the known vulnerability is only one part of the picture. A full security audit will help you understand what else may have been exposed and whether any damage has already been done.
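For Step 4, one way to see which addresses outside your trusted ranges are actually reaching the panel before you restrict it. This is an added example, not code from cPanel or the ACSC; the log layout, the trusted range and the sample lines are constructed assumptions, so check the pattern against your own access log first.

```python
import ipaddress
import re
from collections import Counter

# Default cPanel & WHM service ports (plain and TLS).
PANEL_PORTS = {
    2082: "cPanel", 2083: "cPanel (TLS)",
    2086: "WHM", 2087: "WHM (TLS)",
    2095: "Webmail", 2096: "Webmail (TLS)",
}

# Assumed layout: client IP first, bracketed timestamp, quoted request,
# status code, and the listening port as the last field on the line.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} .* (?P<port>\d+)$')

def untrusted_panel_access(lines, trusted_cidrs):
    """Return ({(ip, service): hits}, skipped) for panel requests from outside trusted_cidrs."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits, skipped = Counter(), 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1          # unparseable lines are counted, not silently dropped
            continue
        port = int(m["port"])
        if port not in PANEL_PORTS:
            continue              # not a control-panel listener
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            skipped += 1
            continue
        if not any(ip in net for net in nets):
            hits[(str(ip), PANEL_PORTS[port])] += 1
    return dict(hits), skipped

# Constructed sample lines using documentation-only address ranges.
SAMPLE_LOG = [
    '203.0.113.10 - root [04/30/2026:09:00:01 -0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/5.0" "s" "-" 2087',
    '198.51.100.7 - - [04/30/2026:09:02:13 -0000] "GET / HTTP/1.1" 401 0 "-" "curl/8.0" "-" "-" 2087',
    '198.51.100.7 - - [04/30/2026:09:02:14 -0000] "POST /login/ HTTP/1.1" 401 0 "-" "curl/8.0" "-" "-" 2087',
    '192.0.2.44 - alice [04/30/2026:09:05:40 -0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/5.0" "s" "-" 2083',
    'not a log line',
]
TRUSTED = ["203.0.113.0/24"]  # hypothetical office range

if __name__ == "__main__":
    found, skipped = untrusted_panel_access(SAMPLE_LOG, TRUSTED)
    for (ip, service), n in sorted(found.items()):
        print(f"{ip:15} {service:14} {n} request(s)")
    print(f"{skipped} line(s) could not be parsed")
```

If the result is empty over a representative period of real log data, the trusted ranges can be enforced at the firewall without locking out legitimate administrators.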
Why a Security Audit Matters Here
Patching stops new attacks through this specific vulnerability. But if attackers got in before the patch was applied, the damage may already be done.
A professional security audit helps you answer the critical questions:
- Was our environment compromised before the patch?
- Are there backdoors or malware left behind?
- Are there other vulnerabilities in our hosting environment?
- Is our data still safe?
- What do we need to fix to reduce risk going forward?
At Sentry Cyber, we have been conducting security assessments for businesses like yours for years. We have a clear process for situations exactly like this one.
Our security audit for cPanel and WHM-affected environments covers:
- Review of your hosting environment and cPanel/WHM version history
- Vulnerability scanning across your web infrastructure
- Review of user accounts and access privileges
- Check for indicators of compromise, including backdoors and unexpected file changes
- Review of firewall rules and exposed ports
- Email security review, including SPF, DKIM, and DMARC configuration
- Review of database access and integrity
- DNS and domain configuration review
- Web application firewall assessment
- Review of backup procedures and recovery options
- Review of third-party integrations and plugins
- A plain-English report with prioritised recommendations
We do not hand you a long list of technical jargon and leave you to figure it out. We give you a clear report and walk you through what needs to happen next.
If your business is interested in this service, please get in touch with us at https://sentry.cy/contact-us/.
Do Not Forget the Human Side of Security
Technical vulnerabilities are one threat. Your people are another.
Many attacks succeed because someone inside the business clicks a phishing link, uses a weak password, or falls for a social engineering attempt. With attackers already probing systems exposed by the cPanel vulnerability, expect a wave of follow-up phishing attempts targeting businesses in the hosting space.
Our cyber awareness training and phishing simulations help your team recognise and respond to these attacks before they cause damage.
The Bottom Line
This is a serious and active threat. The ACSC has confirmed exploitation is happening in Australia right now. If your business uses cPanel or WHM, do not wait.
Patch your systems today. Review your exposure. And if you are not sure where to start, get in touch with us. We can help you understand your risk and put a plan in place quickly.
Book a security assessment with Sentry Cyber and find out exactly where you stand.
FAQ
What is CVE-2026-41940?
It is a critical security vulnerability in cPanel and WHM software. It allows attackers to bypass the login screen entirely and gain full administrative access to a server without needing a password. It has a severity score of 9.8 out of 10.
Does this affect my business if I use shared hosting?
It depends on your provider. Many major hosting companies have already patched their systems. Contact your hosting provider directly and ask whether the patch for CVE-2026-41940 has been applied to your server.
What is the ACSC?
The ACSC is the Australian Cyber Security Centre, part of the Australian Signals Directorate. It is the government body responsible for helping Australian organisations defend against cyber threats. When it issues an urgent alert, it is worth taking seriously.
My hosting provider says they have patched the vulnerability. Am I safe?
Patching prevents new attacks through this specific vulnerability. However, if your server was compromised before the patch was applied, there may already be backdoors or malware present. A security assessment can check for this.
How long does a security assessment take?
It depends on the size and complexity of your environment. For most small to medium businesses, an assessment can be completed within a few days. Contact Sentry Cyber to discuss your situation and we can give you a realistic timeframe.
What does Sentry Cyber’s security assessment include?
Our assessments cover your hosting environment, user accounts, firewall configuration, email security, database access, DNS settings, and more. We look for signs of compromise and vulnerabilities beyond just the known CVE. You receive a plain-English report with prioritised actions.
Can Sentry Cyber help if we have already been compromised?
Yes. If you suspect your environment has been breached, contact us immediately. We can help you understand what happened, contain the damage, and put safeguards in place to prevent it from happening again.
