08 May 2026

Actions On Cyber Daily Int Brief: Check your website hosting after active exploitation of cPanel and WHM

Relevance rating: Act Now

Executive Summary

A critical weakness in cPanel and WHM, widely used to manage websites, email and hosting accounts, has been added to CISA's Known Exploited Vulnerabilities catalogue and is being reported as exploited in real-world attacks. Many small businesses, charities, clubs and community groups do not run cPanel themselves, but their website hosting provider may use it behind the scenes. The practical action is simple: ask your hosting provider today whether cPanel and WHM, DNSOnly and WP2 have been updated, whether your account or server showed signs of compromise, and whether recent website and email backups are available and tested.

Situation

WebPros has issued security updates for CVE-2026-41940 affecting cPanel and WHM, including DNSOnly, and WP2. CISA added the vulnerability to its Known Exploited Vulnerabilities catalogue on 30 April 2026, meaning there is evidence of exploitation in the wild. For non-technical organisations, the risk is that a weakness in the hosting control panel could allow attackers to interfere with websites, hosted email, files, databases or other sites on the same hosting environment. If your organisation uses shared hosting, a local web agency, a volunteer-managed website, WordPress hosting, or a low-cost hosting package, you may not see cPanel day to day but it may still be part of the service.

Who should care

  • Any UK small business, charity, club or community organisation with a public website
  • Organisations using shared hosting, reseller hosting, cPanel hosting, WHM, DNSOnly or WP2
  • Organisations whose website is managed by a web designer, IT provider, volunteer or hosting company
  • Groups taking online payments, handling bookings, publishing member-only content or storing contact forms on their website
  • Organisations using email accounts provided by the same company that hosts their website

Why it matters

Your website and email are often the public front door to your organisation. If the hosting control panel is compromised, criminals may be able to change website content, steal stored data, create new accounts, tamper with email, redirect visitors, or use the site to host scams. Even where your hosting provider is responsible for patching, your organisation is still responsible for asking the right assurance questions, checking whether anything changed, and making sure recovery is possible.

Top 5 Known Exploited Vulnerabilities

| Date added | CVE | Vendor | Product | Vulnerability | Required action |
|---|---|---|---|---|---|
| 2026-05-08 | CVE-2026-42208 | BerriAI | LiteLLM | BerriAI LiteLLM SQL Injection Vulnerability | Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. |
| 2026-05-07 | CVE-2026-6973 | Ivanti | Endpoint Manager Mobile (EPMM) | Ivanti Endpoint Manager Mobile (EPMM) Improper Input Validation Vulnerability | Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. |
| 2026-05-06 | CVE-2026-0300 | Palo Alto Networks | PAN-OS | Palo Alto Networks PAN-OS Out-of-bounds Write Vulnerability | Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Until the vendor releases an official fix, the following workaround should be implemented: - Restrict User-ID Authentication Portal access to only trusted zones. - Disable User-ID Authentication Portal if not required. |
| 2026-05-01 | CVE-2026-31431 | Linux | Kernel | Linux Kernel Incorrect Resource Transfer Between Spheres Vulnerability | Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. |
| 2026-04-30 | CVE-2026-41940 | WebPros | cPanel & WHM and WP2 (WordPress Squared) | WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability | Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. |

Actions On

  1. Ask your hosting provider whether they use cPanel, WHM, DNSOnly or WP2 for your website, email or hosting account.
  2. If yes, ask them to confirm in writing that they have applied the WebPros security update for CVE-2026-41940 and that your service is on a patched version.
  3. Ask whether your hosting account, website files, databases or email accounts showed any signs of unauthorised access since late February 2026.
  4. Make sure you have a recent clean backup of the website, database and email settings, stored separately from the hosting account.
  5. Check your website for unexpected administrator accounts, new files, changed payment pages, redirects, unfamiliar plugins or unexplained contact form activity.
  6. Change hosting, CMS and email administrator passwords after patching is confirmed, and enable multi-factor authentication wherever available.
  7. If your website takes payments or stores personal data, ask your provider whether any customer or member data may have been exposed and whether you need legal or ICO advice.
  8. Sign up for NCSC Early Warning if your organisation has its own domain name or public IP addresses.
  9. Use this incident as a prompt to confirm that Cyber Essentials basics are in place: secure configuration, access control, malware protection, patching and firewalls.
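
For whoever maintains the site, one way to carry out the file checks in steps 4 and 5 on a downloaded copy, as an added example that is not part of the original brief: it hashes every file in a clean backup and in the current copy and lists what is new, changed or missing. The function names, directory layout and file contents in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_hashes(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    hashes = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            hashes[path.relative_to(root).as_posix()] = digest.hexdigest()
    return hashes


def compare_site(backup_dir, current_dir):
    """Return files that are new, changed or missing relative to the backup."""
    before, after = tree_hashes(backup_dir), tree_hashes(current_dir)
    return {
        "new": sorted(set(after) - set(before)),
        "changed": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
        "missing": sorted(set(before) - set(after)),
    }


def demo():
    """Build two small constructed site copies and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, current = Path(tmp, "backup"), Path(tmp, "current")
        for root in (backup, current):
            (root / "shop").mkdir(parents=True)
            (root / "index.html").write_text("<h1>Club home</h1>")
            (root / "shop" / "checkout.php").write_text("<?php /* pay */ ?>")
            (root / "about.html").write_text("<p>About us</p>")
        # Constructed differences: an edited payment page, an added file, a deleted file.
        (current / "shop" / "checkout.php").write_text("<?php /* pay, edited */ ?>")
        (current / "shop" / "x.php").write_text("<?php /* unknown */ ?>")
        (current / "about.html").unlink()
        return compare_site(backup, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Legitimate updates made since the backup will also appear as changes, so each listed file needs reviewing with the person who maintains the site. A clean result covers files only; administrator accounts, plugins and database content still need checking separately.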

Question to ask your IT provider

Do any of our websites, email services or hosting accounts use cPanel, WHM, DNSOnly or WP2, and can you confirm the exact patched version, the date it was applied, whether any compromise indicators were found, and whether we have a clean restorable backup from before and after the update?

After-action review

  • Who owns the relationship with our website host, domain registrar and web developer?
  • Do we know which platform manages our website, email, DNS and backups?
  • Do we have named admin accounts only, rather than shared logins?
  • Is multi-factor authentication enabled for hosting, domain, email, CMS and payment accounts?
  • When was the last successful restore test for the website and database?
  • Would we know quickly if our website was changed, redirected or used to send scam messages?
  • Do we have a short contact list for cyber incidents, including hosting provider, web developer, IT provider, insurer and senior decision-maker?

Sources