CISOOnline

cPanel flaw exposes enterprises to hosting supply-chain risks

For CISOs, the worry is not just the bug, but where it sits. cPanel and similar tools often operate at the edge of the enterprise, managing websites, portals, and hosted applications. If they are exposed to the internet and not monitored with the same rigor as endpoints, cloud workloads, or core business systems, they can become attractive entry points for attackers.

“This is a classic aggregator-level attack: instead of targeting individual companies, threat actors compromise the centralized management layer that aggregates hundreds of unrelated tenants on the same server,” said Sunil Varkey, a cybersecurity analyst.

XLab said exploitation began after the vulnerability was publicly disclosed in late April. The researchers observed more than 2,000 attacker source IPs involved in automated attacks. The activity included cryptomining, ransomware deployment, botnet propagation, backdoor installation, and data theft, suggesting the flaw has drawn broad attacker interest.

Varkey said security researchers estimate that more than 40,000 servers may have been at risk in the initial wave alone.

“The speed and scale of exploitation after CVE-2026-41940’s disclosure should tell CISOs that internet-facing control panels are now high-priority exploitation targets, not just administrative utilities,” said Sakshi Grover, senior research manager for IDC Asia Pacific Cybersecurity Services.


