CISA Adds One Known Exploited Vulnerability to Catalog
CISA has added CVE-2026-41940, a missing authentication vulnerability affecting WebPros cPanel, WHM, and WP2, to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The flaw allows malicious actors to access critical functions without authentication, posing a significant risk to affected enterprises.
Authors: CISA
Source: CISA
Detection / Hunter
What Happened
CISA has issued an alert that a critical vulnerability (CVE-2026-41940) in WebPros cPanel, WHM, and WP2 is being actively exploited. The flaw is a missing-authentication weakness: an unauthenticated attacker can reach functions that should only be available to a logged-in session. Organizations running these hosting control panels, particularly where the management interfaces are reachable from the internet, are at significant risk of compromise and should apply the vendor's security update immediately.
Key Takeaways
- CISA has added CVE-2026-41940 to the Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation.
- The vulnerability affects WebPros cPanel & WHM and WP2 (WordPress Squared) and involves missing authentication for a critical function.
- Federal Civilian Executive Branch (FCEB) agencies are mandated by BOD 22-01 to remediate this vulnerability by a specified due date.
- All organizations are strongly urged to prioritize the remediation of this vulnerability to reduce exposure to cyberattacks.
Affected Systems
- WebPros cPanel
- WebPros WHM
- WP2 (WordPress Squared)
Vulnerabilities (CVEs)
- CVE-2026-41940
Attack Chain
Threat actors are actively exploiting CVE-2026-41940, a missing authentication vulnerability in WebPros cPanel, WHM, and WP2. By bypassing authentication mechanisms, attackers are able to access and execute critical functions within the affected web applications. Specific post-exploitation activities and payloads are not detailed in the alert.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
N/A
Detection Engineering Assessment
- EDR Visibility: Low. The vulnerability is an authentication bypass in a web application; exploitation shows up in web server and application access logs rather than in the process telemetry an EDR collects. EDR only becomes useful once the attacker uses the bypassed function to spawn processes or write files.
- Network Visibility: Medium. WAFs and IDS/IPS can detect exploitation attempts only if signatures for CVE-2026-41940 exist and the sensor sees the request body. cPanel and WHM interfaces are normally served over TLS, so this requires TLS termination or inspection in front of the service.
- Detection Difficulty: Moderate. Detecting a missing-authentication exploit means correlating requests to critical endpoints with the absence of a preceding login for that client. Without a baseline of normal administrative sources, such requests blend into legitimate administrative traffic.
Required Log Sources
- Web Server Access Logs
- cPanel/WHM Application Logs (on a standard installation, /usr/local/cpanel/logs/access_log, login_log, and error_log)
- WAF Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for unusual or unauthorized access to critical cPanel, WHM, or WP2 administrative endpoints originating from unexpected IP addresses without prior authentication events. | Web Server Access Logs | Initial Access | Medium |
Control Gaps
- Missing patches on public-facing infrastructure
- Lack of WAF rules for specific CVEs
- Exposure of administrative interfaces to the public internet
Key Behavioral Indicators
- Unexpected HTTP 200 responses to administrative endpoints without prior authentication tokens or sessions
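The hunting hypothesis and the behavioral indicator above describe the same check: a success response on an administrative endpoint from a client that never authenticated. The script below is an added example written for this page, not CISA's or WebPros' code. It assumes an Apache combined-style access log with a trailing destination port, which approximates the layout of cPanel's access_log but is not guaranteed to match it field for field; it also assumes the login endpoint is POST /login/, strips the per-session /cpsessNNN path token, and uses a hypothetical list of administrative path prefixes. The log lines are constructed, not captured traffic.

```python
"""Hunt access logs for 2xx responses to administrative endpoints from
source IPs that never completed a login earlier in the same log.

Added example for this page; assumptions: combined-style log layout with a
trailing port (approximates cPanel's access_log, verify against your
version), POST /login/ as the login endpoint, hypothetical admin prefixes.
"""
import re

# Constructed sample lines (not real traffic). 203.0.113.5 logs in and then
# lists accounts; 198.51.100.7 hits the same WHM functions with no login at
# all and gets 200s; 192.0.2.9 is correctly rejected with a 401.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2026:09:01:10 +0000] "POST /login/ HTTP/1.1" 200 512 "-" "Mozilla/5.0" 2087
203.0.113.5 - root [10/May/2026:09:01:12 +0000] "GET /cpsess1234567890/scripts/listaccts HTTP/1.1" 200 4096 "-" "Mozilla/5.0" 2087
198.51.100.7 - - [10/May/2026:09:03:44 +0000] "GET /scripts/listaccts HTTP/1.1" 200 4096 "-" "python-requests/2.31" 2087
198.51.100.7 - - [10/May/2026:09:03:45 +0000] "POST /json-api/createacct?username=x HTTP/1.1" 200 221 "-" "python-requests/2.31" 2087
192.0.2.9 - - [10/May/2026:09:05:00 +0000] "GET /scripts/listaccts HTTP/1.1" 401 0 "-" "curl/8.0" 2087
"""

# Field layout is an assumption; adjust the pattern to the log you actually have.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" (?P<port>\d+)$'
)

# Hypothetical prefixes treated as "critical functions"; tune per environment.
ADMIN_PREFIXES = ("/scripts/", "/json-api/", "/xml-api/", "/frontend/")
SESSION_RE = re.compile(r"^/cpsess\d+")
LOGIN_PATH = "/login/"  # assumed cPanel/WHM login endpoint


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["port"] = int(rec["port"])
    # Drop the session token so /cpsess.../scripts/x and /scripts/x compare equal.
    rec["path"] = SESSION_RE.sub("", rec["path"])
    return rec


def is_admin_path(path):
    """True if the path (ignoring any query string) is an administrative endpoint."""
    return path.split("?", 1)[0].startswith(ADMIN_PREFIXES)


def hunt(log_text):
    """Return records for 2xx responses on admin paths from IPs with no earlier
    successful POST /login/. Lines are processed in order, so a login that
    happens after the suspicious request does not excuse it."""
    authenticated = set()
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        is_login = rec["method"] == "POST" and rec["path"] == LOGIN_PATH
        if is_login and rec["status"] in (200, 301, 302):
            authenticated.add(rec["ip"])
            continue
        if 200 <= rec["status"] < 300 and is_admin_path(rec["path"]) and rec["ip"] not in authenticated:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]} '
              f'(port {h["port"]}, ua {h["ua"]!r})')
```

Run against the sample, the script reports the two requests from 198.51.100.7 and nothing else. The 401 from 192.0.2.9 is excluded because only success responses are interesting, and the root session from 203.0.113.5 is excluded because its login preceded the administrative calls. In production, feed it the real access_log and replace the in-memory set with a time-bounded per-IP window so that long-lived sessions and NAT'd administrators do not inflate results.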
False Positive Assessment
- Low to Medium. On a patched, baselined host, unauthenticated requests that receive success responses on administrative endpoints are rare, but vulnerability scanners, uptime probes and administrators connecting from IPs not yet in the baseline produce similar records; the hypothesis above is rated Medium for that reason.
Recommendations
Immediate Mitigation
- Apply vendor-supplied patches for WebPros cPanel, WHM, and WP2 immediately.
- Restrict access to the cPanel and WHM administrative interfaces (by default TCP 2082/2083 and 2086/2087) to trusted IP addresses or VPN ranges, using a host or network firewall in front of the service. This limits exposure but does not fix the bypass for clients that are still allowed through.
Infrastructure Hardening
- Implement a Web Application Firewall (WAF) to filter malicious requests targeting web management interfaces.
- Ensure administrative interfaces are not exposed to the public internet unless absolutely necessary.
User Protection
- Enforce Multi-Factor Authentication (MFA) for all administrative access, though patching is required to fix the underlying bypass.
Security Awareness
- Ensure vulnerability management teams prioritize CISA KEV catalog items for expedited patching.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1133 - External Remote Services