{"uuid": "f34868c5-df4e-4c21-9319-7ffaa9ad109e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-41940", "type": "seen", "source": "https://infosec.exchange/users/shadowserver/statuses/116499627192882664", "content": "Attention! \ncPanel/WHM CVE-2026-41940 attacks ongoing, with at least 44K IPs likely compromised & seen scanning our honeypots on 2026-04-30. Follow latest guidance to track for compromise & patch: https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026 \nSee Public Dashboard for stats: https://dashboard.shadowserver.org/statistics/honeypot/device/tree/?date_range=1&vendor=cpanel&data_set=count&scale=log&auto_update=on\n44K unique IP number is based on cPanel spike of devices seen scanning/running exploits/brute force attacks against our honeypot sensors.\nhttps://dashboard.shadowserver.org/statistics/honeypot/device/time-series/?date_range=7&vendor=cpanel&dataset=unique_ips&limit=100&group_by=vendor&stacking=stacked&auto_update=on\nYou can find likely newly compromised instances in our honeypot based reports with cPanel set in the device_vendor of the attacking device\n- Darknet Events Report https://www.shadowserver.org/what-we-do/network-reporting/honeypot-darknet-events-report/\n- Honeypot HTTP Scanner Events Report https://www.shadowserver.org/what-we-do/network-reporting/honeypot-http-scanner-events/\n- Honeypot Brute Force Events Report https://www.shadowserver.org/what-we-do/network-reporting/honeypot-brute-force-events-report/\nYou can also find exposed cPanel/WHM instances in our Device ID reporting with ~650K IPs seen hosting https://dashboard.shadowserver.org/statistics/iot-devices/time-series/?date_range=7&vendor=cpanel&dataset=count&limit=1000&group_by=geo&stacking=stacked&auto_update=on", 
"creation_timestamp": "2026-05-01T13:47:18.617334Z"}