cPanel Zero-Day Exploits 1.5M Servers: 5 Critical Threats to Patch This Week

CVE-2026-41940 is a critical authentication bypass vulnerability in cPanel and WHM affecting all versions released after v11.40, as well as WP Squared v136.1.7, the managed WordPress hosting platform built on cPanel infrastructure. Successful exploitation gives an attacker complete control over the cPanel host system, its configurations and databases, and every website it manages.

The attack technique, disclosed by WatchTowr and analyzed independently by Rapid7 researcher Ryan Emmons, works in two steps. An attacker first manipulates the whostmgrsession cookie by omitting an expected segment from its structure. They then inject raw carriage-return and line-feed characters via a malicious basic authorization header, inserting arbitrary key-value properties, including a root user token, directly into the server's session files. The result is a fully authenticated root session with no password required.

Rapid7 confirmed via Shodan that approximately 1.5 million cPanel instances are exposed online, though patch levels vary across that population. Active exploitation has been confirmed since at least February 23, 2026, and researchers note the actual exploitation window likely predates that date. A proof-of-concept exploit is now publicly available, which increases risk for every unpatched instance. cPanel published its advisory and a patched release on April 28, 2026.

Remediation: Update cPanel to the patched version immediately and restart the cpsrvd service. If immediate patching is not possible, block ports 2083, 2087, 2095, and 2096 at the perimeter firewall. Run cPanel's provided compromise-detection script on all exposed instances before assuming they are clean. CISA has added CVE-2026-41940 to the KEV catalog.

Snow malware is a three-component backdoor suite deployed by UNC6692, a threat actor tracked by Google Mandiant that uses Microsoft Teams social engineering as its primary access vector. UNC6692 begins each intrusion by flooding the target's email inbox to create urgency and confusion, then contacts the overwhelmed victim via Teams posing as an IT helpdesk agent. The attacker instructs the victim to click a link for a supposed security patch, triggering the Snow malware installation chain.

The Snow suite consists of three tools operating in concert. SnowBelt is a malicious Chrome browser extension that enables persistent access to browser sessions and data. SnowGlaze is a SOCKS proxy tunneler that routes arbitrary TCP traffic through the infected host, giving UNC6692 a covert channel for sustained operations. SnowBasin is a Python-based backdoor that executes CMD and PowerShell commands, enables remote shell access, performs file management, captures screenshots, and extracts credentials from the local system.

Post-compromise, UNC6692 conducts internal reconnaissance targeting SMB and RDP services, then moves laterally through the network using pass-the-hash authentication after dumping LSASS memory. The group extracts the Active Directory database using FTK Imager and exfiltrates data via LimeWire. Google Mandiant has published extensive indicators of compromise and YARA rules for detecting the Snow toolkit, available through BleepingComputer's reporting.

Organizations should immediately restrict Microsoft Teams external access to verified domains only, audit endpoints for anomalous Chrome extensions and Python execution chains, and train staff that legitimate IT support does not deliver security patches through Teams chat links.

CVE-2026-42208 is a CVSS 9.3 SQL injection vulnerability in BerriAI's LiteLLM Python package, a widely deployed proxy that routes AI inference requests across multiple large language model providers including OpenAI, Anthropic, and Azure OpenAI. Security researchers identified active exploitation of LiteLLM CVE-2026-42208 within 36 hours of public disclosure, making it one of the fastest-weaponized vulnerabilities documented in 2026.

The flaw allows an unauthenticated attacker to inject SQL commands that modify the underlying LiteLLM proxy database. In production environments, this database typically stores API keys, model configurations, usage logs, and organizational routing rules. Successful exploitation could expose all API credentials managed through the proxy, inject malicious model routing configurations, or corrupt usage data relied upon for billing and access control.

LiteLLM is prevalent in enterprise AI pipelines, internal LLM gateways, and managed AI services. Organizations that have not isolated LiteLLM instances behind authenticated network controls or have not updated to the patched release should treat any LiteLLM database as potentially compromised. Rotate all API keys stored in or passed through the proxy immediately after patching. This vulnerability also applies to any derivative or vendor-bundled version of the LiteLLM package.

This exploitation pattern, critical AI infrastructure targeted within hours of a public CVE, reflects a deliberate shift by threat actors toward foundational services rather than end-user applications. Organizations should apply the same emergency patching discipline to AI infrastructure components that they apply to web servers and VPN appliances.

ShinyHunters is a financially motivated cybercriminal group specializing in large-scale data theft and extortion, responsible for some of the most significant breach disclosures of the past three years. This week the group listed more than 40 new victim organizations on its data leak site, the largest single-week expansion of its victim portfolio in 2026.

Confirmed victims include Carnival Corporation's Holland America Line subsidiary, where 8.7 million customer records were exposed. Additional organizations listed this week include Mytheresa, Pitney Bowes, The Canada Life Assurance Company, Hallmark, and Inditex, the parent company of global fashion retailer Zara. The campaign also swept through major retailers, insurers, and hospitality firms across North America and Europe.

This expansion follows a series of high-profile ShinyHunters breaches already covered on Decryption Digest this year, including the [Amtrak Salesforce breach affecting 9 million records](/blog/amtrak-shinyhunters-salesforce-breach-9-million-records) via compromised OAuth tokens. The group consistently exploits credential theft at third-party SaaS platforms rather than attacking victims' own perimeters, which makes detection through traditional network-layer monitoring ineffective.

Organizations in retail, insurance, and hospitality should audit all third-party SaaS platform access and review Salesforce and CRM access logs for anomalous OAuth activity. Confirm that multi-factor authentication is enforced on all external-facing platforms, and verify with your vendors that any shared data exposure has been assessed for your specific tenant.

CISA added 13 vulnerabilities to its Known Exploited Vulnerabilities catalog in a four-day window spanning April 20 to 24, 2026. Each addition carries evidence of active exploitation. BOD 22-01 requires Federal Civilian Executive Branch agencies to remediate all KEV entries by their assigned deadlines. Private sector organizations should treat the KEV list as a prioritization signal for their own patch cycles.

On April 20, CISA added eight vulnerabilities. The highest-priority entries for enterprise defenders include CVE-2023-27351, an authentication bypass in PaperCut NG/MF used widely for enterprise print management; CVE-2024-27199, a JetBrains TeamCity authentication bypass enabling remote code execution on build servers; CVE-2025-48700, an authentication flaw in Synacor Zimbra; and three vulnerabilities in Cisco Catalyst SD-WAN Manager. The April 20 batch also included Kentico Xperience CVE-2025-2749 and Quest KACE SMA CVE-2025-32975.

On April 23, CISA added CVE-2026-39987, a remote code execution vulnerability in Marimo, the open-source Python notebook platform. On April 24, CISA added four more vulnerabilities covering Samsung MagicINFO 9 digital signage software, SimpleHelp remote support software, and D-Link DIR-823X router firmware.

For broader context on the Microsoft vulnerabilities patched this month, see the [April 2026 Patch Tuesday coverage](/blog/patch-tuesday-april-2026) on Decryption Digest, which details the 167-flaw release including the SharePoint Server zero-day CVE-2026-32201.

The following indicators of compromise are derived from published technical disclosures for this week's top five threats. Run these against your SIEM, EDR, and firewall logs immediately. The full Snow malware IOC set and YARA detection rules published by Google Mandiant are available through BleepingComputer's reporting linked in the sources section below. For cPanel, the primary network-layer mitigation is port-based blocking until the patch is applied.

This week's threat landscape contains three actively exploited vulnerabilities and two confirmed active campaigns. The following steps address the highest-risk exposures identified across all five threats in this briefing. Execute in order of your asset exposure.

The cPanel CVE-2026-41940 authentication bypass is the most immediately dangerous exposure in this week's briefing: 1.5 million servers facing a public exploit, active exploitation dating back 64 days before the advisory, and complete root access as the attacker's reward. UNC6692's Snow malware confirms that Microsoft Teams is now a primary enterprise attack surface requiring the same scrutiny as email. LiteLLM CVE-2026-42208 signals that AI infrastructure is a first-class exploitation target in 2026. Update every cPanel and WHM instance in your environment before end of business today.