cPanel/WHM: When the “Login” Button Is Just Decorative
The Funny Summary
This alert reads like a horror story for anyone running hosting panels: attackers are actively exploiting a critical cPanel/WHM authentication bypass in Australia, meaning the bad guys can potentially stroll into the control panel without credentials—and in the worst case, use that access to pull off remote code execution. The scary part? If you’re running any version after 11.40, you’re in the blast radius—so this is less “niche bug” and more “surprise, it’s basically everyone.” Thankfully, patches are out (as of 30 April 2026)—so the goal is simple: patch fast, reduce exposure, and keep an eye out for anything weird.
The (5) Takeaways
Active exploitation in Australia (Critical): ASD’s ACSC says exploitation is happening now, and the alert status is critical.
Auth bypass + potential RCE: The flaw is an authentication bypass that can allow unauthenticated remote access to the control panel and enable remote code execution.
Wide version impact: It affects all versions after 11.40 (11.40 was released in 2013), so many deployments could be affected.
MSPs caught in the splash zone: ACSC notes several Managed Service Provider–managed products have been impacted, leading to compromise of their customers.
What to do right now: Identify vulnerable cPanel/WHM instances, reconsider internet exposure, apply patches ASAP, monitor for suspicious activity, and use the vendor’s IoC detection scripts. Notify ASD’s ACSC if you detect suspicious activity.
The Long Boring Article
Reference:
Active exploitation of cPanel/WHM critical vulnerability — cyber.gov.au alert