:

CRITICAL BUG IN CPANEL, WHM EXPLOITED SINCE FEBRUARY

SECURITY DESK2 MIN READ
SAT, MAY 2, 2026

■ AI-SUMMARIZED FROM 1 SOURCE ▸ TIMELINE

A critical vulnerability in cPanel, WHM, and WP Squared software has been actively exploited since February. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) assigned a 9.8 CVSS severity score and ordered federal agencies to patch by May 3.

The vulnerability affects three widely-used server and website management platforms, creating significant risk for government infrastructure. CISA's mandatory patching deadline of May 3 underscores the severity of the threat. CPAN and WHM are among the most common control panel solutions for web hosting providers and server administrators. The vulnerability's high CVSS score of 9.8 indicates near-maximum severity, suggesting attackers could gain elevated access or control systems with minimal effort. The fact that exploitation has been documented since February raises concerns about the scope of potential compromises. Organizations running affected versions may have already been targeted, making immediate patching critical for both federal agencies and private sector users. WP Squared, a WordPress management platform, rounds out the affected software trio. Users of all three applications should prioritize security updates regardless of sector, as the vulnerability's accessibility to threat actors makes widespread exploitation likely. CISA's involvement and firm deadline for federal agencies signals this is not a routine patch. The agency typically implements mandatory timelines only for vulnerabilities that pose existential risk to critical infrastructure. Private sector organizations should treat this with equal urgency, particularly those managing sensitive data or customer-facing services. The incident reinforces ongoing challenges in vulnerability disclosure and patch deployment. The gap between initial exploitation and public awareness appears to have been several months, potentially allowing attackers extended access before systems were secured. Administrators should treat the May 3 deadline as a minimum requirement rather than a target, implementing patches immediately upon availability. Organizations should also conduct forensic reviews of system logs dating back to February to identify potential unauthorized access. Detailed technical guidance and patches should be forthcoming from vendor advisories and CISA's guidance channels.

■ SOURCES

Techmeme

■ SUMMARY WRITTEN BY AI FROM THE LINKS ABOVE

■ MORE FROM THE SECURITY DESK

A US federal judge dismissed a class action lawsuit accusing Apple of failing to prevent child sexual abuse material from spreading through iCloud, citing Section 230 protections for online platforms.

JUST NOWAI Desk

A threat actor has created nearly 300 fraudulent GitHub repositories impersonating legitimate software and security projects to distribute infostealer malware to unsuspecting developers.

JUST NOWDev Desk

LastPass has issued a warning about an active phishing campaign using fraudulent security notices to redirect users to malicious websites. The scheme targets both LastPass and Bitwarden password manager users.

2H AGOSecurity Desk

Microsoft has rolled out cumulative updates KB5101650 and KB5099414 for Windows 11, addressing security vulnerabilities and bugs across multiple versions. The updates target versions 25H2/24H2 and 23H2.

2H AGOIndustry Desk

■ SUBSCRIBE TO THE DAILY BRIEF

ONE EMAIL, 5 STORIES, 06:00 UTC. UNSUBSCRIBE ANYTIME.