More than 40,000 servers have been compromised in an ongoing campaign exploiting a recently patched cPanel zero-day vulnerability. The flaw, tracked as CVE-2026-41940, allows attackers to bypass authentication and gain full administrative access to servers, potentially compromising all hosted websites and databases. The vulnerability was likely exploited since late February before being publicly disclosed on April 28, and CISA has now added it to its Known Exploited Vulnerabilities catalog, giving federal agencies just four days to patch their systems.