InMotion Hosting blocks critical cPanel flaw across 144K clients

A security vulnerability carrying a severity score of 9.8 out of 10 surfaced in cPanel and WHM earlier this year, and for a few hours it represented a genuine worst-case scenario for web hosting infrastructure. The flaw, tracked as CVE-2026-41940, let a network-based attacker gain root-level access to a server without a valid username, password, or two-factor authentication code. No credentials required. The bug exposed nearly 1.5 million internet-facing servers globally.

InMotion Hosting says it contained the threat across its customer base before broad exploitation reached its fleet. The company reports that 99% of its 144,870 potentially affected clients received protection without any action on their part and without service interruption.

The response followed two distinct tracks. First, InMotion’s network operations team closed the vulnerable service ports at the network edge across its US East, US West, and European data center regions. That move blocked external access before engineers had patched every individual server. Then internal engineers ran automated scripts to push the official cPanel update across eligible systems, only reopening port access after verifying each server on a patched build.

Websites, applications, databases, and email kept running throughout because the standard ports those services rely on never entered the restriction. Customers who needed manual intervention received direct outreach, migration checklists, and access to support teams. InMotion moved some to new hardware entirely.

CISA confirmed active exploitation of CVE-2026-41940 and added it to its Known Exploited Vulnerabilities catalog on April 30, 2026. Compliance teams, cyber insurers, and auditors generally stop treating an unpatched system as an oversight once a flaw appears on that list. At that point, it becomes a documented liability.

The incident did not stop there. On May 13, cPanel released another update addressing five additional vulnerabilities rated as high severity. InMotion deployed that update the same day across managed environments. Self-managed customers received patching guidance and around-the-clock support access, though the difference between managed action and self-managed guidance becomes a meaningful risk gap when exploitation moves quickly.

cPanel’s widespread deployment across shared hosting, reseller accounts, and VPS environments is exactly what makes flaws in that layer so consequential. One control-panel defect scales across thousands of businesses simultaneously, most of which have no internal security team capable of responding in time.