InMotion Hosting has announced the successful mitigation and patch deployment for CVE-2026-41940, a critical zero-day vulnerability affecting cPanel & WHM servers worldwide. The flaw exposed an estimated 1.5 million internet-facing servers to potential attacks, prompting an industry-wide security response.
According to the company, its in-house network operations and systems teams acted within hours of the public disclosure on April 28, 2026. By leveraging its privately owned infrastructure across U.S. East, U.S. West, and European data centers, InMotion Hosting blocked vulnerable ports at the network edge and rapidly deployed patches across all eligible servers.
The company stated that 99% of potentially affected customers remained protected without experiencing service interruptions. Websites, applications, databases, email services, and account management systems continued operating normally throughout the incident response.
CVE-2026-41940 received a CVSS severity score of 9.8 and reportedly allowed attackers to gain root-level server access without valid credentials. The vulnerability impacted hosting providers running cPanel & WHM globally, and was later added to the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog following reports of active exploitation.
InMotion Hosting said its response combined immediate network-level protections with automated patch deployment scripts that updated servers as official cPanel fixes became available. Customers requiring additional remediation, including some migrated to new hardware, received direct assistance and 24/7 support from the company’s internal teams.
The company also confirmed that it deployed subsequent cPanel security updates released on May 13, 2026, covering five additional vulnerabilities across managed Shared, WordPress, Reseller, VPS, and Dedicated hosting services without requiring customer intervention.
In addition to the cPanel incident, InMotion Hosting recently implemented mitigation measures for “Dirty Frag,” a Linux kernel local privilege escalation vulnerability. The company stated that protective measures were applied across its Dedicated and VPS infrastructure without disrupting customer services.
InMotion Hosting emphasized that its founder-led structure and ownership of its global infrastructure allowed the company to respond quickly without relying on third-party providers, enabling faster network changes, patch validation, and customer communication during critical security events.
