
The cPanel CVE Was a 67-Day Zero-Day. Our Harvester Caught the PoC Drop. Nobody Caught the Sixty-Seven Days.

  • Writer: Patrick Duggan
  • 4 min read

We posted earlier today about our exploit harvester catching three GitHub PoC repositories for CVE-2026-41940 — the cPanel and WHM authentication-bypass flaw. The harvester caught them overnight. Three rules, twelve hours, zero humans involved. We were proud of the catch.


The story changed at 18:00 UTC. Help Net Security published a piece reporting the actual exploitation window: this CVE has been an active zero-day since at least February 23, 2026. Sixty-seven days before CISA listed it. Sixty-seven days before the patch shipped. Sixty-seven days before the PoCs landed publicly on GitHub. 44,000 unique IPs were observed running scans, exploits, or brute-force attacks against honeypot sensors during that window.


Our overnight catch was real. So was the gap.


This is the part of the threat-intel ecosystem that defenders need to internalize. The PoC drop is the headline. The PoC drop is also the trailing-edge indicator — by the time someone publishes a working exploit on GitHub, the operators who actually had the bug have been monetizing it for weeks or months. The harvester catches the publication event. It does not catch the prior reconnaissance, the prior exploitation, the prior data exfiltration, the prior shell drops on cPanel-hosted sites that already happened.


We are at the 95-percent cap on this. The 67-day window means there is a non-trivial chance that any cPanel deployment which had the vulnerable version running between February 23 and the patch ship date is already compromised. Not "maybe" — there is a real probability. The 44,000 unique scanning IPs are a lower bound. Many of those IPs were doing brute-force discovery; some fraction succeeded. The successful ones have not announced themselves.


What this means for defenders today.


If you run cPanel, do not just patch. Patch and audit. The patch closes the door. The audit is what tells you whether someone was already inside before the door closed. Look for new admin accounts created between February 23 and the day you patched. Look for PHP files in webroot that did not exist in your last known-good backup. Look for cron entries you did not write. Look for outbound traffic to domains your cPanel server has no business reaching — particularly anything in the Apothecary umbrella we wrote about earlier today, and particularly anything fronting on Cloudflare with a /software-distribution-* path signature.
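A triage script for the four audit checks just listed (admin accounts created in the window, PHP files absent from the last known-good backup, cron entries you did not write, egress hitting the /software-distribution-* path signature), added here as an example and not code from this post or from the harvester/PreCog tooling. The account records, file listings, cron lines and egress log lines are constructed sample data, and the patch date and the "timestamp host method path" log format are assumptions to replace with your own.

```python
import re
from datetime import datetime

# Exposure window from the post: first observed exploitation (2026-02-23) up to the
# day this host was patched. PATCH_DATE is a placeholder; substitute your own date.
WINDOW_START = datetime(2026, 2, 23)
PATCH_DATE = datetime(2026, 5, 1)
PATH_SIG = re.compile(r"/software-distribution-[A-Za-z0-9]+")  # signature quoted in the post

def in_window(ts):
    """True if an ISO-8601 UTC timestamp falls inside the exposure window."""
    return WINDOW_START <= datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ") <= PATCH_DATE

def new_admin_accounts(accounts):
    """Privileged accounts created in the window; accounts = [(user, created_ts, is_admin)]."""
    return sorted(u for u, ts, admin in accounts if admin and in_window(ts))

def new_php_files(baseline, current):
    """Webroot PHP files present now but absent from the last known-good backup listing."""
    return sorted(p for p in current - baseline if p.endswith(".php"))

def signature_egress(lines):
    """Egress log lines ('ts host method path') inside the window that hit the path signature."""
    hits = []
    for line in lines:
        ts, host, _method, path = line.split(" ", 3)
        if in_window(ts) and PATH_SIG.search(path):
            hits.append((host, path))
    return hits

# Constructed sample data (not from any real host), in the shapes the checks expect.
ACCOUNTS = [("root", "2024-01-10T00:00:00Z", True),
            ("sysbackup", "2026-03-14T02:17:51Z", True),   # admin created mid-window
            ("alice", "2026-03-20T09:00:00Z", False)]
BASELINE = {"/home/site/public_html/index.php", "/home/site/public_html/wp-login.php"}
CURRENT = BASELINE | {"/home/site/public_html/wp-content/uploads/cache.php",
                      "/home/site/public_html/robots.txt"}
KNOWN_CRON = {"0 3 * * * /usr/local/cpanel/scripts/upcp --cron"}
CURRENT_CRON = KNOWN_CRON | {"*/5 * * * * /tmp/.cache/update"}
EGRESS = ["2026-03-02T04:11:09Z cdn.example.net GET /static/app.js",
          "2026-03-02T04:12:44Z updates.example.invalid GET /software-distribution-dxnp2c7/agent.bin",
          "2026-01-05T00:00:00Z old.example.net GET /software-distribution-abc123/x"]  # pre-window

def audit():
    """Run the four checks from the post over the sample data and return the findings."""
    return {"admin_accounts": new_admin_accounts(ACCOUNTS),
            "php_files": new_php_files(BASELINE, CURRENT),
            "cron": sorted(CURRENT_CRON - KNOWN_CRON),
            "egress": signature_egress(EGRESS)}
```

Feed the functions your real account creation records, a file listing diffed against the backup, the live crontabs and your egress logs; anything the egress check returns is worth treating as a compromise indicator regardless of which front-end bug put it there.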


If you run a managed cPanel — your hosting provider's WHM — ask them, in writing, what their incident-response posture is on this CVE. The answer should not be "we patched it." The answer should be "we patched it and ran detection across our shared infrastructure for the 67-day window of exposure." Anyone giving you the first answer without the second is not finished with this CVE yet.


The architectural lesson, the part we keep harping on.


The exploit harvester is good for what it does. It is also a trailing-edge tool. The leading-edge tools — what we call the left-of-boom layer — are different.


Our PreCog Sweep does novelty detection on observable infrastructure changes — new domain registrations, fresh certificate issuances, fresh IP allocations associated with known-bad operator patterns. PreCog caught the Apothecary cluster at hour zero of its 24-hour deployment window because the operator's batch-registration pattern lit up the signal. PreCog cannot catch a CVE that is being silently exploited against patched hosts that look the same from the outside.


That is the gap. That is the gap the entire industry has. Nobody — vendor, government, researcher — has a left-of-boom signal for "operator already has zero-day, is using it quietly against high-value targets." The signal that finally lights up is when the bug becomes commodity, when somebody publishes a PoC and the long tail of opportunistic scanners floods in. By the time we see 44,000 IPs scanning, the original operators have already moved on to the next zero-day.


There is no clean fix for this. Anyone telling you they have left-of-boom detection on silent zero-day exploitation is selling something.


What we can offer, with the 95-percent cap held tight: the closer your detection lives to the actual operator infrastructure — the C2 domains, the registration patterns, the path signatures — the earlier you catch them when they pivot from exploiting one CVE to exploiting another. The Apothecary cluster we caught this morning will, eventually, show up using cPanel-CVE-2026-41940-compromised hosts as part of its delivery infrastructure. We do not know when. We do know that when it happens, the path signature /software-distribution-dxnp2c7 will give it away regardless of what new vulnerability the operator is leveraging at the front end.


That is not zero-day detection. That is operator-continuity detection. It is the second-best thing, and at the end of a long Friday, it is what we have.


The harvester caught the PoC. The PoC drop is May 1. The exploitation window opened February 23. We caught what we could catch with the architecture we have.


Sixty-seven days is a long time for a door to be open without anyone outside the operator ring noticing. That is the part of this story that keeps the cap honest.

