Owned global infrastructure and in-house systems teams allowed InMotion Hosting to block exposure across three data centers and patch the entire fleet during a critical cPanel & WHM zero-day, protecting 99% of potentially affected customers without service disruption.
VIRGINIA BEACH, Va., May 26, 2026 /PRNewswire/ — InMotion Hosting announced the successful fleet-wide resolution of CVE-2026-41940, a critical pre-authentication authentication bypass in cPanel & WHM that put roughly 1.5 million internet-exposed servers at risk globally. Within hours of public disclosure on April 28, 2026, the company’s in-house network operations and systems teams blocked exposure at the network layer across its U.S. East, U.S. West, and European data centers, and pushed patches across every eligible server in its fleet. The vast majority of customer websites, applications, databases, and email continued to operate normally throughout the response, while in-house teams worked directly with the small subset of customers whose environments required hands-on remediation.
“Because we own and operate our own global network infrastructure, our network operations team shut down external access to the vulnerable ports at our network edge within hours of disclosure. While other hosting providers were scrambling to implement server-level blocks, we moved quickly to protect our entire fleet before widespread exploits were in the wild. Out of 144,870 customers potentially exposed to this vulnerability, 99% were protected without service disruption, and our in-house teams patched or mitigated the remaining environments directly.”
Erik Soroka, Director of IT and Data Center Operations, InMotion Hosting
CVE-2026-41940 carries a Common Vulnerability Scoring System (CVSS) score of 9.8, the highest severity rating before a perfect 10. According to the technical analysis published by watchTowr Labs, the flaw chained three separate weaknesses in cPanel & WHM that allowed an attacker on the network to gain full root-level control of a server without a valid username, password, or two-factor authentication prompt. The vulnerability affected nearly every web host running cPanel, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities catalog on April 30, 2026 after evidence of active exploitation surfaced.
InMotion Hosting’s response moved on two parallel tracks. First, the network operations team closed the affected service ports at the network edge across all three data center regions, removing the attack surface for the entire fleet before patches were available. Second, in-house engineers iterated on automated scripts to push the official cPanel update across every eligible server, restoring port access after each server was confirmed on a patched build. Because customer-facing services run on standard ports that were never touched, websites, applications, databases, email, and the Account Management Panel (AMP) remained fully operational throughout the response. For the small portion of customers whose environments required additional remediation, including a subset migrated to fresh hardware, the company provided direct outreach with new server details, migration checklists, and 24/7 access to its in-house support team.
“For most of our managed customers, this was handled without them needing to lift a finger. For the small portion whose environments required direct attention, our team reached out proactively with clear next steps and stayed engaged until everything was resolved. That hands-on accountability is what a managed-host relationship should look like.”
John Joseph, Director of Customer Success, InMotion Hosting
The April advisory was not an isolated event, and InMotion Hosting’s patching cadence has continued. On May 13, 2026, cPanel released a second security update addressing five additional vulnerabilities (CVE-2026-29205, CVE-2026-29206, CVE-2026-32991, CVE-2026-32992, and CVE-2026-32993) with severity ratings up to High. InMotion Hosting applied that update across all managed Shared, WordPress, Reseller, VPS, and Dedicated environments on the day of release, again with no customer action required and no impact to running services. Self-managed VPS and Dedicated customers received the same patch guidance, with 24/7 human support available for any questions.
InMotion Hosting has taken similar action on Dirty Frag, a recently disclosed local privilege escalation vulnerability in the Linux kernel that allows an unprivileged local user to gain root access on affected systems. The vulnerability has had hosting providers scrambling to contain kernel exposure, with industry reporting indicating that comprehensive upstream patches were still being finalized at the time of disclosure. InMotion Hosting’s in-house systems teams deployed a fleet-wide mitigation that blocks the affected kernel modules from loading across the Dedicated server fleet, with VPS customers automatically protected at the underlying node level. The work was completed without service disruption and without requiring customer action, consistent with the company’s standing approach to security: address issues as soon as they are exposed or reported, in-house, without waiting on a third party.
Industry observers note that AI is changing how security threats develop, shortening the time between vulnerability disclosure and active exploitation and increasing the demands on hosting providers to respond quickly. InMotion Hosting remains committed to keeping its customers safe as the security environment shifts, and to investing in the people, infrastructure, and incident response capability needed to respond to whatever comes next.
The speed and consistency of the response reflects InMotion Hosting’s independent, founder-led structure. Without a hyperscale provider or outside vendor in the middle, in-house teams own every step: the network changes, the patch validation, and the customer communication that follows. Customers on Shared, WordPress, Reseller, Managed VPS, and Managed Dedicated plans receive fixes automatically. Self-managed Dedicated and VPS customers receive clear guidance for verifying their patch level and rotating credentials, with 24/7 human support available throughout. For full technical details, customers can review the official cPanel & WHM security advisory and the InMotion Hosting technical follow-up article.
About InMotion Hosting
InMotion Hosting delivers high-performance web hosting, cloud infrastructure, and managed services to businesses, developers, and entrepreneurs around the world. Privately held and proudly independent since 2001, the company serves over 170,000 customers with cutting-edge technology, 24/7 expert human support, and a deep commitment to open source innovation. InMotion Hosting is driven by the belief that every customer deserves exceptional support.
For more information, visit inmotionhosting.com or follow InMotion Hosting on Facebook, X, LinkedIn, and YouTube.
Media Contact:
Carrie Smaha
[email protected]
(757) 693-5451
SOURCE InMotion Hosting
