Critical cPanel Flaw Exposes Control Panels Without Credentials, New Phishing Toolkit Challenges MFA Security
Vulnerability coverage focused on affected versions, exploitability and patch or mitigation decisions.

Trust note: This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.
The published article is checked against public sources before publication, and material corrections are reflected in the article update date.
Technical reviewer note: Marcin Pocztowski reviewed this alert on May 04, 2026 for server impact, affected-version evidence, privilege or code-execution claims and realistic patch priority. His remediation note follows the same discipline he would use around Juniper routers and production servers: verify scope, preserve useful logs, reduce exposed management access and only then apply the fix or compensating control supported by the single corroborating source.
Review our editorial policy or send corrections to [email protected].
Resolved or patched. Source coverage indicates that a fix or formal remediation has been published. Verify that updates are applied in your environment.
A critical vulnerability in cPanel and WebHost Manager allows unauthorized access without credentials, while the emergence of EvilTokens phishing toolkit undermines multi-factor authentication. These developments highlight growing risks for web hosting users and organizations relying on MFA.
GLOBAL, May 4, 2026, 07:01 UTC
A critical security flaw discovered in cPanel and WebHost Manager (WHM) enables attackers to bypass authentication and access control panels without credentials, according to a recent advisory. This vulnerability affects nearly all versions of the software, widely used by web hosting providers.
The flaw's exploitation could allow attackers to take full control of hosting accounts, potentially leading to website defacement, data theft, or deployment of malicious code. Given cPanel's prevalence, the risk extends to thousands of organizations and individuals relying on these platforms for website management.
Simultaneously, cybersecurity researchers have identified a new phishing-as-a-service toolkit named EvilTokens, which surfaced in mid-February 2026. EvilTokens leverages social engineering tactics to circumvent multi-factor authentication (MFA), traditionally considered a robust defense against account compromise.
EvilTokens challenges the assumption that MFA alone can prevent unauthorized access, demonstrating that sophisticated phishing campaigns can still trick users into revealing session tokens or one-time passwords. This development signals a shift in attacker strategies, emphasizing the need for layered security measures beyond MFA.
The convergence of these threats underscores a critical moment for cybersecurity in web hosting and account protection. Users of cPanel and WHM are urged to apply patches and updates immediately to close the authentication bypass vulnerability.
Hosting providers should prioritize monitoring for unusual access patterns and consider implementing additional safeguards such as IP whitelisting and anomaly detection to mitigate exploitation risks.
For organizations relying on MFA, awareness campaigns and enhanced phishing resistance training are recommended to reduce the risk posed by tools like EvilTokens.
These incidents also highlight the importance of continuous threat intelligence and rapid response capabilities as attackers evolve their methods.
While patches for the cPanel vulnerability are being distributed, the window for exploitation remains open, posing a high risk to unpatched systems.
The effectiveness of MFA will depend increasingly on user vigilance and supplementary security controls, given the rise of phishing techniques targeting token interception.
Security teams should reassess their authentication frameworks and incident response plans in light of these emerging threats.
Red Hot Cyber, a cybersecurity news outlet, has been tracking these developments and providing detailed analysis on its platform.
The evolving landscape demands that both individual users and enterprises stay informed and proactive to defend against sophisticated cyberattacks exploiting software flaws and social engineering.
Source: https://www.redhotcyber.com/
Sources used for this article
redhotcyber.com
