Critical cPanel & WHM Vulnerability Exploited as Zero-Day for Months
A critical authentication bypass vulnerability (CVE-2026-41940) in cPanel & WHM has been exploited as a zero-day for months, allowing remote unauthenticated attackers to gain administrative access to affected servers. This flaw affects all versions after 11. 40 and enables attackers to take control of the cPanel host system, modify server configurations, and potentially compromise all websites on shared hosting servers. The vulnerability involves manipulation of session files and cookies during the login flow. Multiple hosting providers have blocked access and deployed patches included in various cPanel versions starting from 11. 86. 0. 41 onward. Detection tools have been released to identify signs of compromise. Immediate patching is strongly recommended to mitigate the risk.
AI Analysis
Technical Summary
CVE-2026-41940 is a critical authentication bypass vulnerability in cPanel & WHM that allows remote attackers to gain administrative access without authentication. The flaw arises from the cPanel service daemon writing pre-authentication session files to disk upon failed login attempts, which can be manipulated via specially crafted authorization headers to inject attacker-controlled credentials in plaintext. This enables attackers to reload the session file and authenticate as administrators. The vulnerability affects all cPanel versions after 11.40. Exploitation can lead to full system takeover, including control over server configurations, databases, and hosted websites. The issue was actively exploited since at least February 2026. Patches have been released in multiple cPanel versions starting from 11.86.0.41, and hosting providers have taken protective measures by blocking access to vulnerable ports. Detection scripts and tools are available to help identify compromised systems.
Potential Impact
Successful exploitation grants attackers administrative access to cPanel & WHM servers, enabling full control over the host system, its configurations, databases, and all websites managed by the server. This can lead to complete system takeover and compromise of shared hosting environments. The vulnerability has been actively exploited in the wild for several months, increasing the risk of widespread impact. Approximately 1.5 million internet-accessible cPanel instances may be exposed, amplifying the potential scale of attacks.
Mitigation Recommendations
Official patches addressing this vulnerability have been released in cPanel & WHM versions 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.136.0.5, and 11.134.0.20, as well as WP Squared version 136.1.7. It is strongly recommended to immediately update to one of these patched versions. If running unsupported versions, upgrading to a supported version eligible for the update is highly advised. Hosting providers have also mitigated risk by blocking access to cPanel & WHM ports during patch deployment. Detection scripts published by cPanel and WatchTowr should be used to identify signs of compromise. Patch status is confirmed as official fix available.
Critical cPanel & WHM Vulnerability Exploited as Zero-Day for Months
Description
A critical authentication bypass vulnerability (CVE-2026-41940) in cPanel & WHM has been exploited as a zero-day for months, allowing remote unauthenticated attackers to gain administrative access to affected servers. This flaw affects all versions after 11. 40 and enables attackers to take control of the cPanel host system, modify server configurations, and potentially compromise all websites on shared hosting servers. The vulnerability involves manipulation of session files and cookies during the login flow. Multiple hosting providers have blocked access and deployed patches included in various cPanel versions starting from 11. 86. 0. 41 onward. Detection tools have been released to identify signs of compromise. Immediate patching is strongly recommended to mitigate the risk.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-41940 is a critical authentication bypass vulnerability in cPanel & WHM that allows remote attackers to gain administrative access without authentication. The flaw arises from the cPanel service daemon writing pre-authentication session files to disk upon failed login attempts, which can be manipulated via specially crafted authorization headers to inject attacker-controlled credentials in plaintext. This enables attackers to reload the session file and authenticate as administrators. The vulnerability affects all cPanel versions after 11.40. Exploitation can lead to full system takeover, including control over server configurations, databases, and hosted websites. The issue was actively exploited since at least February 2026. Patches have been released in multiple cPanel versions starting from 11.86.0.41, and hosting providers have taken protective measures by blocking access to vulnerable ports. Detection scripts and tools are available to help identify compromised systems.
Potential Impact
Successful exploitation grants attackers administrative access to cPanel & WHM servers, enabling full control over the host system, its configurations, databases, and all websites managed by the server. This can lead to complete system takeover and compromise of shared hosting environments. The vulnerability has been actively exploited in the wild for several months, increasing the risk of widespread impact. Approximately 1.5 million internet-accessible cPanel instances may be exposed, amplifying the potential scale of attacks.
Mitigation Recommendations
Official patches addressing this vulnerability have been released in cPanel & WHM versions 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.136.0.5, and 11.134.0.20, as well as WP Squared version 136.1.7. It is strongly recommended to immediately update to one of these patched versions. If running unsupported versions, upgrading to a supported version eligible for the update is highly advised. Hosting providers have also mitigated risk by blocking access to cPanel & WHM ports during patch deployment. Detection scripts published by cPanel and WatchTowr should be used to identify signs of compromise. Patch status is confirmed as official fix available.
Technical Details
- Article Source
- {"url":"https://www.securityweek.com/critical-cpanel-whm-vulnerability-exploited-as-zero-day-for-months/","fetched":true,"fetchedAt":"2026-04-30T11:21:22.152Z","wordCount":1017}
Threat ID: 69f33b32cbff5d8610cfce46
Added to database: 4/30/2026, 11:21:22 AM
Last enriched: 4/30/2026, 11:21:30 AM
Last updated: 5/1/2026, 5:11:37 AM
Views: 18
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.