
Critical cPanel & WHM Vulnerability Exploited as Zero-Day for Months

Hackers have been exploiting a critical-severity authentication bypass vulnerability in the cPanel & WHM (WebHost Manager) server and website administration platform for months.

Tracked as CVE-2026-41940 (CVSS score of 9.8), the flaw was disclosed on April 28, when cPanel urged rapid patching, warning that all software versions after 11.40 are affected, but refraining from sharing technical details.

Affecting the login flow, the security defect could allow remote, unauthenticated attackers to gain administrative access to the control panel, essentially leading to system takeover.

As the Canadian Centre for Cyber Security points out, successful exploitation of the issue could allow an attacker to modify server configurations and potentially compromise all websites on shared hosting servers.

“Successful exploitation of CVE-2026-41940 grants an attacker control over the cPanel host system, its configurations and databases, and websites it manages,” cybersecurity firm Rapid7 notes.

A Shodan search, the company warns, shows around 1.5 million internet-accessible cPanel instances that may be exposed to attacks.


Analyzing CVE-2026-41940, attack surface management firm watchTowr found that upon a failed login attempt, the cPanel service daemon would write a pre-authentication session file to disk, and that an attacker could manipulate a cookie so that attacker-controlled credentials are written to it in plaintext.

Essentially, the bug allows an attacker to inject special characters via an Authorization header to write specific parameters to the session file, and then trigger a reload of the file to authenticate using the injected credentials.
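To illustrate the bug class described above (header-derived values written into a line-oriented session file without filtering, so injected delimiters smuggle in extra parameters), here is an added example that is not cPanel's code and not from the watchTowr analysis. It assumes a hypothetical one-`key=value`-per-line session format and shows the unfiltered writer beside a hardened one that enforces a key allowlist, rejects control characters, and never persists the password in a pre-authentication record.

```python
import re
from typing import Dict

# Hypothetical session file layout: one "key=value" per line. This is an
# assumption for illustration only, NOT cPanel's real session file format.
KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def serialize_unsafe(fields: Dict[str, str]) -> str:
    """Vulnerable pattern: values taken from the request are written verbatim,
    so a value containing a newline becomes an extra line (an extra key)."""
    return "".join(f"{k}={v}\n" for k, v in fields.items())


def serialize_safe(fields: Dict[str, str]) -> str:
    """Hardened writer: strict key allowlist, no control characters in values,
    and credentials are never stored in a pre-authentication record."""
    out = []
    for k, v in fields.items():
        if not KEY_RE.match(k):
            raise ValueError(f"illegal session key: {k!r}")
        if k == "password":
            continue  # never persist the password, even for a failed login
        if CONTROL_CHARS.search(v):
            raise ValueError(f"control character in value for key {k!r}")
        out.append(f"{k}={v}\n")
    return "".join(out)


def parse_session(text: str) -> Dict[str, str]:
    """Reader side on reload: split each line on its first '='."""
    parsed: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            parsed[k] = v
    return parsed


# Constructed sample input: a username carrying an injected second line.
TAINTED_USER = "bob\nauthenticated=1"


def demo_unsafe() -> Dict[str, str]:
    """Round-trip the tainted login through the vulnerable writer."""
    return parse_session(serialize_unsafe({"user": TAINTED_USER, "password": "x"}))


def demo_safe_rejects() -> bool:
    """True if the hardened writer refuses the tainted login."""
    try:
        serialize_safe({"user": TAINTED_USER, "password": "x"})
    except ValueError:
        return True
    return False
```

Running `demo_unsafe()` shows the smuggled `authenticated` key appearing as a parsed session field, while `demo_safe_rejects()` returns True because the hardened writer refuses the value before anything reaches disk.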

According to a Reddit post by hosting provider KnownHost, the vulnerability has been exploited in the wild since February 23, 2026.

Immediately after being notified of the issue, KnownHost, HostPapa, InMotion, Namecheap, and other hosting providers blocked access to cPanel & WHM ports to securely deploy patches.

The fixes were included in cPanel & WHM versions 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.136.0.5, and 11.134.0.20, and in WP Squared version 136.1.7.


“If your server is not running a supported version of cPanel that is eligible for this update, it is highly recommended that you work towards updating your server as soon as possible, as it may also be affected,” cPanel notes in its advisory.

cPanel has published a detection script, and watchTowr released a Detection Artifact Generator to help administrators identify indicators of compromise.
