The critical CVE-2026-41940 authentication bypass vulnerability in cPanel, WHM, and WP Squared is being actively exploited in the wild and has been leveraged in attack attempts since late February.
It’s unclear when exploitation began, but KnownHost, a hosting provider that uses cPanel, said on the day the vulnerability was disclosed that “successful exploits have been seen in the wild” before a fix became available.
However, KnownHost CEO Daniel Pearson said that the company has “seen execution attempts as early as 2/23/2026.”
Newly published technical details, which could be used to develop an exploit, reveal that the issue is a “Carriage Return Line Feed (CRLF) injection in the login and session loading processes of cPanel & WHM.”
cPanel released a fix on April 28, following pressure from hosting providers. To protect customers, Namecheap temporarily blocked connections to cPanel and WHM ports 2083 and 2087 until patches became available.
A report from offensive security company watchTowr explains that the flaw is caused by improper session handling in cPanel & WHM, where user-controlled input from the Authorization header is written into server-side session files before authentication and without proper sanitization.
watchTowr researchers also published a detailed analysis of how the bug can be triggered to log into the system without validating the supplied password, which could be used to develop a working exploit.
According to Rapid7, Shodan internet scans show that there are roughly 1.5 million cPanel instances exposed online. However, there is no data on how many of them are vulnerable to CVE-2026-41940.
“Successful exploitation of CVE-2026-41940 grants an attacker control over the cPanel host system, its configurations and databases, and websites it manages,” Rapid7 warns.
cPanel has updated its security advisory, noting that the vulnerability also affects WP Squared, a complete management panel for WordPress hosting built on cPanel. Additionally, unlike initially stated, only cPanel versions after 11.40 are affected by the security issue.
The vendor strongly recommends that all customers restart the ‘cpsrvd’ service after installing the latest releases of the software:
Affected releases and fixed versions are:
- cPanel/WHM 11.110.0 → fixed in 11.110.0.97
- cPanel/WHM 11.118.0 → fixed in 11.118.0.63
- cPanel/WHM 11.126.0 → fixed in 11.126.0.54
- cPanel/WHM 11.132.0 → fixed in 11.132.0.29
- cPanel/WHM 11.134.0 → fixed in 11.134.0.20
- cPanel/WHM 11.136.0 → fixed in 11.136.0.5
- WP Squared 11.136.1 → fixed in 11.136.1.7
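The fixed-build table above is easy to misread because each release branch has its own patch level. The following helper, an added example and not vendor or watchTowr code, compares an installed version string against that table and applies the advisory's “only versions after 11.40” rule; the version file path is an assumption, and the script does not test the CRLF flaw itself.

```python
"""Classify a cPanel/WHM or WP Squared version against the CVE-2026-41940 advisory table."""
from pathlib import Path
from typing import Dict, Optional, Tuple

# Fixed build per release branch, as listed in the vendor advisory.
FIXED_BUILDS: Dict[str, Dict[Tuple[int, int, int], int]] = {
    "cpanel": {
        (11, 110, 0): 97,
        (11, 118, 0): 63,
        (11, 126, 0): 54,
        (11, 132, 0): 29,
        (11, 134, 0): 20,
        (11, 136, 0): 5,
    },
    "wp2": {(11, 136, 1): 7},  # WP Squared
}

# Assumed location of the installed version string on a cPanel host.
VERSION_FILE = Path("/usr/local/cpanel/version")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Split 'MAJOR.MINOR.PATCH.BUILD' into integers; reject anything else."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected MAJOR.MINOR.PATCH.BUILD, got {text!r}")
    return parts  # type: ignore[return-value]


def assess(version: str, product: str = "cpanel") -> str:
    """Return 'not_affected', 'patched', 'vulnerable' or 'unlisted'."""
    major, minor, patch, build = parse_version(version)
    # Advisory: only cPanel versions after 11.40 are affected.
    if product == "cpanel" and (major, minor) <= (11, 40):
        return "not_affected"
    fixed = FIXED_BUILDS[product].get((major, minor, patch))
    if fixed is None:
        # Branch not in the advisory table: treat as unknown and confirm with the vendor.
        return "unlisted"
    return "patched" if build >= fixed else "vulnerable"


def assess_installed(path: Path = VERSION_FILE) -> Optional[str]:
    """Read the local version file (assumed path) and classify it; None if absent."""
    if not path.is_file():
        return None
    return assess(path.read_text())


if __name__ == "__main__":
    print(assess_installed() or f"{VERSION_FILE} not found; pass a version to assess()")
```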
If patching isn’t immediately possible, customers should at least block external access to ports 2083, 2087, 2095, and 2096, or stop the cpsrvd and cpdavd cPanel internal core services.
The vendor also provided a detection script to check for compromise. If indicators are found, it’s recommended to purge sessions, reset all credentials, audit logs, and investigate persistence mechanisms.
watchTowr has also published a Detection Artifact Generator script that can be used to verify whether cPanel and WHM instances are vulnerable to CVE-2026-41940.