A critical cPanel & WHM authentication bypass vulnerability has been actively exploited for months, posing significant risks to countless servers globally. This vulnerability, identified as CVE-2026-41940 with a CVSS score of 9.8, was publicly disclosed on April 28. cPanel has since urged immediate patching of all software versions post 11.40, although detailed technical information remains undisclosed.
Understanding the Vulnerability
This security flaw impacts the login process, potentially enabling remote attackers to gain administrative access without authentication. Such unauthorized access could lead to full system control, compromising server configurations and all hosted websites. The Canadian Centre for Cyber Security emphasizes the severity, noting that successful exploitation permits attackers to manipulate server settings and potentially jeopardize multiple websites on shared hosting environments.
Impact and Response
Cybersecurity firm Rapid7 highlights the vulnerability’s potential reach, with approximately 1.5 million cPanel instances accessible on the internet. Attack surface management company WatchTowr discovered that the vulnerability allows attackers to exploit a failed login attempt by manipulating session files through cookie modifications. This method could enable attackers to inject credentials and gain unauthorized access.
Evidence of the vulnerability being exploited in the wild dates back to February 23, 2026, according to a Reddit post by KnownHost. In response, major hosting providers like KnownHost, HostPapa, InMotion, and Namecheap swiftly restricted access to cPanel & WHM ports to facilitate secure patch deployment. The necessary fixes have since been incorporated into several cPanel & WHM versions, ranging from 11.86.0.41 to 11.136.0.5, and WP Squared version 136.1.7.
Mitigation and Future Considerations
cPanel advises users to update to supported software versions to mitigate risks associated with this flaw. They have released a detection script, and WatchTowr has provided a Detection Artifact Generator to aid in identifying signs of compromise. Such tools are crucial for administrators aiming to secure their systems against potential attacks.
Moving forward, it is imperative for web hosting services and server administrators to remain vigilant, ensuring their systems are equipped with the latest security updates. Rapid response and regular patching are essential strategies in safeguarding against evolving cybersecurity threats.
