Critical cPanel and WHM bug exploited as a zero-day, PoC now available
by Bill Toulas · BleepingComputer

The critical CVE-2026-41940 authentication bypass vulnerability in cPanel, WHM, and WP Squared is being actively exploited in the wild, with exploitation attempts observed since late February.
It is unclear when exploitation started, but KnownHost, a hosting provider that uses cPanel, said the day the vulnerability was disclosed that "successful exploits have been seen in the wild" before a fix became available.
Furthermore, KnownHost CEO Daniel Pearson stated that the company has "seen execution attempts as early as 2/23/2026."
Newly published technical details, which can be used to develop an exploit, reveal that the issue is a "Carriage Return Line Feed (CRLF) injection in the login and session loading processes of cPanel & WHM."
cPanel released a fix on April 28, following pressure from hosting providers. To protect customers, Namecheap temporarily blocked connections to cPanel and WHM ports 2083 and 2087 until patches became available.
A report from offensive security company watchTowr explains that the flaw is caused by improper session handling in cPanel & WHM, where user-controlled input from the Authorization header is written into server-side session files before authentication and without proper sanitization.
watchTowr researchers also published a detailed analysis of how the bug can be triggered to log into the system without validating the provided password, which can be used to develop a working exploit.
According to Rapid7, Shodan internet scans show that there are approximately 1.5 million cPanel instances exposed online. However, there is no data on how many are vulnerable to CVE-2026-41940.
“Successful exploitation of CVE-2026-41940 grants an attacker control over the cPanel host system, its configurations and databases, and websites it manages,” Rapid7 warns.
cPanel has updated its security advisory, noting that the vulnerability also impacts WP Squared, a comprehensive management panel for WordPress hosting built on cPanel. Furthermore, contrary to what was initially stated, only cPanel versions after 11.40 are affected by the security issue.
The vendor strongly recommends that all customers restart the ‘cpsrvd’ service after installing the latest releases of the software.
Affected releases and fixed versions are:
- cPanel/WHM 11.110.0 → fixed in 11.110.0.97
- cPanel/WHM 11.118.0 → fixed in 11.118.0.63
- cPanel/WHM 11.126.0 → fixed in 11.126.0.54
- cPanel/WHM 11.132.0 → fixed in 11.132.0.29
- cPanel/WHM 11.134.0 → fixed in 11.134.0.20
- cPanel/WHM 11.136.0 → fixed in 11.136.0.5
- WP Squared 11.136.1 → fixed in 11.136.1.7
If patching isn’t immediately possible, customers should at least block external access to ports 2083, 2087, 2095, and 2096, or stop the cpsrvd and cpdavd cPanel internal core services.
The vendor also provided a detection script to check for compromise. If indicators are found, it’s recommended to purge sessions, reset all credentials, audit logs, and investigate persistence mechanisms.
watchTowr has also published a Detection Artifact Generator script that can be used to verify if cPanel and WHM instances are vulnerable to CVE-2026-41940.
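For fleet triage, the following is an added example (not cPanel's or watchTowr's script) that compares version strings against the fixed builds in the advisory table above; the inventory line format and host names are constructed for the example, and a version at or above the fixed build says nothing about whether cpsrvd was restarted.

```python
# Fixed builds from the advisory, keyed by (product, release branch).
FIXED = {
    ("cpanel", "11.110.0"): "11.110.0.97",
    ("cpanel", "11.118.0"): "11.118.0.63",
    ("cpanel", "11.126.0"): "11.126.0.54",
    ("cpanel", "11.132.0"): "11.132.0.29",
    ("cpanel", "11.134.0"): "11.134.0.20",
    ("cpanel", "11.136.0"): "11.136.0.5",
    ("wpsquared", "11.136.1"): "11.136.1.7",
}

def parse_version(text):
    """'11.126.0.54' -> (11, 126, 0, 54); rejects anything but four numeric parts."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)

def assess(version, product="cpanel"):
    """Return 'patched', 'vulnerable', 'not_affected' or 'unknown'. 'patched' means
    at/above the fixed build; the cpsrvd restart the vendor requires is not checked."""
    v = parse_version(version)
    if v[:2] <= (11, 40):      # advisory: only releases after 11.40 are affected
        return "not_affected"
    branch = ".".join(str(n) for n in v[:3])
    fixed = FIXED.get((product, branch))
    if fixed is None:          # branch not in the advisory table (e.g. end-of-life)
        return "unknown"
    return "patched" if v >= parse_version(fixed) else "vulnerable"

def triage(inventory_lines):
    """Inventory lines 'host,product,version' (constructed format) -> {host: status}."""
    result = {}
    for line in inventory_lines:
        host, product, version = (f.strip() for f in line.split(","))
        try:
            result[host] = assess(version, product)
        except ValueError:
            result[host] = "unknown"
    return result

# Constructed sample inventory; the hosts are not real.
SAMPLE_INVENTORY = [
    "web1.example.test,cpanel,11.126.0.53",
    "web2.example.test,cpanel,11.126.0.54",
    "web3.example.test,cpanel,11.136.0.5",
    "wp1.example.test,wpsquared,11.136.1.6",
    "old1.example.test,cpanel,11.100.0.12",
]
```

Hosts reported as "unknown" run a branch the advisory does not list and should be treated as needing manual review rather than as safe.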