🚨 CRITICAL ALERT: Active Zero-Day Exploits in cPanel & WHM
Threat Level: CRITICAL | A critical authentication bypass vulnerability (CVE-2026-41940) affecting cPanel & WHM is actively being exploited in the wild. Attackers are bypassing authentication mechanisms to gain unauthorized administrative access to affected systems. Immediate patching is required.
Critical Vulnerabilities (CVSS ≥ 8.0)
-
CVE-2026-41940 CVSS: 9.8 (CRITICAL)
Product: cPanel & WHM versions after 11.40 (including DNSOnly and WP Squared)
Vulnerability Type: Authentication Bypass (CWE-306: Missing Authentication for Critical Function)
Description: Unauthenticated remote attackers can bypass authentication via CRLF injection in the session handling logic of the login flow. Successful exploitation grants unauthorized administrative access, bypasses MFA protections, and potentially provides root-level control over affected servers.
Attack Vector: Network-accessible; no privileges or user interaction required; low attack complexity
Active Exploitation: Yes—exploitation observed as early as February 23, 2026 (prior to public disclosure on April 28, 2026)
Exposure: Approximately 1.5 million cPanel instances exposed to the internet
View NVD | CISA KEV
âš¡ Immediate Actions Required
1. Patch Immediately (Priority: CRITICAL)
Upgrade cPanel & WHM to patched versions immediately:
• 11.110.0.97 or later
• 11.118.0.63 or later
• 11.126.0.54 or later
• 11.132.0.29 or later
• 11.134.0.20 or later
• 11.136.0.5 or later
Upgrade cPanel & WHM to patched versions immediately:
• 11.110.0.97 or later
• 11.118.0.63 or later
• 11.126.0.54 or later
• 11.132.0.29 or later
• 11.134.0.20 or later
• 11.136.0.5 or later
2. Restrict Access (Interim Mitigation)
If immediate patching is not possible, restrict network access to cPanel/WHM management ports (2082/2083/2086/2087) to trusted IP ranges via firewall rules.
If immediate patching is not possible, restrict network access to cPanel/WHM management ports (2082/2083/2086/2087) to trusted IP ranges via firewall rules.
3. Investigate for Compromise
• Inspect session files for indicators of compromise
• Audit WHM access logs for unauthorized activity
• Purge affected sessions
• Force password resets for root and WHM users
• Check for persistence mechanisms (backdoors, malicious accounts)
• Inspect session files for indicators of compromise
• Audit WHM access logs for unauthorized activity
• Purge affected sessions
• Force password resets for root and WHM users
• Check for persistence mechanisms (backdoors, malicious accounts)
4. Monitor for Exploitation
Watch for suspicious activity targeting management interfaces. A proof-of-concept exploit has been publicly released by security firm watchTowr, and widespread exploitation is expected to be imminent.
Watch for suspicious activity targeting management interfaces. A proof-of-concept exploit has been publicly released by security firm watchTowr, and widespread exploitation is expected to be imminent.
Potential Impact of Successful Exploitation
- Full unauthorized administrative access to cPanel and WHM control panels
- Complete compromise of hosted accounts and services
- Exposure of sensitive data from hosted websites and customer information
- Lateral movement within hosting infrastructure
- Deployment of malicious content, backdoors, or persistence mechanisms
- Control over all domains and databases managed by affected systems
Additional Resources
Security vendors providing detection and protection:
- Imperva Web Application Firewall provides protections against exploitation attempts
- Consult cPanel’s official security advisory for vendor-specific remediation guidance
- Technical analysis and proof-of-concept details available from watchTowr Labs
Report Status: Active threat with confirmed exploitation in the wild. CVSS score 9.8 reflects critical severity. This vulnerability impacts internet-facing hosting infrastructure globally.