A critical authentication bypass vulnerability (CVE-2026-41940) in cPanel, a popular web-based control panel for managing web hosting accounts, is being exploited by attackers in the wild.

What's more, attackers did not wait for watchTowr security researchers to release technical details about the vulnerability: they have been observed exploiting CVE-2026-41940 since February 23, and have likely been abusing it even earlier.
About CVE-2026-41940
cPanel, typically offered by shared hosting companies, is one of the most widely used web hosting control panels. WHM (Web Host Manager) is used by hosting providers to manage multiple cPanel accounts on a server.
CVE-2026-41940 stems from missing authentication for a critical function, and allows unauthenticated remote attackers to gain unauthorized access to the control panel.
“Before authentication occurs, cpsrvd (the cPanel service daemon) writes a new session file to disk. The vulnerability allows an attacker to manipulate the whostmgrsession cookie by omitting an expected segment of the cookie value, avoiding the encryption process typically applied to an attacker-provided value,” Rapid7 researcher Ryan Emmons explained.
“Attackers can inject raw \r\n characters via a malicious Basic authorization header, and the system subsequently writes the session file without sanitizing the data. As a result, the attacker can insert arbitrary properties, such as user=root, into their session file. After triggering a reload of the session from the file, the attacker establishes administrator-level access for their token.”
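The root cause Emmons describes is client-controlled data reaching a line-oriented session file unsanitized. The following is an added illustration (not cPanel's code, and the key=value-per-line session format and field names are assumptions) of the two checks a defender would want: rejecting Basic credentials that carry control characters before anything is written, and auditing stored records for duplicated or unexpected properties.

```python
import base64
import binascii
import re

# CR, LF, NUL and the other ASCII control characters must never reach a
# line-oriented session store. Illustrative policy, not cPanel's code.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def parse_basic_auth(header: str) -> tuple[str, str]:
    """Decode a Basic Authorization header into (user, password), raising
    ValueError if the decoded credential carries control characters."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization header")
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic credential") from exc
    if _CONTROL.search(raw):
        raise ValueError("control characters in credential")
    user, sep, password = raw.partition(":")
    if not sep or not user:
        raise ValueError("credential is not user:password")
    return user, password


def is_safe_basic_auth(header: str) -> bool:
    """True when the header parses cleanly, False when it would be rejected."""
    try:
        parse_basic_auth(header)
        return True
    except ValueError:
        return False


def audit_session_record(record: str, allowed=("user", "authenticated")) -> list[str]:
    """Return keys in a stored session record (assumed key=value-per-line
    format) that are unexpected or duplicated, e.g. a second 'user' line."""
    seen, bad = set(), []
    for line in record.splitlines():
        key = line.partition("=")[0]
        if key not in allowed or key in seen:
            bad.append(key)
        seen.add(key)
    return bad


# Constructed sample headers: one legitimate, one smuggling a CR/LF line.
SAMPLE_GOOD = "Basic " + base64.b64encode(b"alice:s3cret").decode()
SAMPLE_INJECTED = "Basic " + base64.b64encode(b"alice:x\r\nuser=root").decode()
```

The audit function is the kind of check an indicator-of-compromise script can run over existing session files; the parser is the validation step that must happen before any client-supplied value is persisted.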
In-the-wild exploitation and vulnerability disclosure
WebPros International L.L.C., the company that develops cPanel, published a security advisory for CVE-2026-41940 on April 28, and released security updates a few hours later.
According to Daniel Pearson, the CEO of managed hosting provider KnownHost, they were notified of this around the same time. They immediately started blocking WHM/cPanel login ports across the KnownHost network, and then started implementing the security updates.
Other hosting providers did the same.
The disclosure timeline for CVE-2026-41940 is somewhat murky. According to a webhosting.today source, the vulnerability “had been reported to cPanel roughly two weeks before the April 28 public advisory, and (…) cPanel’s initial response was that nothing was wrong.”
Whether the reporter knew about the in-the-wild exploitation is unclear. It is also unclear why WebPros did not communicate the existence of such a critical vulnerability to hosting providers sooner and provide mitigation steps while they were working on fixes.
What to do?
CVE-2026-41940 affects all cPanel and WHM versions after v11.40, and v136.1.7 of WP Squared, a managed WordPress hosting platform built on top of cPanel.
“Successful exploitation of CVE-2026-41940 grants an attacker control over the cPanel host system, its configurations and databases, and the websites it manages,” Rapid7’s Emmons noted, adding that Shodan shows roughly 1.5 million cPanel instances exposed to the internet (though it is unknown how many of those are vulnerable).
The security advisory recommends updating to a patched cPanel version, verifying the cPanel build version, and restarting the cPanel service (cpsrvd).
Mitigations include blocking inbound traffic on ports 2083, 2087, 2095, and 2096 at the firewall and stopping the cpsrvd and cpdavd services.
The company has also provided a script for customers to search for known indicators of compromise.
“At least on our network and the cases I’ve reviewed, any exploit has amounted to ‘let me see if this works’ and then no other changes/attempts past that,” Pearson told customers.
“After a thorough review we’ll reach out to anyone impacted directly, but again I’ve seen no signs of any active compromise, injected payload or anything other than confirming access.”
