Critical Vulnerability in cPanel & WHM; Patch Now

Exploited as a Zero-Day: CVE-2026-41940 (9.8)

A critical vulnerability in cPanel and WHM allows attackers to bypass authentication and gain root access to servers; patches are available. According to reports, the cPanel and WebHost Manager (WHM) control panels manage approximately 70 million domains. Both are Linux-based control panels: cPanel is used to manage websites, databases, file transfers, email configurations and domains, while WHM is used to manage the server itself.

The vulnerability, CVE-2026-41940, is rated critical with a severity score of 9.8 and affected every supported version of the software until the patch was released.

Zero-Day Exploitation

CVE-2026-41940 (9.8) was exploited as a zero-day.

A zero-day exploit is a cyberattack vector that takes advantage of an unknown or unaddressed security flaw in any system’s software, hardware or firmware. “Zero day” refers to the fact that the software or device vendor has zero days to fix the flaw because malicious actors can already use it to access vulnerable systems.

Attack scenario

Attack surface management firm WatchTowr found, while analyzing the software, that the cPanel service daemon writes a pre-authentication session file to disk. An attacker could manipulate a cookie so that attacker-controlled credentials are written to that file in plaintext.

They found that the bug allows an attacker to inject specific characters via an Authorization header so that chosen parameters are written to the session file, and then to trigger a reload of the file in order to authenticate with the injected credentials.

Impact of Vulnerability

While full technical details have not been released, the flaw lies in the authentication mechanism and may allow attackers to bypass login checks and gain unauthorized access.

WHM and cPanel are among the most widely deployed hosting control panels and are popular with hosting providers for their standardized interfaces, their ease of use for non-technical users, and their deep integration with common hosting stacks.

Namecheap issued a statement, “We regret to inform users that a critical security vulnerability has been identified in cPanel software affecting all currently supported versions,” and temporarily blocked access to ports 2083 and 2087, used by cPanel and WHM respectively, to protect customers until patches were available.

cPanel published a security bulletin stating that the issue has been addressed in the following product versions:

  • 11.110.0.97
  • 11.118.0.63
  • 11.126.0.54
  • 11.132.0.29
  • 11.136.0.5
  • 11.134.0.20

To install a fixed version, the vendor recommends that administrators run `/scripts/upcp --force`, which runs the cPanel update process and forces it to execute even if the system believes it is already on the latest version.

Servers running an unsupported version of cPanel are ineligible for security updates; administrators of such servers are advised to upgrade to a supported version as soon as possible.
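A quick way to confirm whether a host already runs one of the fixed builds listed above is to compare its installed version against the bulletin's list branch by branch. The script below is an added illustration, not a cPanel tool: the fixed versions are copied from the bulletin as quoted in this article, the version file path is an assumption about a standard cPanel install, and the "unknown-branch" verdict (for release branches the bulletin does not list) is this script's own reading of the note about unsupported versions.

```python
"""Compare an installed cPanel/WHM version with the builds listed as fixed."""
import sys

# Fixed builds as listed in the cPanel bulletin quoted in the article.
FIXED_VERSIONS = [
    "11.110.0.97", "11.118.0.63", "11.126.0.54",
    "11.132.0.29", "11.136.0.5", "11.134.0.20",
]
# Assumed location of the version string on a cPanel host.
VERSION_FILE = "/usr/local/cpanel/version"


def parse_version(text: str) -> tuple:
    """Turn '11.110.0.97' into (11, 110, 0, 97); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected cPanel version string: {text!r}")
    return tuple(int(p) for p in parts)


# Map each release branch (first two components) to its fixed build.
FIXED_BY_BRANCH = {v[:2]: v for v in map(parse_version, FIXED_VERSIONS)}


def assess(version_text: str) -> str:
    """Return 'patched', 'vulnerable', or 'unknown-branch'.

    'unknown-branch' means the bulletin lists no fix for this release branch;
    per the article, unsupported branches receive no security updates, so
    treat it as needing an upgrade rather than as safe.
    """
    installed = parse_version(version_text)
    fixed = FIXED_BY_BRANCH.get(installed[:2])
    if fixed is None:
        return "unknown-branch"
    # Tuple comparison is component-wise, so 11.136.0.12 >= 11.136.0.5 holds.
    return "patched" if installed >= fixed else "vulnerable"


def read_installed_version(path: str = VERSION_FILE) -> str:
    with open(path, encoding="ascii") as fh:
        return fh.read()


if __name__ == "__main__":
    # Accept a version on the command line, otherwise read the local file.
    text = sys.argv[1] if len(sys.argv) > 1 else read_installed_version()
    verdict = assess(text)
    print(f"{text.strip()}: {verdict}")
    sys.exit({"patched": 0, "vulnerable": 1, "unknown-branch": 2}[verdict])
```

The exit code makes the check usable from fleet tooling (0 patched, 1 vulnerable, 2 unknown branch). A "patched" verdict only says the fix is installed; it says nothing about whether the host was compromised before the update, which is what the vendor's detection script is for.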

The vulnerability also affects WP Squared, a WordPress hosting platform owned by cPanel.

Successfully exploiting CVE-2026-41940, which can be summarized as a carriage return line feed (CRLF) injection flaw, meaning the attacked application does not properly sanitize user-supplied input, involves just a few steps.
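To make the CRLF injection class concrete, the following Python is an added illustration and is not cPanel's code (the vendor has not released implementation details). It models a generic session-file writer that stores a header-derived value as key=value lines: the unsafe variant copies the value verbatim, so a value containing a line break becomes an extra line that the file's reader treats as a parameter, while the hardened variant validates the value against a whitelist before anything reaches the file. The file layout, field names and the sample input are constructed for the example.

```python
import re

# Whitelist for a header-derived identity value: letters, digits and a few
# safe punctuation characters. CR, LF, NUL, "=" and everything else is rejected.
SAFE_VALUE = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def render_session_unsafe(user_value: str) -> str:
    """Vulnerable pattern: the header value is interpolated into a line-oriented
    file with no validation, so "\\n" inside the value starts a new record."""
    return f"authenticated=0\nuser={user_value}\n"


def render_session_safe(user_value: str) -> str:
    """Hardened pattern: refuse to write anything that is not a plain token."""
    if not SAFE_VALUE.fullmatch(user_value):
        raise ValueError("header value contains characters not allowed in a session field")
    return f"authenticated=0\nuser={user_value}\n"


def parse_session(text: str) -> dict:
    """Read key=value lines the way a naive session loader would: last key wins."""
    session = {}
    for line in text.splitlines():  # splitlines() also splits on "\r" and "\r\n"
        if "=" in line:
            key, _, value = line.partition("=")
            session[key.strip()] = value.strip()
    return session


def audit_session_text(text: str) -> list:
    """Defensive check for an existing file: report keys that appear more than
    once, which a well-formed writer never produces."""
    seen, duplicates = set(), []
    for line in text.splitlines():
        key = line.partition("=")[0].strip()
        if key in seen and key not in duplicates:
            duplicates.append(key)
        seen.add(key)
    return duplicates


# Constructed sample input: a header value carrying an embedded line break.
INJECTED = "alice\nauthenticated=1"

if __name__ == "__main__":
    bad = render_session_unsafe(INJECTED)
    print("unsafe writer produced:", parse_session(bad), "duplicates:", audit_session_text(bad))
    try:
        render_session_safe(INJECTED)
    except ValueError as err:
        print("safe writer rejected the value:", err)
```

The fix is the validation step, not a smarter parser: once a line-oriented file is the trust boundary, every value written to it must be proven free of the record separator. `audit_session_text` is the kind of check file integrity monitoring can apply to existing artifacts, since a duplicate key is a simple, high-signal indicator that something other than the legitimate writer produced the file.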

Patching as Remediation

For cPanel and WHM it is important to patch at the earliest opportunity, given the flaw's severity and the likelihood of zero-day exploitation.

For defenders, running cPanel’s detection script can help determine whether a patch is all that is needed, or whether it is time to pull the cables out.

Harden systems by disabling unnecessary services, applying secure configurations, and deploying file integrity monitoring.

cPanel has published a detection script, and WatchTowr has released a Detection Artifact Generator to help administrators identify signs of compromise.

How can defenders and developers implement security backups in cases such as the cPanel vulnerability?

Such a vulnerability makes securing the management layer a priority for organizations operating shared or multi-tenant environments.

Remember the Stryker incident, which highlighted an increasingly common pattern in modern intrusions: attackers now focus on identity, access and administrative control planes.

Once attackers gain access to identity systems, they can:

  • Disrupt operations through management infrastructure
  • Expand privileges (this is where zero trust is required)
  • Access sensitive data
  • Move laterally through administrative protocols

Sources:

  • cPanel, WHM emergency update fixes critical auth bypass bug
  • Critical cPanel, WHM flaw probs exploited as 0-day, pros say • The Register
  • Critical cPanel & WHM Vulnerability Exploited as Zero-Day for Months – SecurityWeek
