


Perceptive Security
SOC/SIEM Consultancy

Critical cPanel and WHM bug exploited as a zero-day, PoC now available
Published: 30 April 2026 at 11:40:31
Alert date: 30 April 2026 at 12:00:53
Source: bleepingcomputer.com
Web Technologies, Zero-Day Vulnerabilities, Identity & Access
A critical authentication bypass vulnerability (CVE-2026-41940) in cPanel, WHM, and WP Squared has been actively exploited as a zero-day since late February. The vulnerability allows attackers to bypass authentication mechanisms in these popular web hosting control panel systems. Proof-of-concept exploit code is now publicly available, increasing the risk of widespread exploitation. Organizations using affected cPanel and WHM installations are at immediate risk and should apply security patches as soon as they become available.
Technical details
CVE-2026-41940 is a Carriage Return Line Feed (CRLF) injection vulnerability in the login and session loading processes of cPanel & WHM. The flaw is caused by improper session handling where user-controlled input from the Authorization header is written into server-side session files before authentication and without proper sanitization. This allows attackers to bypass authentication without validating passwords and gain control over the cPanel host system, its configurations, databases, and managed websites.
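A simplified model of the flaw class described above, added here as an illustration; it is not cPanel's code and does not come from the source article. The line-based `key=value` session format, the field names (`user`, `authenticated`) and the sample value are assumptions constructed for the example.

```python
import re
from collections import Counter

# Assumed session format: one "key=value" pair per line (not cPanel's real layout).
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Constructed sample: a header-derived value carrying an embedded CR LF.
CONSTRUCTED_VALUE = "alice\r\nauthenticated=1"


def write_session_unsafe(header_user: str) -> str:
    """Flawed pattern: header-derived text is written verbatim, before login."""
    return f"authenticated=0\nuser={header_user}\n"


def write_session_safe(header_user: str) -> str:
    """Hardened pattern: refuse any control character, CR and LF included."""
    if CONTROL_CHARS.search(header_user):
        raise ValueError("control character in header-derived value")
    return f"authenticated=0\nuser={header_user}\n"


def load_session(raw: str) -> dict:
    """Line-based loader: each physical line becomes a field, last one wins."""
    fields = {}
    for line in raw.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key] = value
    return fields


def duplicate_keys(raw: str) -> list:
    """Audit helper: keys that occur more than once in a single session record."""
    keys = [line.partition("=")[0] for line in raw.splitlines() if "=" in line]
    return sorted(k for k, n in Counter(keys).items() if n > 1)


if __name__ == "__main__":
    record = write_session_unsafe(CONSTRUCTED_VALUE)
    print("loaded from unsafe writer:", load_session(record))
    print("duplicate keys in record: ", duplicate_keys(record))
    try:
        write_session_safe(CONSTRUCTED_VALUE)
    except ValueError as exc:
        print("safe writer rejected value:", exc)
```

The injected line break turns one value into two records, so the loader reads a field the writer never intended to set; rejecting control characters before the write closes that path in this model.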
Mitigation steps:
1. Update to the latest fixed versions of cPanel/WHM or WP Squared immediately.
2. Restart the 'cpsrvd' service after installing updates.
3. If patching isn't possible, block external access to ports 2083, 2087, 2095, and 2096, or stop the cpsrvd and cpdavd cPanel internal core services.
4. Use the vendor-provided detection script to check for compromise.
5. If indicators are found: purge sessions, reset all credentials, audit logs, and investigate persistence mechanisms.
6. Use watchTowr's Detection Artifact Generator script to verify vulnerability status.
Affected products:
cPanel/WHM 11.110.0 (fixed in 11.110.0.97)
cPanel/WHM 11.118.0 (fixed in 11.118.0.63)
cPanel/WHM 11.126.0 (fixed in 11.126.0.54)
cPanel/WHM 11.132.0 (fixed in 11.132.0.29)
cPanel/WHM 11.134.0 (fixed in 11.134.0.20)
cPanel/WHM 11.136.0 (fixed in 11.136.0.5)
WP Squared 11.136.1 (fixed in 11.136.1.7)
Related links:
https://www.reddit.com/r/cpanel/comments/1syyajp/comment/oiz12pp/?utm_source=BC
https://www.bleepingcomputer.com/news/security/cpanel-whm-emergency-update-fixes-critical-auth-bypass-bug/
https://www.rapid7.com/blog/post/etr-cve-2026-41940-cpanel-whm-authentication-bypass/
http://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026
https://github.com/watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py
IOC's:
Ports 2083, 2087, 2095, 2096
This article was created with the assistance of AI technology by Perceptive.
