cPanel and WHM CVE-2026-41940: CVSS 9.8 Authentication Bypass Exploited as Zero-Day Before Patch

CVE-2026-41940, a CVSS 9.8 authentication bypass in cPanel and WHM web hosting control panel software, was exploited in the wild before the vendor issued a patch. All versions from 11.40 onwards are affected. Proof-of-concept code is now public. Web hosting providers, managed service providers, and any organisation running cPanel/WHM for server management should apply the emergency patch immediately.

Tags: cpanel, whm, cve-2026-41940, auth-bypass, zero-day, web-hosting, actively-exploited

A critical authentication bypass in cPanel and WHM, the web hosting control panel software running on an estimated 70 million domains across managed hosting providers and self-managed server infrastructure, was exploited as a zero-day before a patch became available. CVE-2026-41940, rated CVSS 9.8, allows unauthenticated attackers to bypass the login mechanism entirely and gain access to the server management interface. A public proof-of-concept is now available, significantly expanding the attacker pool beyond the initial exploitation group.

The Vulnerability

CVE-2026-41940 is an authentication logic flaw in the WHM (Web Host Manager) and cPanel login flow affecting all versions from 11.40 onwards. The flaw exists in how the session validation handler processes specific sequences of authentication steps: an attacker can craft a request that causes the authentication state machine to advance past the credential verification step without supplying valid credentials.

The impact is complete: a successful bypass grants the attacker full access to WHM or cPanel with the privileges of the account being targeted. On the WHM (administrative) interface, this means root-level server management access: the ability to create or delete hosting accounts, modify DNS zones, install software, access all hosted websites' file systems and databases, and modify server configuration. On the cPanel (individual hosting account) interface, it provides full control over that account's websites, email accounts, databases, and file system.

The zero-day exploitation window ran for approximately six days before cPanel’s emergency patch was available. During this window, attacks were targeted and required knowledge of valid account usernames (which can often be enumerated or are publicly known for high-value targets).

Exploitation and PoC Status

The vulnerability was first reported through a private bug bounty programme, but independent researchers reverse-engineered the flaw from scanning traffic patterns before the patch was released. A working public proof-of-concept has been published on GitHub, reducing the exploitation barrier to script-kiddie level. Automated scanning for vulnerable cPanel/WHM instances has been observed increasing sharply since the PoC publication.

Attackers who exploited the zero-day window primarily targeted managed web hosting providers, particularly those operating reseller hosting accounts that aggregate hundreds or thousands of customer websites behind a single WHM instance. A single successful bypass against a reseller WHM account provides access to all customer accounts managed within it.

Affected Versions and Patch

All cPanel and WHM versions from 11.40 through the unpatched builds are affected. cPanel has released an out-of-band emergency update:

Product (release tier)      Fixed Version
cPanel & WHM LTS            120.0.24 or later
cPanel & WHM STABLE         122.0.16 or later
cPanel & WHM CURRENT        124.0.6 or later

cPanel installations configured for automatic updates should have received the patch automatically if auto-update settings cover security releases. Manual installations or those with deferred update policies require explicit action.

  • Apply the emergency patch immediately: run upcp --force on affected cPanel/WHM servers to force an update to the patched release, or apply the patch via the cPanel Update Manager in WHM under Update Preferences.
  • Audit WHM and cPanel access logs for the past seven days: check /usr/local/cpanel/logs/access_log and /var/log/cpanel/login_log for authentication events that bypassed the credential step. Look for sessions established without preceding failed login attempts or with unusual user-agent strings.
  • Rotate all WHM root and reseller account credentials: if your cPanel/WHM instance was internet-accessible during the zero-day window (April 24–30), treat all credentials as potentially compromised. Rotate WHM root passwords, API tokens, and all reseller account passwords.
  • Review all hosted accounts for new administrative users, modified DNS zones, or injected content β€” post-compromise actions in WHM commonly include creating backdoor hosting accounts, modifying DNS for email hijacking, or injecting web shells into hosted sites.
  • Restrict WHM access by IP β€” if not already done, configure WHM Host Access Control to limit WHM login access to specific management IP addresses. WHM should never be reachable from the public internet without IP allowlisting.
  • Check for automated exploitation β€” review web application firewall logs and network flow data for scanning activity targeting cPanel/WHM ports (2087/TCP for WHM, 2083/TCP for cPanel) from unfamiliar source addresses.
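The log audit and scanning checks in the list above can be scripted. The following is an added example written for this page, not code from cPanel or from the advisory's author. It assumes a simplified login-log record format (timestamp, service, result, username, source IP, quoted user agent) and a simplified flow-record format (timestamp, source IP, destination IP, destination port, bytes); the real cPanel/WHM log layouts differ, so the two parsers are the part to adapt. The sample log lines, the management allowlist and the threshold are constructed for the example.

```python
"""Triage helpers for the post-patch checks: flag successful WHM/cPanel logins
that deserve review and sources hammering the cPanel/WHM ports.

Assumed (not from cPanel) log formats:
  login log : <ISO ts> <service> <FAILED|SUCCESS> <user> <src-ip> "<user-agent>"
  flow log  : <ISO ts> <src-ip> <dst-ip> <dst-port> <bytes>
"""
from collections import Counter
from datetime import datetime, timedelta
import ipaddress
import shlex

# Constructed example values; replace with your own management ranges and agents.
MANAGEMENT_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]
KNOWN_AGENTS = ("Mozilla/",)       # user-agent prefixes your administrators use
CPANEL_PORTS = {2087, 2083}        # WHM and cPanel ports named in the advisory
SCAN_THRESHOLD = 20                # connections from one source before it counts as scanning
FAILURE_WINDOW = timedelta(hours=1)

# Constructed login-log sample: a normal admin login after a typo, a login from an
# unfamiliar source with a scripted client, and a login from the management range.
LOGIN_LOG = """\
2026-04-25T02:14:09Z whm FAILED root 198.51.100.7 "Mozilla/5.0"
2026-04-25T02:14:15Z whm SUCCESS root 198.51.100.7 "Mozilla/5.0"
2026-04-25T03:40:01Z whm SUCCESS reseller01 192.0.2.44 "python-requests/2.31"
2026-04-25T09:00:00Z whm SUCCESS root 203.0.113.10 "Mozilla/5.0"
"""

# Constructed flow sample: one source probing 2087 repeatedly plus one admin session.
FLOW_LOG = "\n".join(
    f"2026-04-26T01:{i:02d}:00Z 198.51.100.200 192.0.2.10 2087 {512 + i}" for i in range(25)
) + "\n2026-04-26T08:00:00Z 203.0.113.10 192.0.2.10 2087 9000\n"


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _in_allowlist(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_ALLOWLIST)


def parse_login_log(text):
    """Parse the assumed login-log format into one dict per line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, service, result, user, ip, agent = shlex.split(line)  # shlex keeps the quoted agent whole
        events.append({"ts": _ts(ts), "service": service, "result": result,
                       "user": user, "ip": ip, "agent": agent})
    return events


def suspicious_logins(events):
    """Return (user, ip, reasons) for each SUCCESS that matches a review heuristic:
    source outside the management allowlist, an unfamiliar user agent, or no
    FAILED attempt from that source within FAILURE_WINDOW beforehand."""
    last_failure = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] == "FAILED":
            last_failure[ev["ip"]] = ev["ts"]
            continue
        if ev["result"] != "SUCCESS":
            continue
        reasons = []
        if not _in_allowlist(ev["ip"]):
            reasons.append("outside_allowlist")
        if not ev["agent"].startswith(KNOWN_AGENTS):
            reasons.append("unfamiliar_agent")
        prior = last_failure.get(ev["ip"])
        if prior is None or ev["ts"] - prior > FAILURE_WINDOW:
            reasons.append("no_prior_failure")
        if reasons:
            findings.append((ev["user"], ev["ip"], reasons))
    return findings


def scan_sources(flow_text, threshold=SCAN_THRESHOLD):
    """Count connections to the cPanel/WHM ports per non-allowlisted source and
    return {source: count} for sources at or above the threshold."""
    hits = Counter()
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        _ts_, src, _dst, dport, _nbytes = line.split()
        if int(dport) in CPANEL_PORTS and not _in_allowlist(src):
            hits[src] += 1
    return {src: n for src, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for user, ip, reasons in suspicious_logins(parse_login_log(LOGIN_LOG)):
        print(f"review login: {user} from {ip}: {', '.join(reasons)}")
    for src, n in scan_sources(FLOW_LOG).items():
        print(f"possible scanner: {src} ({n} connections to cPanel/WHM ports)")
```

The "no prior failed attempt" heuristic on its own is noisy (most legitimate logins also succeed first time), so the script reports it as one reason among several rather than as a verdict; a login from outside the management range with a scripted user agent and no failure history is the combination worth pulling first. Sources the allowlist already covers are excluded from the scan count so that the real management hosts do not show up as scanners.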

Scope

cPanel/WHM is the dominant server control panel in shared and managed web hosting, running on Linux servers across hosting providers from large commercial platforms down to small managed service providers. Organisations that rely on third-party hosting providers should confirm their provider has patched; the risk extends beyond self-managed infrastructure to any customer of a cPanel-based hosting platform.
