Critical cPanel & WHM Authentication Flaw Exposes Servers to Unauthorized Access
cPanel disclosed a critical login authentication vulnerability in cPanel & WHM that can allow unauthorized access to affected servers, and released fixes for supported versions on April 28, 2026. Public technical details remain limited and no CVE had been assigned at the time of disclosure, but changelog references tied the issue to session loading and saving under CPANEL-52908. The flaw affects multiple supported release tiers, and cPanel urged administrators to upgrade immediately.
Patched builds were issued for versions 110, 118, 126, 132, 134, and 136, while unsupported or end-of-life deployments are also considered likely at risk. The exposure is significant because WHM is used for server administration and cPanel manages individual hosting accounts, meaning successful exploitation could compromise both administrative and tenant access paths. Security teams were advised to rapidly inventory internet-facing cPanel assets, identify impacted versions, and prioritize emergency remediation across hosted environments.
How this story unfolded
21 events from the earliest known activity through the most recent confirmed update.
KnownHost observes CVE-2026-41940 exploitation attempts
KnownHost reported seeing successful exploitation of the cPanel & WHM authentication bypass before a fix was available, with execution attempts observed as early as 2026-02-23. This indicates the flaw was being exploited as a zero-day well before cPanel's public disclosure and patch release.
cPanel releases fixes for critical login authentication flaw
cPanel disclosed a critical login authentication vulnerability affecting multiple supported versions of cPanel & WHM and released patched builds for versions 110, 118, 126, 132, 134, and 136. The issue was described as potentially allowing unauthorized access to affected servers, with changelogs tying it to CPANEL-52908.
runZero publishes guidance to identify exposed cPanel & WHM assets
runZero published analysis and asset-discovery guidance following cPanel's disclosure, noting that public technical details were still limited and no CVE had yet been assigned. The post also warned that unsupported or end-of-life versions were likely affected and provided a query to help organizations find impacted systems.
Namecheap blocks cPanel ports and begins deploying fixes
Following cPanel's disclosure, Namecheap said it temporarily blocked TCP ports 2083 and 2087 to limit access to cPanel and WHM while patches were rolled out. By 2026-04-29 02:42 UTC, it reported fixes had been applied to Reseller and Stellar Business servers, with remaining systems also being addressed.
cPanel WHM flaw assigned CVE-2026-41940 amid in-the-wild exploitation
By 2026-04-29, reporting on cPanel's critical WHM authentication bypass identified the issue as CVE-2026-41940 and said it had been exploited in the wild before patches were released. The flaw was described as affecting nearly all known cPanel and WHM versions, including some end-of-life releases, with risk of administrative server compromise.
Cyber Centre flags cPanel advisory affecting WP Squared
Canada's Cyber Centre published advisory AV26-404 noting that cPanel's April 28, 2026 security advisory addressed vulnerabilities in both cPanel software and WP Squared. It listed affected versions including WP Squared 11.136.1.7 and urged administrators to review cPanel guidance and apply updates.
watchTowr publishes CVE-2026-41940 technical analysis and PoC
watchTowr published a technical analysis and proof-of-concept exploit for CVE-2026-41940, the critical cPanel & WHM authentication bypass. The disclosure provided deeper detail on the CRLF injection flaw and raised concern that broader exploitation would follow.
cPanel releases IOC detection script for CVE-2026-41940
cPanel published a detection script to help administrators identify possible exploitation of CVE-2026-41940 by scanning /var/cpanel/sessions for suspicious token patterns and malformed session attributes. The guidance accompanied mitigation advice for organizations unable to patch immediately.
CISA adds CVE-2026-41940 to KEV catalog
CISA added CVE-2026-41940, affecting WebPros cPanel & WHM and WP2/WordPress Squared, to its Known Exploited Vulnerabilities catalog. The KEV entry set a remediation due date of 2026-05-03 and directed organizations to apply vendor mitigations, follow BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable.
Cato Networks publishes IPS signatures and IOCs for CVE-2026-41940
On 2026-04-30, Cato Networks said it observed exploitation attempts targeting CVE-2026-41940 and released IPS signatures for virtual patching along with network indicators linked to infrastructure geolocated to Ireland, Japan, and the United States. The disclosure added new defender-focused detection content beyond earlier vendor advisories and cPanel's own IOC script.
HostGator takes defensive action against CVE-2026-41940
By 2026-04-30, reporting indicated that hosting provider HostGator had joined other providers in responding to CVE-2026-41940 by restricting cPanel/WHM access and applying patches. This added HostGator as a newly disclosed affected responder to the in-the-wild exploitation of the flaw.
Censys reports mass compromise wave hitting exposed cPanel/WHM hosts
On 2026-05-01, Censys linked a sharp increase of more than 15,000 newly maliciously classified internet hosts to exploitation targeting cPanel/WHM systems after disclosure of CVE-2026-41940. The company said the activity included at least two post-compromise paths—Mirai-related malware and ransomware appending a ".sorry" extension—indicating large-scale automated exploitation was ongoing.
cPanelSniper exploit framework for CVE-2026-41940 is publicly released
On 2026-05-02, reporting said security researcher Mitsec published cPanelSniper, a weaponized GitHub exploit framework for CVE-2026-41940 that automates session forgery, bulk scanning, shell access, and post-exploitation actions. The release marked a new escalation beyond earlier technical analysis and PoC disclosures by making a more operational attack tool publicly available.
South-East Asian military entities reported targeted via CVE-2026-41940
Ctrl-Alt-Intel reported that South-East Asian military entities were targeted through exploitation of CVE-2026-41940 in cPanel. This appears to be a newly disclosed victim/campaign development beyond the previously documented mass exploitation and public exploit releases.
Researchers detail Indonesian defense portal breach tied to CVE-2026-41940
On 2026-05-02, researchers disclosed that a campaign exploiting CVE-2026-41940 also compromised an Indonesian defense-sector training portal using valid credentials, CAPTCHA bypass, SQL injection, and PostgreSQL COPY TO PROGRAM for command execution. The intrusion reportedly enabled internal pivoting and exfiltration of 110 files totaling about 4.37 GB, including sensitive Chinese railway documents and personal data.
Unknown actor targets MSP and hosting networks with CVE-2026-41940
Ctrl-Alt-Intel reported on 2026-05-02 that a previously unknown threat actor exploited CVE-2026-41940 to target government and military entities in Southeast Asia, especially in the Philippines and Laos, as well as MSPs and hosting providers in multiple countries. The activity reportedly used public PoC code and post-compromise tooling including AdapdixC2, OpenVPN, Ligolo, and systemd persistence, expanding the known campaign beyond earlier military-focused reporting.
Shadowserver reports 44,000 likely compromised cPanel/WHM IPs
By 2026-05-04, Shadowserver Foundation reported more than 572,000 exposed cPanel/WHM instances worldwide and said over 44,000 IPs were likely already compromised amid exploitation of CVE-2026-41940. The figures provided a new global estimate of exposure and impact beyond earlier reports of scanning and mass exploitation.
Rapid7 opens Metasploit exploit module PR for CVE-2026-41940
A Rapid7 Metasploit Framework pull request was opened to add an exploit module for the cPanel/WHM authentication bypass RCE tracked as CVE-2026-41940. The public PR indicated work was underway to integrate exploitation into Metasploit, marking a new stage in commoditization of the flaw.
XLab attributes CVE-2026-41940 backdoor campaign to Mr_Rot13
On 2026-05-11, Qianxin XLab linked ongoing exploitation of CVE-2026-41940 to a threat cluster it calls "Mr_Rot13" and described a Go-based malware family used after compromise. The report said the operators changed root passwords, implanted SSH keys, installed PHP webshells and credential-stealing JavaScript, exfiltrated data to attacker infrastructure and Telegram, and deployed a cross-platform remote-control trojan named "filemanager."
Macnica reports 194 exposed cPanel/WHM servers in Japan hit by Sorry ransomware
Macnica’s Security Research Center said 194 of 1,692 publicly exposed cPanel/WHM servers in Japan had been compromised with Sorry ransomware amid exploitation of CVE-2026-41940. The disclosure provided a new country-specific impact assessment beyond earlier general reporting on ransomware activity tied to the flaw.
Cyber Centre flags new cPanel and WP Squared security advisory
On 2026-05-13, Canada's Cyber Centre published advisory AV26-464 after cPanel issued new security advisories for cPanel & WHM and WP Squared. The notice said affected cPanel & WHM versions were those prior to multiple fixed releases, referenced WP Squared 11.136.1.12, and urged administrators to review cPanel guidance and apply updates.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
50 references tracked. Mallory keeps watching after this page renders.
cPanel security advisory (AV26-464) - Canadian Centre for Cyber Security
cyber.gc.ca
Open sourceThreat actor Mr_Rot13 exploits critical cPanel flaw to deploy Filemanager backdoor | brief | SC Media
scworld.com
Open sourceAttackers exploit cPanel CVE-2026-41940 to deploy Filemanager Backdoor
securityaffairs.com
Open sourceFilemanager Fever: MrRot_13’s cPanel Exploitation Campaign Is Spreading Fast - SecPod Blog
secpod.com
Open sourceWarning: Multiple vulnerabilities in cPanel and WHM, leading to privilege escalation, Patch Immediately! | CCB Belgium
ccb.belgium.be
Open sourceStealthy hackers exploit cPanel flaw in active backdoor campaign (CVE-2026-41940) - Help Net Security
helpnetsecurity.com
Open sourcecPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor
thehackernews.com
Open source秘密活动6年的神秘黑客组织Mr_Rot13正在利用cPanel高危漏洞部署后门木马
blog.xlab.qianxin.com
Open sourceThreat Actor Mr_Rot13 Actively Exploits CVE-2026-41940 for Backdoor Deployment
blog.xlab.qianxin.com
Open sourceGetting Rid of Your VPN - Rob Allen - PSW #925 | SC Media
scworld.com
Open sourceAdd exploit for cPanel/WHM auth bypass RCE (CVE-2026-41940) by jburgess-r7 · Pull Request #21417 · rapid7/metasploit-framework · GitHub
github.com
Open sourceHackers target governments and MSPs via critical cPanel flaw CVE-2026-41940
securityaffairs.com
Open sourceCritical cPanel Vulnerability Weaponized to Target Government and MSP Networks
thehackernews.com
Open sourceCISA Warns of cPanel & WHM Vulnerability Exploited in Attacks
cybersecuritynews.com
Open sourceExploit Cyber-Frenzy Threatens Millions via Critical cPanel Vulnerability
darkreading.com
Open sourceHackers are mass-exploiting the cPanel bug to gain control of thousands of websites | TechCrunch
techcrunch.com
Open sourceCritical vulnerability in cPanel leads to widespread exploitation | Cybersecurity Dive
cybersecuritydive.com
Open sourceU.S. CISA adds a flaw in WebPros cPanel to its Known Exploited Vulnerabilities catalog
securityaffairs.com
Open sourceThreat Brief: CVE-2026-41940: Critical cPanel & WHM Authentication Bypass Actively Exploited in the Wild | Cato Networks
catonetworks.com
Open sourceHackers Breach Government and Military Servers by Exploiting cPanel Vulnerability
cybersecuritynews.com
Open sourcecPanelSniper - PoC Exploit Disclosed for cPanel Vulnerability, 44,000 Servers Compromised
cybersecuritynews.com
Open sourceThe cPanel Situation Is Spiraling Fast
darkwebinformer.com
Open sourceSouth-East Asian Military Entities Targeted via cPanel (CVE-2026-41940) - Ctrl-Alt-Intel
ctrlaltintel.com
Open sourceThe cPanel situation is… - Censys
censys.com
Open sourceAttacks Surge Against Vulnerable cPanel and WHM Software
bankinfosecurity.com
Open sourceCritical cPanel exploited: 'Millions' of sites could be hit • The Register
go.theregister.com
Open sourceFederal agencies must patch cPanel bug by Sunday, CISA says | The Record from Recorded Future News
therecord.media
Open sourceCritical cPanel exploited: 'Millions' of sites could be hit
theregister.com
Open sourceCritical cPanel vulnerability actively exploited in the wild | brief | SC Media
scworld.com
Open sourcecPanel's authentication bypass bug is being exploited in the wild, CISA warns | CyberScoop
cyberscoop.com
Open sourceCVE-2026-41940: cPanel & WHM Auth Bypass Flaw
socprime.com
Open sourcecPanel 0-Day Authentication Bypass Vulnerability Actively Exploited in the Wild - PoC Released
cybersecuritynews.com
Open sourceCPanel CVE-2026-41940 Auth Bypass Flaw: Patch Now Fast!
thecyberexpress.com
Open sourceHigh Fidelity Check for the cPanel Authentication Bypass (CVE-2026-41940) : r/netsec
reddit.com
Open sourceCISA Adds One Known Exploited Vulnerability to Catalog | CISA
cisa.gov
Open sourcecPanel zero-day exploited for months before patch release (CVE-2026-41940) - Help Net Security
helpnetsecurity.com
Open sourceWarning: Critical authentication bypass in cPanel & WHM, Patch Immediately! | CCB Belgium
ccb.belgium.be
Open sourceSecurity: CVE-2026-41940 - cPanel & WHM / WP2 Security Update 04/28/2026 - cPanel
support.cpanel.net
Open sourceAdd Updated KEV Files for 2026-04-30 · cisagov/kev-data@bf15ab0 · GitHub
github.com
Open sourceHackers are actively exploiting a bug in cPanel, used by millions of websites | TechCrunch
techcrunch.com
Open sourceCritical cPanel and WHM bug exploited as a zero-day, PoC now available
bleepingcomputer.com
Open sourceCERT.at Authentication Bypass in cPanel & WHM
cert.at
Open sourceCritical cPanel, WHM flaw probs exploited as 0-day, pros say
theregister.com
Open sourceCritical cPanel, WHM flaw probs exploited as 0-day, pros say • The Register
go.theregister.com
Open sourceAL26-008 - Vulnerability affecting cPanel and WebHost Manager (WHM) - CVE-2026-41940 - Canadian Centre for Cyber Security
cyber.gc.ca
Open sourcecPanel released a patch for a WebHost Manager (WHM) authentication bypass bug | Expel
expel.com
Open sourcecPanel security advisory (AV26-404) - Canadian Centre for Cyber Security
cyber.gc.ca
Open sourceCVE-2026-41940 | AttackerKB
attackerkb.com
Open sourceAll supported cPanel versions hit by critical auth bug, now patched
securityaffairs.com
Open sourceCritical cPanel Authentication Vulnerability Identified - Update Your Server Immediately
thehackernews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical RCE and Authentication Bypass Vulnerabilities in SolarWinds Web Help Desk
SolarWinds released security updates for *Web Help Desk (WHD)* to address multiple critical vulnerabilities that could allow **unauthenticated remote attackers** to bypass authentication and achieve **remote code execution (RCE)**. The patched issues include two critical authentication bypass flaws, **CVE-2025-40552** and **CVE-2025-40554** (reported by watchTowr researcher Piotr Bazydlo), and two critical RCE flaws tied to **untrusted data deserialization**, **CVE-2025-40553** (Bazydlo) and **CVE-2025-40551** (reported by Horizon3.ai researcher Jimi Sebree), enabling remote command execution without prior access. SolarWinds also fixed a high-severity **hardcoded credentials** issue, **CVE-2025-40537**, which could enable unauthorized access to administrative functions under certain conditions. The vendor advised administrators to upgrade to **Web Help Desk 2026.1** and patch quickly, noting WHD has a history of being targeted and previously had vulnerabilities flagged as actively exploited by CISA, reinforcing the likelihood of rapid attacker interest following disclosure and patch availability.
Mar 21, 2026
Critical Privilege Escalation Vulnerability in Plesk for Linux
A critical security vulnerability, tracked as CVE-2025-66430, has been identified in Plesk for Linux, specifically affecting the Password-Protected Directories feature. This flaw allows authenticated Plesk users to inject arbitrary data into Apache configuration files, leading to local privilege escalation and enabling attackers to execute commands with root-level privileges. The vulnerability poses a severe risk of complete server compromise, data theft, malware installation, and lateral movement within affected environments. Plesk versions 18.0.70 through 18.0.74, including Plesk Onyx installations, are impacted, and security updates have been released to address the issue. Administrators are strongly advised to apply the latest micro-updates (18.0.73.5 and 18.0.74.2) immediately to mitigate the risk. The vulnerability is the result of improper access control and insufficient input validation within the Password-Protected Directories feature. Exploitation requires access to a Plesk user account, but once achieved, attackers can escalate privileges to root, representing a significant threat to organizations relying on Plesk for server management. The issue is classified as critical, with a CVSS score of 9.1, and is remotely exploitable. Official Plesk documentation provides detailed guidance for patching affected systems, and prompt remediation is essential to prevent exploitation in the wild.
Mar 21, 2026
Multiple Critical Vulnerabilities Disclosed Across Popular Software Platforms
A series of critical vulnerabilities have been disclosed affecting a wide range of popular software platforms, including WordPress plugins, web frameworks, developer tools, and enterprise applications. Notable issues include unauthenticated remote code execution (RCE) flaws in Next.js (CVE-2025-66478), WordPress core (CVE-2025-6389), and the ACF Extended plugin (CVE-2025-13486), as well as privilege escalation and authentication bypass vulnerabilities in the WP Directory Kit plugin (CVE-2025-13390) and cPanel. Several of these vulnerabilities are reported to be under active exploitation, with proof-of-concept code available for some, increasing the urgency for immediate patching and mitigation. Other significant disclosures include a high-severity flaw in Vim for Windows (CVE-2025-66476) allowing arbitrary code execution, a critical SQL injection chain in Synology BeeStation, and a directory traversal vulnerability in cPanel that could lead to full server takeover. Additional advisories cover issues in lz4-java, Longwatch OT surveillance, Django, Elementor, Apache Struts, nopCommerce, and OpenVPN, with many rated as critical or high severity by CVSS. Organizations are strongly advised to review affected products and apply security updates promptly to mitigate the risk of exploitation.
Mar 21, 2026