Mallory

Critical cPanel & WHM Authentication Flaw Exposes Servers to Unauthorized Access

Tags: identity-authentication-vulnerability, widely-deployed-product-advisory, internet-facing-service-vulnerability, end-of-life-software
Updated May 6, 2026 at 12:01 PM | 53 sources

cPanel disclosed a critical login authentication vulnerability in cPanel & WHM that can allow unauthorized access to affected servers, and released fixes for supported versions on April 28, 2026. Public technical details were limited at the time of disclosure and no CVE had yet been assigned, but changelog references tied the issue to session loading and saving under CPANEL-52908. The flaw affects multiple supported release tiers, and cPanel urged administrators to upgrade immediately.

Patched builds were issued for versions 110, 118, 126, 132, 134, and 136, while unsupported or end-of-life deployments are also considered likely at risk. The exposure is significant because WHM is used for server administration and cPanel manages individual hosting accounts, meaning successful exploitation could compromise both administrative and tenant access paths. Security teams were advised to rapidly inventory internet-facing cPanel assets, identify impacted versions, and prioritize emergency remediation across hosted environments.

Timeline

  1. May 4, 2026

    Shadowserver reports 44,000 likely compromised cPanel/WHM IPs

    By 2026-05-04, Shadowserver Foundation reported more than 572,000 exposed cPanel/WHM instances worldwide and said over 44,000 IPs were likely already compromised amid exploitation of CVE-2026-41940. The figures provided a new global estimate of exposure and impact beyond earlier reports of scanning and mass exploitation.

  2. May 2, 2026

    Unknown actor targets MSP and hosting networks with CVE-2026-41940

    Ctrl-Alt-Intel reported on 2026-05-02 that a previously unknown threat actor exploited CVE-2026-41940 to target government and military entities in Southeast Asia, especially in the Philippines and Laos, as well as MSPs and hosting providers in multiple countries. The activity reportedly used public PoC code and post-compromise tooling including AdapdixC2, OpenVPN, Ligolo, and systemd persistence, expanding the known campaign beyond earlier military-focused reporting.

  3. May 2, 2026

    Researchers detail Indonesian defense portal breach tied to CVE-2026-41940

    On 2026-05-02, researchers disclosed that a campaign exploiting CVE-2026-41940 also compromised an Indonesian defense-sector training portal using valid credentials, CAPTCHA bypass, SQL injection, and PostgreSQL COPY TO PROGRAM for command execution. The intrusion reportedly enabled internal pivoting and exfiltration of 110 files totaling about 4.37 GB, including sensitive Chinese railway documents and personal data.

  4. May 2, 2026

    South-East Asian military entities reported targeted via CVE-2026-41940

    Ctrl-Alt-Intel reported that South-East Asian military entities were targeted through exploitation of CVE-2026-41940 in cPanel. This appears to be a newly disclosed victim and campaign development beyond the previously documented mass exploitation and public exploit releases.

  5. May 2, 2026

    cPanelSniper exploit framework for CVE-2026-41940 is publicly released

    On 2026-05-02, reporting said security researcher Mitsec published cPanelSniper, a weaponized GitHub exploit framework for CVE-2026-41940 that automates session forgery, bulk scanning, shell access, and post-exploitation actions. The release marked a new escalation beyond earlier technical analysis and PoC disclosures by making a more operational attack tool publicly available.

  6. May 1, 2026

    Censys reports mass compromise wave hitting exposed cPanel/WHM hosts

    On 2026-05-01, Censys linked a sharp increase of more than 15,000 newly maliciously classified internet hosts to exploitation targeting cPanel/WHM systems after disclosure of CVE-2026-41940. The company said the activity included at least two post-compromise paths (Mirai-related malware, and ransomware appending a ".sorry" extension), indicating large-scale automated exploitation was ongoing.

  7. Apr 30, 2026

    HostGator takes defensive action against CVE-2026-41940

    By 2026-04-30, reporting indicated that hosting provider HostGator had joined other providers in responding to CVE-2026-41940 by restricting cPanel/WHM access and applying patches. This added HostGator as a newly disclosed affected responder to the in-the-wild exploitation of the flaw.

  8. Apr 30, 2026

    Cato Networks publishes IPS signatures and IOCs for CVE-2026-41940

    On 2026-04-30, Cato Networks said it observed exploitation attempts targeting CVE-2026-41940 and released IPS signatures for virtual patching along with network indicators linked to infrastructure geolocated to Ireland, Japan, and the United States. The disclosure added new defender-focused detection content beyond earlier vendor advisories and cPanel's own IOC script.

  9. Apr 30, 2026

    CISA adds CVE-2026-41940 to KEV catalog

    CISA added CVE-2026-41940, affecting WebPros cPanel & WHM and WP2/WordPress Squared, to its Known Exploited Vulnerabilities catalog. The KEV entry set a remediation due date of 2026-05-03 and directed organizations to apply vendor mitigations, follow BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable.

  10. Apr 29, 2026

    cPanel releases IOC detection script for CVE-2026-41940

    cPanel published a detection script to help administrators identify possible exploitation of CVE-2026-41940 by scanning /var/cpanel/sessions for suspicious token patterns and malformed session attributes. The guidance accompanied mitigation advice for organizations unable to patch immediately.

  11. Apr 29, 2026

    watchTowr publishes CVE-2026-41940 technical analysis and PoC

    watchTowr published a technical analysis and proof-of-concept exploit for CVE-2026-41940, the critical cPanel & WHM authentication bypass. The disclosure provided deeper detail on the CRLF injection flaw and raised concern that broader exploitation would follow.

  12. Apr 29, 2026

    Cyber Centre flags cPanel advisory affecting WP Squared

    Canada's Cyber Centre published advisory AV26-404 noting that cPanel's April 28, 2026 security advisory addressed vulnerabilities in both cPanel software and WP Squared. It listed affected versions including WP Squared 11.136.1.7 and urged administrators to review cPanel guidance and apply updates.

  13. Apr 29, 2026

    cPanel WHM flaw assigned CVE-2026-41940 amid in-the-wild exploitation

    By 2026-04-29, reporting on cPanel's critical WHM authentication bypass identified the issue as CVE-2026-41940 and said it had been exploited in the wild before patches were released. The flaw was described as affecting nearly all known cPanel and WHM versions, including some end-of-life releases, with risk of administrative server compromise.

  14. Apr 29, 2026

    Namecheap blocks cPanel ports and begins deploying fixes

    Following cPanel's disclosure, Namecheap said it temporarily blocked TCP ports 2083 and 2087 to limit access to cPanel and WHM while patches were rolled out. By 2026-04-29 02:42 UTC, it reported fixes had been applied to Reseller and Stellar Business servers, with remaining systems also being addressed.

  15. Apr 28, 2026

    runZero publishes guidance to identify exposed cPanel & WHM assets

    runZero published analysis and asset-discovery guidance following cPanel's disclosure, noting that public technical details were still limited and no CVE had yet been assigned. The post also warned that unsupported or end-of-life versions were likely affected and provided a query to help organizations find impacted systems.

  16. Apr 28, 2026

    cPanel releases fixes for critical login authentication flaw

    cPanel disclosed a critical login authentication vulnerability affecting multiple supported versions of cPanel & WHM and released patched builds for versions 110, 118, 126, 132, 134, and 136. The issue was described as potentially allowing unauthorized access to affected servers, with changelogs tying it to CPANEL-52908.

  17. Feb 23, 2026

    KnownHost observes CVE-2026-41940 exploitation attempts

    KnownHost reported seeing successful exploitation of the cPanel & WHM authentication bypass before a fix was available, with execution attempts observed as early as 2026-02-23. This indicates the flaw was being exploited as a zero-day well before cPanel's public disclosure and patch release.
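The IOC script in item 10 (scanning /var/cpanel/sessions for malformed session attributes) and the CRLF-injection detail in item 11 point at the same defender check: in a line-oriented session store, a value that carries a carriage return or line feed spills into extra attribute lines the loader never intended to write. The following is an added example, not cPanel's own detection script; it assumes a constructed one-attribute-per-line key=value layout (cPanel's real session format is not documented on this page), takes only the directory name from the text, and uses constructed sample data.

```python
import re
from pathlib import Path

# Assumed layout (constructed for this example, not cPanel's documented
# format): one "key=value" attribute per LF-terminated line, stored as
# one file per session under a directory such as /var/cpanel/sessions.
# A bare CR, other control bytes, an unparseable line, or a key that
# appears twice are the tells of a value that spilled over.
CONTROL_CHARS = re.compile(rb"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")  # CR/TAB handled separately
KEY_RE = re.compile(rb"^[A-Za-z0-9_]+$")


def scan_session_bytes(name: str, data: bytes) -> list[str]:
    """Return a list of findings for one session file's raw contents."""
    findings: list[str] = []
    seen: set[bytes] = set()
    # Split on LF only: a CR left inside a line is the CRLF-injection tell.
    for lineno, line in enumerate(data.split(b"\n"), start=1):
        if not line:
            continue
        if b"\r" in line:
            findings.append(f"{name}:{lineno}: carriage return inside attribute")
        if CONTROL_CHARS.search(line):
            findings.append(f"{name}:{lineno}: control character in attribute")
        key, sep, _value = line.partition(b"=")
        if not sep or not KEY_RE.match(key):
            findings.append(f"{name}:{lineno}: malformed attribute line")
            continue
        if key in seen:
            findings.append(f"{name}:{lineno}: duplicate key {key.decode()}")
        seen.add(key)
    return findings


def scan_session_dir(directory: str) -> dict[str, list[str]]:
    """Scan every regular file in the directory; return only files with findings."""
    results: dict[str, list[str]] = {}
    for path in Path(directory).iterdir():
        if path.is_file():
            hits = scan_session_bytes(path.name, path.read_bytes())
            if hits:
                results[path.name] = hits
    return results


# Constructed samples: a clean session and one whose attributes spilled over.
CLEAN_SESSION = b"user=alice\nlang=en\ntheme=paper_lantern\n"
SUSPECT_SESSION = b"user=alice\nlang=en\r\nlang=fr\ntheme=paper lantern\x01\n=oops\n"

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_SESSION), ("suspect", SUSPECT_SESSION)):
        print(label, scan_session_bytes(label, blob) or "no findings")
```

Run `scan_session_dir("/var/cpanel/sessions")` as root on a host you administer; a non-empty result is a lead to investigate alongside the vendor's own IOC script, not a verdict on its own.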

Related Stories

Critical RCE and Authentication Bypass Vulnerabilities in SolarWinds Web Help Desk

SolarWinds released security updates for *Web Help Desk (WHD)* to address multiple critical vulnerabilities that could allow **unauthenticated remote attackers** to bypass authentication and achieve **remote code execution (RCE)**. The patched issues include two critical authentication bypass flaws, **CVE-2025-40552** and **CVE-2025-40554** (reported by watchTowr researcher Piotr Bazydlo), and two critical RCE flaws tied to **untrusted data deserialization**, **CVE-2025-40553** (Bazydlo) and **CVE-2025-40551** (reported by Horizon3.ai researcher Jimi Sebree), enabling remote command execution without prior access. SolarWinds also fixed a high-severity **hardcoded credentials** issue, **CVE-2025-40537**, which could enable unauthorized access to administrative functions under certain conditions. The vendor advised administrators to upgrade to **Web Help Desk 2026.1** and patch quickly, noting WHD has a history of being targeted and previously had vulnerabilities flagged as actively exploited by CISA, reinforcing the likelihood of rapid attacker interest following disclosure and patch availability.

1 month ago
Critical Privilege Escalation Vulnerability in Plesk for Linux

A critical security vulnerability, tracked as CVE-2025-66430, has been identified in Plesk for Linux, specifically affecting the Password-Protected Directories feature. This flaw allows authenticated Plesk users to inject arbitrary data into Apache configuration files, leading to local privilege escalation and enabling attackers to execute commands with root-level privileges. The vulnerability poses a severe risk of complete server compromise, data theft, malware installation, and lateral movement within affected environments. Plesk versions 18.0.70 through 18.0.74, including Plesk Onyx installations, are impacted, and security updates have been released to address the issue. Administrators are strongly advised to apply the latest micro-updates (18.0.73.5 and 18.0.74.2) immediately to mitigate the risk. The vulnerability is the result of improper access control and insufficient input validation within the Password-Protected Directories feature. Exploitation requires access to a Plesk user account, but once achieved, attackers can escalate privileges to root, representing a significant threat to organizations relying on Plesk for server management. The issue is classified as critical, with a CVSS score of 9.1, and is remotely exploitable. Official Plesk documentation provides detailed guidance for patching affected systems, and prompt remediation is essential to prevent exploitation in the wild.

1 month ago
Multiple Critical Vulnerabilities Disclosed Across Popular Software Platforms

A series of critical vulnerabilities have been disclosed affecting a wide range of popular software platforms, including WordPress plugins, web frameworks, developer tools, and enterprise applications. Notable issues include unauthenticated remote code execution (RCE) flaws in Next.js (CVE-2025-66478), WordPress core (CVE-2025-6389), and the ACF Extended plugin (CVE-2025-13486), as well as privilege escalation and authentication bypass vulnerabilities in the WP Directory Kit plugin (CVE-2025-13390) and cPanel. Several of these vulnerabilities are reported to be under active exploitation, with proof-of-concept code available for some, increasing the urgency for immediate patching and mitigation. Other significant disclosures include a high-severity flaw in Vim for Windows (CVE-2025-66476) allowing arbitrary code execution, a critical SQL injection chain in Synology BeeStation, and a directory traversal vulnerability in cPanel that could lead to full server takeover. Additional advisories cover issues in lz4-java, Longwatch OT surveillance, Django, Elementor, Apache Struts, nopCommerce, and OpenVPN, with many rated as critical or high severity by CVSS. Organizations are strongly advised to review affected products and apply security updates promptly to mitigate the risk of exploitation.

1 month ago