VYPR
kev · Published Apr 30, 2026 · Updated May 18, 2026 · 1 source

cPanel zero-day exploited for months before patch release (CVE-2026-41940)

A critical authentication bypass vulnerability in cPanel and WHM (CVE-2026-41940) has been exploited in the wild since at least February 23, with a patch released only on April 28.

A critical authentication bypass vulnerability (CVE-2026-41940) in cPanel, a widely used web hosting control panel, has been actively exploited in the wild since at least February 23, 2026. The flaw, which affects all cPanel and WHM versions after v11.40, allows unauthenticated remote attackers to gain root-level access to affected servers. WebPros International, the developer of cPanel, released a security advisory and patches on April 28, but the delay has left approximately 1.5 million internet-exposed cPanel instances potentially vulnerable.

The vulnerability stems from missing authentication for a critical function in the cPanel service daemon (cpsrvd). According to Rapid7 researcher Ryan Emmons, before authentication occurs, cpsrvd writes a new session file to disk. An attacker can manipulate the whostmgrsession cookie by omitting an expected segment, bypassing encryption. By injecting raw \r\n characters via a malicious Basic Authorization header, the attacker can insert arbitrary properties, such as user=root, into the session file. After triggering a session reload, the attacker gains administrator-level access.
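One way to look for the header-injection pattern described above in traffic reaching a cPanel/WHM host, as an added detection example that is not code from the article, from Rapid7, or from cPanel/WebPros. It assumes raw HTTP request headers are available (for instance from a reverse proxy or IDS capture in front of ports 2083/2087) and that legitimate Basic credentials never contain control characters; the host name and the sample requests are constructed for illustration.

```python
"""Flag Basic Authorization headers whose decoded credentials carry control
characters or trailing key=value lines (the shape of payload the write-up
describes). Added example, not vendor or article code; sample requests are
constructed and the host name is hypothetical."""
import base64
import binascii
import re

# Control characters are never expected inside a username:password pair.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# A line that looks like a session property being smuggled in, e.g. "user=root".
PROPERTY_LINE = re.compile(r"^\s*[A-Za-z_][A-Za-z0-9_]*\s*=\s*\S+")


def decode_basic(header_value):
    """Return the decoded 'user:password' text of a Basic header value, or None
    when the value is not a Basic scheme or is not decodable base64."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        return base64.b64decode(token.strip()).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def inspect_request(raw_request):
    """Return a list of human-readable findings for one raw HTTP request.
    Only the header block is examined; the request line is skipped."""
    findings = []
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\n")[1:]:
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        value = value.rstrip("\r")
        if CONTROL_CHARS.search(value):
            findings.append("control characters in raw Authorization value")
        decoded = decode_basic(value)
        if decoded is None:
            continue
        if CONTROL_CHARS.search(decoded):
            findings.append("control characters inside decoded Basic credentials")
        # Anything on a line after the credential pair is not a credential.
        for extra in re.split(r"\r\n|\r|\n", decoded)[1:]:
            if PROPERTY_LINE.match(extra):
                findings.append("injected property after credentials: " + extra.strip())
    return findings


def make_request(credentials):
    """Build a constructed WHM-style request carrying the given Basic credentials."""
    token = base64.b64encode(credentials.encode("utf-8")).decode("ascii")
    return (
        "GET /login/ HTTP/1.1\r\n"
        "Host: whm.example.test:2087\r\n"  # hypothetical host
        "Authorization: Basic " + token + "\r\n"
        "\r\n"
    )


# Constructed samples: a normal login and one smuggling a property line.
BENIGN_REQUEST = make_request("alice:s3cret")
SUSPICIOUS_REQUEST = make_request("alice:s3cret\r\nuser=root")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)):
        print(label, inspect_request(req) or ["no findings"])
```

The check deliberately works on the decoded credential text rather than on a particular session-file format, so it does not depend on cpsrvd internals that the write-up does not spell out; a hit is a reason to pull the full request and the server's session directory for review, not proof of compromise on its own.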

Exploitation has been observed since at least February 23, with attackers likely abusing the flaw even earlier. The disclosure timeline remains murky: according to a webhosting.today source, the vulnerability was reported to cPanel approximately two weeks before the April 28 advisory, but cPanel's initial response was that nothing was wrong. It is unclear whether the reporter knew about active exploitation. WebPros did not communicate the existence of the vulnerability to hosting providers sooner or provide mitigation steps while working on fixes.

The impact is severe: successful exploitation grants attackers control over the cPanel host system, its configurations, databases, and all websites it manages. Shodan shows approximately 1.5 million cPanel instances exposed to the internet, though not all may be vulnerable. The Shadowserver Foundation reports seeing 44,000 unique IPs scanning, running exploits, or engaging in brute force attacks against honeypot sensors, and around 650,000 IPs hosting exposed cPanel/WHM instances. Exploratory probing has evolved into multi-actor exploitation as of early May.

WebPros has released patches and provided a script to search for indicators of compromise. Mitigations include blocking inbound traffic on ports 2083, 2087, 2095, and 2096 at the firewall and stopping the cpsrvd and cpdavd services. Hosting providers like KnownHost immediately blocked WHM/cPanel login ports and began applying updates. CISA has added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog, mandating federal agencies to patch by a specified deadline.
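A small exposure check for the port-blocking mitigation above, as an added example that is not code from the article or from cPanel/WebPros. It parses the text output of `ss -ltn`, reports which of the four listed ports are bound to a non-loopback address, and renders the iptables rules that would drop inbound traffic to them; the `ss` output below is constructed, and on a real host the output of `ss -ltn` would be passed in instead.

```python
"""List cPanel/WHM service ports still reachable from outside the host and
emit matching firewall rules. Added example, not vendor or article code; the
ss output is constructed."""

# The four ports the write-up says to block at the firewall while unpatched.
CPANEL_PORTS = {2083, 2087, 2095, 2096}


def _is_loopback(addr):
    """True for 127.0.0.0/8 or ::1, with or without IPv6 brackets."""
    addr = addr.strip("[]")
    return addr == "::1" or addr.startswith("127.")


def listening_sockets(ss_output):
    """Parse `ss -ltn` text into (address, port) tuples for LISTEN sockets."""
    sockets = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        sockets.append((addr, int(port)))
    return sockets


def exposed_cpanel_ports(ss_output):
    """Return the sorted cPanel/WHM ports bound to a non-loopback address."""
    return sorted({port for addr, port in listening_sockets(ss_output)
                   if port in CPANEL_PORTS and not _is_loopback(addr)})


def firewall_rules(ports):
    """Render iptables/ip6tables rules dropping inbound TCP to the given ports."""
    rules = []
    for port in ports:
        for tool in ("iptables", "ip6tables"):
            rules.append(f"{tool} -I INPUT -p tcp --dport {port} -j DROP")
    return rules


# Constructed `ss -ltn` output: 2095 is loopback-only, 22 is not a cPanel port.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:2083         0.0.0.0:*
LISTEN  0       128     [::]:2087            [::]:*
LISTEN  0       128     127.0.0.1:2095       0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     *:2096               *:*
"""

if __name__ == "__main__":
    exposed = exposed_cpanel_ports(SAMPLE_SS_OUTPUT)
    print("exposed cPanel/WHM ports:", exposed)
    for rule in firewall_rules(exposed):
        print(rule)
```

The rules are returned as text rather than executed so they can be reviewed, and blocking is only a stopgap: the patch from WebPros and a run of their indicator-of-compromise script remain the actual fix.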

This incident highlights the dangers of delayed vulnerability disclosure and the importance of proactive communication between vendors and customers. The extended exploitation window—over two months before a patch—underscores the need for faster response times and better threat intelligence sharing. Organizations using cPanel should prioritize patching and review logs for signs of compromise.

Synthesized by Vypr AI