Active in-the-wild exploit for cPanel CVE-2026-41940 bypasses WHM authentication

- cPanel disclosed CVE-2026-41940 on April 28 after hosting providers saw real attacks, and CISA added it to KEV on April 30. (support.cpanel.net)
- The bug hits cPanel and WHM versions after 11.40, scores 9.8 CVSS, and lets remote attackers reach admin access without logging in. (nvd.nist.gov)
- Public exploit details are already out, and roughly 1.5 million internet-exposed cPanel instances make fast patching unusually urgent. (bleepingcomputer.com)

cPanel is the control panel behind a huge chunk of shared hosting. When it breaks, one bug can put thousands of customer sites behind a(support.cpanel.net)attacker get into the management plane without valid credentials. cPanel published fixes on April 28, 2026, and CISA added the flaw to (nvd.nist.gov)ce of real-world abuse. (support.cpanel.net) writing attacker-controlled data into server-side session files before authentication fully finished, and that opened the door to bypassing the normal password check. NVD describes it as an authentication bypass in the login flow for versions after 11.40, and cPanel’s own advisory says the issue affects all versions after 11.40, including DNSOnly, until patched. (nvd.nist.gov)

### Why is WHM the scary part?

WHM is the top-level admin console for a hosting server(support.cpanel.net)es. Rapid7’s summary is blunt: successful exploitation can hand over the cPanel host system and the websites it manages. On shared hosting, that turns one foothold into a multi-tenant problem fast. (rapid7.com)

### Is this really being exploited now?

Yes. That is the part that moved this from bad bug to emergency. CISA added CVE-2026-41940 to KEV on April 30, which means there is e(nvd.nist.gov)dy saying the same thing — KnownHost said it had seen successful exploits before a fix was available, and later said it had seen execution attempts as early as February 23, 2026. (cisa.gov)

### How does the exploit work?

The public technical writeups point to a CRLF injection trick in the login and session-loading path. Turns (rapid7.com)then get the service to reload that state as if it were legitimate. watchTowr has already published a detection artifact generator and a deep technical analysis, which means defenders can study it — but attackers can too. (github.com)

### Who is exposed?

Potentially a lot of internet-facing hosting infrastructure. Rapid7 said Shodan sh(cisa.gov)ystems.

Still, the scale matters because cPanel is common at hosting providers, resellers, and managed WordPress shops. One missed patch can expose not just a server, but every customer living on it. (bleepingcomputer.com)

### What versions are fixed?

cPanel pushed patched builds for supported branches, including 11.110.0.97, 11.118.0.63, (github.com)s fixed in 136.1.7. cPanel also told admins to force the update, verify the installed build, and restart `cpsrvd` after patching. (support.cpanel.net)

### What if you cannot patch right away?

The vendor’s fallback is pretty severe — block inbound traffic to ports 2083, 2087, 2095, and 2096(bleepingcomputer.com)s, and other providers reportedly did the same to buy time. That is disruptive, but less disruptive than handing over the control plane. (support.cpanel.net)

### What should defenders do next?

Patch first. Then ve(support.cpanel.net)active exploitation predates public disclosure. The tricky part is that cPanel even had to update its detection guidance after false positives showed up, so defenders should treat quick one-shot scans as a starting point, not a clean bill of health. (support.cpanel.net)

The bottom line is s(support.cpanel.net)If you run cPanel or WHM and have not patched since April 28, 2026, you should assume this is urgent. (support.cpanel.net)
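A small check that compares an installed cPanel/WHM build string with the fixed builds named in this briefing (11.110.0.97, 11.118.0.63, 136.1.7), added here as an example rather than cPanel's own tooling. It assumes the build string lives in /usr/local/cpanel/version and that the branch is the second component of an 11.x version or the first component otherwise; branches the briefing does not list are reported as unknown, never as safe.

```python
"""Compare an installed cPanel/WHM build with the fixed builds for CVE-2026-41940.

Added example, not cPanel's or the briefing's code. Assumptions: the build string
is read from /usr/local/cpanel/version, and the branch is "110" in "11.110.0.97"
or "136" in "136.1.7".
"""
from pathlib import Path

# Fixed builds as listed in the briefing. A branch missing here must be checked
# against the vendor advisory; this table does not claim those branches are safe.
FIXED_BUILDS = {
    "110": "11.110.0.97",
    "118": "11.118.0.63",
    "136": "136.1.7",
}


def parse_version(text):
    """'11.110.0.97' -> ('110', (11, 110, 0, 97)). Raises ValueError on junk."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised cPanel version: {text!r}")
    nums = tuple(int(p) for p in parts)
    # Assumption: legacy builds carry an "11." prefix, newer ones do not.
    branch = parts[1] if parts[0] == "11" and len(parts) > 1 else parts[0]
    return branch, nums


def assess(version_text):
    """Return 'patched', 'vulnerable' or 'unknown-branch' for one build string."""
    branch, installed = parse_version(version_text)
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown-branch"
    _, fixed_nums = parse_version(fixed)
    # Tuple comparison orders builds numerically, so 11.110.0.100 > 11.110.0.97.
    return "patched" if installed >= fixed_nums else "vulnerable"


def assess_host(version_file="/usr/local/cpanel/version"):
    """Read the installed build from disk; 'missing' when cPanel is not present."""
    path = Path(version_file)
    if not path.exists():
        return "missing"
    return assess(path.read_text())


if __name__ == "__main__":
    # Constructed sample builds, not data from a real host.
    for sample in ("11.110.0.96", "11.110.0.97", "136.1.6", "136.1.7", "11.126.0.3"):
        print(sample, "->", assess(sample))
    print("this host ->", assess_host())
```

Treat "unknown-branch" as a prompt to read the advisory for that branch, and remember that a patched build still needs `cpsrvd` restarted, which this check cannot see.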
