Bypasses VPNs via split‑tunneling

- cPanel rushed fixes for CVE-2026-41940 after active attacks hit internet-facing cPanel and WHM logins, while defenders warned split-tunnel VPN setups can let stolen data dodge inspection.
- The cPanel bug was exploited as a zero-day since late February, and patched builds now span 11.110, 11.118, 11.120, 11.124, plus detection guidance.
- Together, the stories show the same problem: exposed admin edges and partial tunnels create blind spots attackers can route around.

Remote access is the domain here — VPNs, admin panels, and the little trust assumptions companies make so people can work from anywhere. The stakes are simple. If traffic leaves the laptop outside the corporate tunnel, or if an exposed control panel lets someone in without real authentication, attackers get a path around the defenses teams think are watching. That is why this week’s cPanel emergency and the renewed focus on split-tunneling belong in the same conversation. One is a front-door failure. The other is a side-door design choice. Together, they show how easy it is to lose visibility at the edge.

### What actually broke in cPanel?
cPanel disclosed CVE-2026-41940 on April 28, 2026 as a critical authentication issue affecting all supported cPanel and WHM versions, tied to multiple authentication paths. By May 1, cPanel had pushed patched versions across supported release tiers and published updated detection guidance because early checks could produce false positives. The practical problem was ugly — unauthorized logins to internet-facing admin panels.

### Was it really being exploited already?
Yes — and that is the part that changes this from “patch soon” to “assume exposure.” Multiple security writeups say attackers had been exploiting the flaw as a zero-day since late February 2026, before public disclosure and before broad patching. That means some organizations were already behind before they even knew there was a race.

### Why does an auth bypass matter so much?
Because cPanel and WHM are not just websites. They are control planes for hosting accounts, domains, mail, databases, and server settings. If an attacker can step through authentication on an exposed panel, the next moves can include account takeover, persistence, credential theft, and a pivot to server-level compromise. That last part is an inference from what these panels manage, but it is the obvious operational risk.

### Where does split-tunneling fit in?
Split-tunneling is the VPN feature that sends some traffic through the corporate tunnel and lets other traffic go straight to the internet. It exists for performance and practicality. But the catch is that it also creates a blind lane. Malware, command-and-control traffic, or exfiltration can use the non-VPN exit that nobody monitors closely. The convenience is real. So is the hole.

### Why do defenders worry about “local bridges”?
Because a compromised device can become the bridge. A laptop on a home or public network can talk outward directly while still maintaining trusted access inward over VPN. That turns one endpoint into a connector between two security zones that were supposed to stay separate. CISA’s remote-access guidance treats that kind of concurrent connectivity as something that needs explicit policy and enforcement, not a harmless default.

### So what should teams do first?
Patch cPanel immediately and use the vendor’s updated detection guidance. Reduce exposure of admin panels to the public internet wherever possible. On the remote-access side, disable split-tunneling for high-risk users and sensitive apps, or move to per-application access models that do not trust the whole device tunnel by default. Also watch for exfiltration over alternative channels, because attackers do not care which route leaves the fewest logs.

### What is the bottom line?
The lesson is not just “patch faster.” It is “stop assuming the monitored path is the only path.” This week’s cPanel bug showed how dangerous an exposed admin edge can be. Split-tunneling shows how easily traffic can slip around the edge you are watching.
