Block ports 2083–2096 now
- cPanel told admins to treat CVE-2026-41940 as an emergency: patch immediately, and if they cannot, block public access to the management ports now.
- The flaw is a CVSS 9.8 authentication bypass under active exploitation; fixed builds start at 11.86.0.41, 11.110.0.97, and the corresponding builds of newer supported branches.
- This matters because an exposed WHM can mean host takeover, and CISA has already added the bug to its Known Exploited Vulnerabilities (KEV) catalog.
cPanel servers are the control plane for a huge chunk of the web. When that control plane breaks, the risk is not "one login bug"; it is full takeover of the box that runs sites, mail, databases, and reseller accounts. That is the shape of CVE-2026-41940. cPanel pushed fixes on April 28, 2026, and by April 30 the bug had already landed in CISA's known-exploited catalog, which is usually the moment a security issue stops being theoretical and starts being an incident-response problem. (support.cpanel.net)

### What is this bug, exactly?

It is an authentication bypass in cPanel & WHM's login flow. The short version is that the service can be tricked into writing attacker-controlled data into a session file before login fully completes. If that file gets poisoned with valu[…]e access to the control panel, and Rapid7 notes the CVSS 3.1 score is 9.8. (nvd.nist.gov)

### Why are ports 2083 to 2096 the focus?

Because those are the doors attackers actually knock on. cPanel listens on 2083 and WHM on 2087 for HTTPS (2082 and 2086 are their plain-HTTP counterparts), and Webmail sits on 2095 and 2096. If those ports are reachable from the public internet, the vulnerable login flow is reachable too. That is why the emergency advice is to block public access to the panel first and sort out the upgrade second. (rapid7.com)

### Which versions are fixed?

cPanel's advisory now lists patched builds across supported branches, including 11.86.0.41+, 11.110.0.97+, 11.118.0.63+, 11.124.0.35+, 11.126.0.54+, 11.130.0.19+, 11.132.0.29+, 11.134.0.20+, and 11.136.0.5+. There is also a direct update for older CentOS 6 or CloudLinux 6 systems on 110[…]r is actually on a fixed build and then hard-restarting `cpsrvd` after the update. (support.cpanel.net)

### Why is everyone acting like this is already burning?

Because it is. CISA added CVE-2026-41940 to KEV on May 1, 2026, meaning there is evidence of real-world exploitation. Rapid7 also flagged active exploitation and pointed to public technical analysis and proof-of-concept […] on the open internet. (cisa.gov)

### Why is WHM compromise worse than a normal web bug?

Because WHM is not just another app. It is the admin console for the whole host. If an attacker lands there, they can pivot into account control, site files, mail settings, databases, and often root-level operations. On shared hosting, that can tu[…]uery could surface roughly 1.5 million exposed cPanel instances that may be vulnerable. (rapid7.com)

### What should operators do right now?

Patch first. If patching is delayed even briefly, block inbound access to the panel ports at the firewall and allow only trusted admin IPs. Then verify the running version, restart `cpsrvd`, and check for indicators of compromise in session files using cPanel's detection guidance […]ul reminder not to treat one noisy hit as proof by itself. (support.cpanel.net)

### What is the bottom line?

This is one of those rare bugs where the defensive advice is simple because the blast radius is huge. If your cPanel or WHM interface is internet-exposed and not on a fixed version, assume the window for safe delay is over. Block the ports, patch, restart the service, and review for compromise right away. (support.cpanel.net)
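The operator steps above (check the running build against the fixed builds, lock the panel ports down to admin networks, hard-restart `cpsrvd`) as one script. This is an added example, not cPanel's own tooling or anything from the advisory. It assumes the build string lives in `/usr/local/cpanel/version` in the form `11.<branch>.<patch>.<build>`, that `nft` is installed and accepts a ruleset on stdin via `-f -`, and that `/scripts/restartsrv_cpsrvd` accepts `--hard` (check `--help` on your build). The branch-to-build table is copied from the version list quoted in this article; branches not in that list are reported as unknown rather than assumed fixed. Without `--apply` the ruleset is only printed, so it can be reviewed before it touches the firewall.

```shell
#!/bin/sh
# Added example, not cPanel code. Check build, emit/apply a panel-port lockdown,
# optionally hard-restart cpsrvd. Assumed paths: /usr/local/cpanel/version,
# /scripts/restartsrv_cpsrvd --hard, nft -f - (ruleset read from stdin).

# Minimum fixed build per branch, as listed in the article (branch:build).
CPANEL_FIXED_BUILDS="86:41 110:97 118:63 124:35 126:54 130:19 132:29 134:20 136:5"

# 2082/2083 cPanel, 2086/2087 WHM, 2095/2096 Webmail (HTTP/HTTPS pairs).
CPANEL_PANEL_PORTS="2082, 2083, 2086, 2087, 2095, 2096"

# cpanel_patch_status VERSION -> prints patched | vulnerable | unknown-branch | malformed
# Exit status is 0 only for "patched", so it can gate lifting the lockdown.
cpanel_patch_status() {
  ver="$1"
  oldifs=$IFS; IFS=.; set -- $ver; IFS=$oldifs
  if [ $# -ne 4 ] || [ "$1" != 11 ]; then echo malformed; return 2; fi
  for f in "$@"; do
    case "$f" in ''|*[!0-9]*) echo malformed; return 2 ;; esac
  done
  branch=$2; patch=$3; build=$4
  for entry in $CPANEL_FIXED_BUILDS; do
    fixed_branch=${entry%%:*}; fixed_build=${entry#*:}
    if [ "$branch" -eq "$fixed_branch" ]; then
      # Fixed at <branch>.0.<fixed_build>; anything later in the branch is fixed too.
      if [ "$patch" -gt 0 ] || [ "$build" -ge "$fixed_build" ]; then
        echo patched; return 0
      fi
      echo vulnerable; return 1
    fi
  done
  echo unknown-branch; return 2   # not in the list: do not assume it is fixed
}

# cpanel_lockdown_ruleset ADMIN_CIDR... -> prints an nftables ruleset that accepts
# the panel ports only from the admin networks and drops them from everyone else.
# Other traffic is untouched (policy accept, own table). IPv6 clients hit the
# drop rule, which is the safe default until you add an ip6 set for them.
cpanel_lockdown_ruleset() {
  [ $# -gt 0 ] || { echo "need at least one admin CIDR" >&2; return 1; }
  allow=""
  for cidr in "$@"; do allow="${allow:+$allow, }$cidr"; done
  cat <<EOF
table inet cpanel_lockdown {
  set admin_allow {
    type ipv4_addr
    flags interval
    elements = { $allow }
  }
  chain input {
    type filter hook input priority -10; policy accept;
    tcp dport { $CPANEL_PANEL_PORTS } ip saddr @admin_allow accept
    tcp dport { $CPANEL_PANEL_PORTS } drop
  }
}
EOF
}

# Usage: sh cpanel_lockdown.sh [--apply] [--restart] ADMIN_CIDR...
main() {
  apply=0; restart=0
  while [ $# -gt 0 ]; do
    case "$1" in
      --apply) apply=1 ;;
      --restart) restart=1 ;;
      *) break ;;
    esac
    shift
  done
  if [ -r /usr/local/cpanel/version ]; then
    ver=$(cat /usr/local/cpanel/version)
    echo "cPanel & WHM $ver: $(cpanel_patch_status "$ver")"
  else
    echo "cannot read /usr/local/cpanel/version; treat the host as unpatched" >&2
  fi
  if [ $# -gt 0 ]; then
    if [ "$apply" -eq 1 ]; then
      cpanel_lockdown_ruleset "$@" | nft -f -   # assumed: nft reads ruleset from stdin
    else
      cpanel_lockdown_ruleset "$@"              # review first, then re-run with --apply
    fi
  fi
  # The advisory asks for a hard restart of cpsrvd once the fixed build is installed.
  if [ "$restart" -eq 1 ]; then /scripts/restartsrv_cpsrvd --hard; fi
  return 0
}

main "$@"
```

The lockdown is deliberately a separate `inet` table with its own chain at priority -10, so it takes effect before any existing filter chains and can be removed later with `nft delete table inet cpanel_lockdown` once `cpanel_patch_status` reports `patched`. A version outside the listed branches is reported as `unknown-branch` on purpose: the article only says newer branches have fixed builds, not which build numbers.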