cPanel/WHM authentication‑bypass being actively exploited in the wild

- cPanel pushed emergency fixes on April 28 after confirming CVE-2026-41940, an authentication-bypass in cPanel, WHM, DNSOnly, and WP Squared, was already being exploited. (support.cpanel.net)
- The bug is as bad as it sounds — pre-auth, network-reachable, CVSS 9.8 — and patched builds start at 11.110.0.97 and 11.136.0.5. (nvd.nist.gov)
- Hosting providers blocked ports 2083 and 2087 while patching, which tells you the real lesson: internet-exposed control planes need instant containment plans. (malwarebytes.com)

cPanel and WHM are the admin dashboards that run a huge slice of shared web hosting. If you can get into them, you do not just get a website — you can get the server, the mail, the (support.cpanel.net)8, pushed emergency patches, and within two days CISA had added it to the Known Exploited Vulnerabilities list because attackers were already using it in the wild. (support.cpanel.net)

### What actually broke?

The login flow brok(malwarebytes.com)NVD’s description is blunt — unauthenticated remote attackers could gain unauthorized access to the control panel. In plain English, the front door check could be tricked into treating an attacker like a valid user. (support.cpanel.net)

### Why is that worse than a normal web bug?

Because WHM is not just “an admin page.” WHM is the root-level control plane used by hosting (support.cpanel.net)dors are treating this as potential server takeover, not a narrow login issue. (malwarebytes.com)

### How did the bypass work?

The public technical writeups describe a chain, not one single typo. The exploit abused session handling — including a CRLF injection into session data, (support.cpanel.net) do not need the exploit code to get the point: the attacker could manufacture trust before authentication had really happened. (picussecurity.com)

### Were attackers already using it?

Yes — and that is the part that changes this from “patch soo(malwarebytes.com)ack to late February 2026, which means defenders were behind the attackers for roughly two months before the April 28 patch. CISA’s KEV addition on April 30 is basically the government version of “this is real.” (support.cpanel.net)

### What did hosting companies do first?

Some of them did the simplest smart thing — they cut off acces(picussecurity.com)ing could catch up. Malwarebytes says Namecheap, HostGator, and KnownHost all restricted interfaces while they worked through updates. That move matters because it shows the right instinct for control-plane emergencies: contain first, restore later. (namecheap.com)

### Which versions are fixed?

cPanel’s patched builds include 11.86.0.41, (support.cpanel.net)Panel also warned that pinned versions and disabled auto-update settings would not save themselves, and it told admins to restart `cpsrvd` after upgrading. (support.cpanel.net)

### What should defenders take from this?

The lesson is bigger than cPanel. Internet-facing admin surfaces are special — they need prebuilt kill switches, firewall rules, and a way to pull (namecheap.com)083, 2087, 2095, and 2096 or stopping the relevant services. Basically, if your control plane is public, your containment plan has to be rehearsed before the advisory drops. (support.cpanel.net)

### Bottom line?

This was not just another patch T(support.cpanel.net) log review — but the lasting takeaway is architectural: the fewer admin interfaces you expose to the internet, the fewer crisis weekends you end up having. (support.cpanel.net)
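The two defender tasks the briefing describes, checking the installed build against the patched builds and fencing off the exposed service ports, as an added example that is not cPanel's advisory or any hosting provider's tooling. The patched-build table holds only the three builds quoted above; reading the build from `/usr/local/cpanel/version` and the admin network range are assumptions.

```shell
#!/bin/sh
# Added example, not cPanel's own tooling: classify an installed cPanel/WHM
# build against the first patched builds the briefing quotes for
# CVE-2026-41940, and print containment rules for the exposed service ports.

# Branch -> first patched build, as quoted in the briefing. Any branch not
# listed is reported as "unknown", never as "patched".
patched_build_for_branch() {
    case "$1" in
        11.86)  echo "11.86.0.41" ;;
        11.110) echo "11.110.0.97" ;;
        11.136) echo "11.136.0.5" ;;
        *)      return 1 ;;
    esac
}

# Numeric, field-by-field comparison of dotted versions (string comparison
# would rank 11.110.0.9 above 11.110.0.97). Returns 0 if $1 >= $2.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a="" || a=${a#*.}
        [ "$b" = "$y" ] && b="" || b=${b#*.}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# Prints one of: patched | vulnerable | unknown
cpanel_patch_status() {
    branch=$(printf '%s' "$1" | cut -d. -f1,2)
    min=$(patched_build_for_branch "$branch") || { echo unknown; return 0; }
    if version_ge "$1" "$min"; then echo patched; else echo vulnerable; fi
}

# Emit (do not apply) iptables rules that drop traffic to the cPanel, WHM and
# webmail ports named in the briefing unless it comes from an admin network.
containment_rules() {
    admin_net="${1:-203.0.113.0/24}"   # placeholder range, not a real value
    for p in 2083 2087 2095 2096; do
        echo "iptables -I INPUT -p tcp --dport $p ! -s $admin_net -j DROP"
    done
}

# Stand-alone use; the version file path is an assumption.
if [ -r /usr/local/cpanel/version ]; then
    v=$(cat /usr/local/cpanel/version); echo "installed $v: $(cpanel_patch_status "$v")"
fi
```

Pipe the emitted rules through review before applying them, and remember the briefing's other step: restart `cpsrvd` after the upgrade, since an old build can keep serving until it is restarted.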


Shared from Scout - Be the smartest in the room.