cPanel auth bypass hits 44,000 servers
- cPanel rushed out fixes after attackers actively abused CVE-2026-41940, a pre-auth login bypass in cPanel and WHM, to seize admin access on hosting servers.
- The clearest signal is scale: Shadowserver tied roughly 44,000 unique IPs to scanning, exploit attempts, or brute-force activity linked to the campaign.
- This matters because one cPanel host can control many websites, databases, and mailboxes, so one bypass can become mass compromise.
Web hosting control panels are supposed to be the lock on the front door. This bug turned out to be a way around the lock entirely. CVE-2026-41940 let attackers reach cPanel and WHM without valid credentials, and once in, they could control the server, its settings, and the sites behind it. cPanel shipped emergency fixes on April 28, 2026, but the ugly part is that exploitation appears to have started back on February 23 and then accelerated fast after disclosure.

### What is cPanel, exactly?

cPanel and WHM are the dashboards a huge chunk of the web uses to manage Linux hosting: websites, email, databases, DNS, backups, the whole stack. That is why this is bigger than "one server got popped." A single exposed cPanel box can sit in front of dozens or hundreds of customer sites, especially in shared hosting. Censys also notes that exposed cPanel infrastructure is concentrated in a relatively small set of major hosting operators, which means patch speed at a few big companies shapes the internet-wide outcome. (support.cpanel.net)

### What was the bug?

The flaw sat in the login flow. Very roughly, cPanel wrote session data to disk before authentication had finished, and user-controlled data from the Authorization header was not sanitized properly. Researchers showed that CRLF (carriage return, line feed) characters could be injected so that attacker-chosen values landed in the session file as their own entries; the service then reloaded that file and treated the attacker as authenticated. In short, the software let hostile input rewrite the notes it later trusted. (censys.com)

### Why is that such a bad class of bug?

Because this was pre-auth. No stolen password needed. No phishing. No user mistake. If the target exposed cPanel or WHM to the internet and ran a vulnerable build, an attacker could jump straight to administrative access.
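As an added illustration of the bug class (this is not cPanel's code; the session-file layout, field names and the Basic-auth handling are invented for the example), here is a toy login flow that writes a line-oriented session file from an unsanitised `Authorization` username before any password check, beside a hardened version that rejects control characters and uses a structured encoding so a value can never become a new record:

```python
import base64
import json
import os
import re
import tempfile

# Toy model of the bug class, added here as an illustration: it is not
# cPanel's code and the session-file layout is invented for the example.
# The shape follows the description above: session state is written to a
# line-oriented file before the password is checked, using an unsanitised
# value taken from the Authorization header, and the loader then trusts
# every line it reads back.


def parse_basic_auth(header):
    """Return the username from a 'Basic <base64(user:pass)>' header."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("unsupported auth scheme")
    decoded = base64.b64decode(blob).decode("utf-8", "replace")
    user, _, _password = decoded.partition(":")
    return user


def write_session_vulnerable(path, header):
    user = parse_basic_auth(header)
    # BUG: user goes into a newline-delimited key=value file with no check
    # for CR/LF, so a crafted username can smuggle extra lines in.
    with open(path, "w") as f:
        f.write(f"authenticated=0\nuser={user}\n")


def load_session_vulnerable(path):
    """Last line for a key wins, so an injected line overrides the real one."""
    session = {}
    with open(path) as f:
        for line in f.read().splitlines():
            key, sep, value = line.partition("=")
            if sep:
                session[key.strip()] = value.strip()
    return session


def write_session_hardened(path, header):
    user = parse_basic_auth(header)
    # Fix 1: refuse control characters (CR, LF, NUL, ...) from the header.
    if re.search(r"[\x00-\x1f\x7f]", user):
        raise ValueError("control characters in username")
    # Fix 2: use a structured encoding so a value can never become a new
    # record, and never persist an auth flag that a password check has
    # not actually set.
    with open(path, "w") as f:
        json.dump({"user": user, "authenticated": False}, f)


def load_session_hardened(path):
    with open(path) as f:
        return json.load(f)


def is_authenticated(session):
    return session.get("authenticated") in ("1", True)


def login_attempt(writer, loader, username):
    """Drive one pre-auth request through writer/loader. Returns the
    session the server reloads, or None if the request was rejected."""
    header = "Basic " + base64.b64encode(f"{username}:wrong".encode()).decode()
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        writer(path, header)
        return loader(path)
    except ValueError:
        return None
    finally:
        os.unlink(path)


# Constructed attacker input: the username carries CRLF plus a fake field.
INJECTED_USERNAME = "guest\r\nauthenticated=1"

if __name__ == "__main__":
    s = login_attempt(write_session_vulnerable, load_session_vulnerable, INJECTED_USERNAME)
    print("vulnerable:", s, "->", is_authenticated(s))
    s = login_attempt(write_session_hardened, load_session_hardened, INJECTED_USERNAME)
    print("hardened:", s)
```

The vulnerable path needs no valid password at all: the injected `authenticated=1` line lands after the server's own `authenticated=0` and wins on reload. The hardened path fails closed on the control characters, and even a clean username only ever produces `authenticated: false` until a real credential check flips it.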
Rapid7's estimate, echoed in coverage of the incident, put the internet-exposed cPanel population at roughly 1.5 million instances, so even a modest hit rate gives attackers a very large hunting ground. (bleepingcomputer.com)

### How widespread did exploitation get?

The strongest public number came from Shadowserver. It said about 44,000 unique IPs were tied to the cPanel spike it saw scanning, running exploits, or brute-forcing against its honeypot sensors. That does not mean 44,000 hosts were forensically confirmed as compromised, but it does tell you this was not a niche campaign. SecurityWeek said most affected systems were in the US, with France and the Netherlands next. (securityweek.com)

### What did attackers do after getting in?

At least two playbooks showed up quickly. One path dropped Mirai variants. The other deployed a Linux ransomware strain called Sorry that appended ".sorry" to encrypted files and left a README.md ransom note with a Tox contact. Censys saw thousands of cPanel hosts exposing encrypted files in open directories, a stark sign that automation kicked in fast. (securityweek.com)

### Which versions were fixed?

cPanel says all versions after 11.40 were affected. The patched builds are 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, and 11.136.0.5, plus WP Squared 136.1.7. cPanel also told admins to force an update and then hard-restart the `cpsrvd` service so the fix actually takes hold; until that restart the long-running daemon can still be executing the old code. (censys.com)

### Why did this snowball so fast?

Two reasons. First, attackers were likely already exploiting it before the patch landed. Second, technical writeups and proof-of-concept material appeared almost immediately after disclosure, which lowered the bar for copycat crews. Censys said the vulnerability looked weaponized by multiple third parties within 24 hours, and providers such as Namecheap temporarily blocked access to some hosts during the patch window just to buy time.
(support.cpanel.net)

### What's the bottom line?

This was a control-plane failure, not just another website bug. If you run cPanel or WHM, patching was only step one. You also need to check for compromise, because the same bug that let attackers in also gave them room to drop malware, encrypt data, and pivot across every site that server managed. (support.cpanel.net) (censys.com)
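For the fixed-versions list and the "patching was only step one" point above, here is an added post-patch triage script written for this page (it is not a cPanel tool). It compares an installed version string against the fixed builds named above, branch by branch, and walks a directory tree for the ".sorry" suffix and README.md notes sitting next to encrypted files, which is how the Sorry ransomware is described above. Assumptions: the version file path `/usr/local/cpanel/version`, the function names, and the sample directory tree are all constructed for the example, and the README.md heuristic only flags notes beside encrypted files, so it is a starting point for an investigation, not proof either way.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Fixed builds named in the article, keyed by cPanel branch (the second
# dotted component). WP Squared 136.1.7 is a separate product line and is
# not covered by this check.
FIXED_BUILDS = {
    110: (11, 110, 0, 97),
    118: (11, 118, 0, 63),
    126: (11, 126, 0, 54),
    130: (11, 130, 0, 19),
    132: (11, 132, 0, 29),
    134: (11, 134, 0, 20),
    136: (11, 136, 0, 5),
}


def parse_version(text):
    """'11.110.0.97' -> (11, 110, 0, 97); raises ValueError on anything else."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected cPanel version string: {text!r}")
    return parts


def patch_status(version):
    """Return 'patched', 'vulnerable' or 'no-fix-listed' for a version string."""
    v = parse_version(version)
    fixed = FIXED_BUILDS.get(v[1])
    if fixed is None:
        # Branch absent from the fix list: treat as unpatched until confirmed.
        return "no-fix-listed"
    return "patched" if v >= fixed else "vulnerable"


def installed_version(version_file="/usr/local/cpanel/version"):
    """Read the version string cPanel keeps on disk (path is an assumption).
    This shows what is installed, not what cpsrvd is currently running,
    which is why the article says to hard-restart cpsrvd after updating."""
    return Path(version_file).read_text().strip()


RANSOM_SUFFIX = ".sorry"
RANSOM_NOTE = "README.md"


def find_ransomware_artifacts(root):
    """Walk root and report files with the '.sorry' suffix plus README.md
    notes that sit in the same directory as encrypted files."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        hit = [f for f in files if f.endswith(RANSOM_SUFFIX)]
        if not hit:
            continue
        encrypted.extend(os.path.join(dirpath, f) for f in hit)
        if RANSOM_NOTE in files:
            notes.append(os.path.join(dirpath, RANSOM_NOTE))
    return {"encrypted": sorted(encrypted), "notes": sorted(notes)}


def triage(version, root):
    """One-shot report: patch status plus ransomware artifacts under root."""
    return {"patch": patch_status(version), **find_ransomware_artifacts(root)}


def build_sample_tree():
    """Constructed sample: a fake /home layout with one hit directory.
    Returns the temp root; the caller removes it."""
    root = tempfile.mkdtemp()
    clean = Path(root, "alice", "public_html")
    clean.mkdir(parents=True)
    (clean / "index.php").write_text("<?php echo 'ok';")
    (clean / "README.md").write_text("my site")  # legitimate README, no .sorry beside it
    hit = Path(root, "bob", "public_html")
    hit.mkdir(parents=True)
    (hit / "index.php.sorry").write_bytes(b"\x00garbage")
    (hit / "wp-config.php.sorry").write_bytes(b"\x00garbage")
    (hit / "README.md").write_text("constructed note text, contact over Tox")
    return root


def sample_triage(version):
    """Run triage() over the constructed sample tree and clean up after."""
    root = build_sample_tree()
    try:
        return triage(version, root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(sample_triage("11.110.0.96"))
```

On a real host the call is `triage(installed_version(), "/home")`. A `vulnerable` or `no-fix-listed` result means update first and then hard-restart `cpsrvd` as the article says; any entry under `encrypted` should be handled as an incident across every site on that server, not as a cleanup task on one account.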