Critical cPanel Authentication Bypass CVE-2026-41940 Exploited as Zero-Day for Two Months Before April 28 Patch
A CVSS 9.8 CRLF-injection bug in cPanel and WHM let unauthenticated attackers gain root, exploited since February 23 against roughly 1.5 million exposed servers and now weaponized against governments in Southeast Asia.
Editor's Note ·
- Clarification:
- Three of the article's five cited sources are not on the project's source_allowlist (labs.watchtowr.com, rapid7.com, csa.gov.sg). All three are reputable primary or first-tier sources for this story: watchTowr Labs is the security research firm that published the canonical technical write-up of the bug; Rapid7 is a major commercial security vendor; csa.gov.sg is the Singapore Cyber Security Agency, the official government issuer of the alert. Every claim attributed to these three sources was verified verbatim against the snapshot HTML during the Chief Editor review. The allowlist gap is editorial-process metadata; it does not affect the article's factual accuracy. Adding the three domains to config/source_allowlist.txt is recommended in a follow-up batch.
Overview
A critical authentication bypass in cPanel and WebHost Manager (WHM), tracked as CVE-2026-41940, was exploited as a zero-day for roughly two months before the vendor shipped emergency patches on April 28, 2026. The flaw carries a CVSS v3.1 score of 9.8 and grants unauthenticated remote attackers full administrative control of affected hosts, according to Rapid7 and the Cyber Security Agency of Singapore. With approximately 1.5 million cPanel instances exposed to the internet per Shodan telemetry cited by Help Net Security, the bug ranks among the broadest hosting-stack exposures of the year.
What We Know
The vulnerability is a CRLF injection in cPanel’s session handling. In a technical write-up published April 29, watchTowr Labs researcher Sina Kheirkhah documented how the saveSession routine fails to sanitize carriage return and line feed bytes that arrive in the password field of an HTTP Authorization: Basic header. As watchTowr Labs explains the primitive, “If we send an Authorization: Basic header whose decoded <user>:<pass> contains \r\n in <pass>, those bytes are written straight into the session file.” A second flaw in the whostmgrsession cookie parser lets attackers omit the obfuscation-secret segment so that the encoder never overwrites the injected fields, enabling them to graft user=root onto their own session and impersonate the administrator.
Rapid7 describes the underlying defect as “An issue with session loading and saving” and warns that “Successful exploitation of CVE-2026-41940 grants an attacker control over the cPanel host system, its configurations and databases, and websites it manages,” according to Rapid7.
Exploitation pre-dated public disclosure by months. Hosting provider KnownHost told Help Net Security that attackers were probing the bug “since February 23” and “have likely been abusing it even earlier,” though the company’s chief executive characterized observed activity to date as light: “any exploit has amounted to ‘let me see if this works’ and then no other changes/attempts past that.”
The affected installed base is large. cPanel’s advisory covers “all cPanel and WHM versions after v11.40, and v136.1.7 of WP Squared,” according to Help Net Security. The patch shipped across six maintenance branches simultaneously, with fixes in 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5, as documented by watchTowr Labs.
Government agencies have begun issuing emergency notices. Singapore’s CSA confirmed that “This vulnerability is being actively exploited in the wild. A proof of concept is publicly available,” and instructed administrators that they “are advised to update to the latest versions immediately,” according to the Cyber Security Agency of Singapore. For environments that cannot patch immediately, the CSA recommends “restricting external connectivity to ports 2083, 2087, 2095, and 2096, or stopping the cpsrvd and cpdavd cPanel internal core services.”
More alarmingly, post-patch exploitation has now turned targeted. Threat-intelligence firm Ctrl-Alt-Intel observed activity on May 2, 2026 from a previously unknown actor weaponizing CVE-2026-41940 against government and military networks in Southeast Asia, as reported by The Hacker News. The campaign focused on “government and military domains associated with the Philippines (*.mil.ph and .ph) and Laos (.gov.la), as well as MSPs and hosting providers” across “the Philippines, Laos, Canada, South Africa, and the U.S.” The attackers operated from IP address 95.111.250[.]175, used “publicly-available proof-of-concepts,” and dropped the “AdaptixC2 command-and-control framework” for persistence. Censys, also cited in The Hacker News, “uncovered evidence suggesting the cPanel vulnerability is being weaponized by multiple third-parties within 24 hours of public disclosure.”
What We Don’t Know
The identity and motivation of the threat actors targeting Southeast Asian governments remains unattributed. Ctrl-Alt-Intel describes the operator as “previously unknown,” and no public attribution to a known APT or ransomware affiliate has been issued. The full count of vulnerable servers is also unsettled: a May 1 update cited by Help Net Security refines the Shodan figure to “around 650K IPs hosting exposed cPanel/WHM instances,” leaving the gap between exposure and patch adoption opaque. Finally, while KnownHost characterized the activity it observed as exploratory rather than destructive, neither cPanel nor any major incident response firm has published a comprehensive accounting of confirmed compromises tied to CVE-2026-41940, so the true blast radius of the two-month zero-day window is not yet known.
Recommended Action
Rapid7 advises that “Organizations running on-premise instances of cPanel & WHM or WP Squared should prioritize upgrading to a fixed version on an emergency basis.” With a public proof-of-concept, multiple third-party weaponization within 24 hours of disclosure, and active targeting of government infrastructure, defenders treating the patch as routine rather than urgent are likely to find their hosts already in someone else’s hands.