"Successful exploits have been seen in the wild," KnownHost reported the day the flaw was disclosed — and the company’s CEO added the first execution attempts were observed as early as 2/23/2026. That blunt timeline frames a fast-moving vulnerability that has already forced vendors and hosting providers into emergency mitigation.
Scope and timeline: CVE-2026-41940, late February attempts, April 28 fix
The defect is tracked as CVE-2026-41940. KnownHost said exploitation attempts began in late February; CEO Daniel Pearson specified execution attempts as early as February 23, 2026. cPanel released an official fix on April 28, 2026, following pressure from hosting providers. Namecheap temporarily blocked inbound connections to cPanel and WHM ports 2083 and 2087 until patches were available.
Technical root cause: CRLF injection into login and session loading
Offensive security company watchTowr published technical details showing the vulnerability is a Carriage Return Line Feed (CRLF) injection in the login and session loading processes of cPanel & WHM. watchTowr reports the bug stems from improper session handling: user-controlled input from the Authorization header is written into server-side session files before authentication and without proper sanitization. Their analysis demonstrates how the bug can be triggered to log into the system without validating the provided password — a sequence that can be used to develop working exploits.
Scale and impact: 1.5 million exposed cPanel instances and host takeover risk
Rapid7 cited Shodan internet scans that show roughly 1.5 million cPanel instances exposed online. The company noted there is no public data on how many of those are vulnerable to CVE-2026-41940. Rapid7 warned that successful exploitation "grants an attacker control over the cPanel host system, its configurations and databases, and websites it manages."
Patches, mitigations, and detection tools provided
- cPanel published fixed builds and strongly recommends restarting the cpsrvd service after installing fixes. Affected releases and fixed versions listed by the vendor are:
  - cPanel/WHM 11.110.0 → fixed in 11.110.0.97
  - cPanel/WHM 11.118.0 → fixed in 11.118.0.63
  - cPanel/WHM 11.126.0 → fixed in 11.126.0.54
  - cPanel/WHM 11.132.0 → fixed in 11.132.0.29
  - cPanel/WHM 11.134.0 → fixed in 11.134.0.20
  - cPanel/WHM 11.136.0 → fixed in 11.136.0.5
  - WP Squared 11.136.1 → fixed in 11.136.1.7
- If immediate patching is not possible, the vendor recommends at minimum blocking external access to ports 2083, 2087, 2095, and 2096, or stopping the cpsrvd and cpdavd cPanel internal core services.
- cPanel provided a detection script to check for compromise and advised that, if indicators are found, administrators should purge sessions, reset all credentials, audit logs, and investigate persistence mechanisms.
- watchTowr also published a Detection Artifact Generator script to verify whether cPanel and WHM instances are vulnerable to CVE-2026-41940, and released a detailed analysis usable to develop an exploit.
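To turn the fixed-build list above into a fleet check, the following version triage is added here as an example; it is not cPanel's or watchTowr's code, and it assumes the dotted version format major.minor.patch.build (e.g. "11.126.0.31") with the build number as the last component, and the host-to-version mapping is constructed sample data.

```python
"""Triage reported cPanel/WHM and WP Squared versions against the advisory's fixed builds.

Added example, not vendor code. The fixed-build table is copied from the advisory
list on this page; the version format and the status labels are assumptions.
"""

# Release line (major, minor, patch) -> first fixed build, from the vendor list.
FIXED_BUILDS = {
    (11, 110, 0): 97,
    (11, 118, 0): 63,
    (11, 126, 0): 54,
    (11, 132, 0): 29,
    (11, 134, 0): 20,
    (11, 136, 0): 5,
    (11, 136, 1): 7,   # WP Squared 11.136.1
}


def parse_version(text: str) -> tuple:
    """Parse '11.126.0.31' into (11, 126, 0, 31); reject anything but dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a cPanel version string: {text!r}")
    return tuple(int(p) for p in parts)


def patch_status(text: str) -> str:
    """Return 'not_affected', 'patched', 'vulnerable' or 'unknown' for a reported version."""
    v = parse_version(text)
    # The advisory says only versions after 11.40 are affected.
    if v[:2] <= (11, 40):
        return "not_affected"
    if len(v) < 4:
        return "unknown"          # no build number, so it cannot be judged against a fixed build
    line, build = v[:3], v[3]
    fixed = FIXED_BUILDS.get(line)
    if fixed is None:
        return "unknown"          # release line not in the advisory list: escalate, do not assume
    return "patched" if build >= fixed else "vulnerable"


def triage(hosts: dict) -> dict:
    """Group hostnames by patch status so unpatched and unknown hosts surface first."""
    groups: dict = {"vulnerable": [], "unknown": [], "patched": [], "not_affected": []}
    for host, version in hosts.items():
        groups[patch_status(version)].append(host)
    return groups


# Constructed sample inventory, not real hosts.
SAMPLE_HOSTS = {"web1.example": "11.126.0.31", "web2.example": "11.136.0.5",
                "wp1.example": "11.136.1.6", "old1.example": "11.128.0.10"}
```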
What this means for technologists, hosting providers, and site owners
- Technologists and security teams: run the vendor detection script and watchTowr’s artifact generator, install the matching fixed build for your release, then restart the cpsrvd service; if compromise indicators appear, follow the vendor’s recommended steps to purge sessions, reset credentials, and audit for persistence.
- Hosting providers and managed-WordPress vendors: consider the temporary blocking measures Namecheap used (blocking 2083/2087) or stopping cpsrvd/cpdavd until patches are applied; note that cPanel’s advisory was updated to confirm WP Squared is also impacted and that only cPanel versions after 11.40 are affected.
- Site owners and administrators using WP Squared: verify that your WP Squared instance is updated to the fixed version (11.136.1.7 where applicable) and follow provider guidance on service restarts and credential resets.
Conclusion
Public technical details and a proof-of-concept pathway have combined with observed exploitation attempts dating to February 23, 2026, to create immediate operational risk for exposed cPanel and WP Squared installations. With roughly 1.5 million cPanel instances visible on the internet and no public count of which are vulnerable, the concrete response follows directly from the vendor guidance: apply the listed fix for your release, restart cpsrvd, run the provided detection tools, and apply the fallback network or service mitigations if patching cannot be completed immediately.
Original reporting: https://www.bleepingcomputer.com/news/security/critical-cpanel-and-whm-bug-exploited-as-a-zero-day-poc-now-available/