
cPanel vulnerability exploited in wild, CISA warns

Rapid7’s internet scans identified roughly 1.5 million cPanel instances exposed online, and any of them that remains unpatched can now be opened without a password. The flaw, tracked as CVE-2026-41940, has been assigned a 9.8 CVSS score and is confirmed to be exploited in the wild.

How CVE-2026-41940 lets attackers bypass authentication

Technical analysis published by cybersecurity firm watchTowr attributes the vulnerability to improper handling of user input during the login process. cPanel writes request data into a server-side session file before verifying the user’s identity. An attacker can embed hidden line breaks into the password field — characters cPanel fails to strip out — and thereby inject arbitrary data into the session file. A follow-up, deliberately malformed request promotes that injected data into the session’s active cache, where cPanel reads it as legitimate. Once the session is treated as already authenticated, the system skips password verification entirely, granting access without checking the user’s credentials.
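To make that chain concrete, here is an added example; it is not cPanel's code and is not taken from watchTowr's analysis. A toy session store writes request fields to a key=value file before checking identity, a loader reads the file back, and a login routine skips the password check when the session already carries an authentication timestamp. The file format, the field names `user`, `pass` and `auth_ts`, and the "authenticated if a timestamp is present" rule are assumptions made for illustration. The hardened writer shows the shape of the fix described in the patch section below: scrubbing CR/LF inside the core save routine rather than at each call site.

```python
"""Toy reproduction of the session-file newline-injection pattern.

Constructed example, not cPanel's code: the on-disk format (one key=value
per line), the field names and the 'authenticated if an auth timestamp is
present' rule are assumptions made for illustration.
"""
import os
import tempfile

# Assumed session-file field whose presence marks a session as authenticated.
AUTH_TS_FIELD = "auth_ts"


def save_session_vulnerable(path, fields):
    """Write request data to the session file BEFORE any identity check.

    Nothing is scrubbed, so a value containing a line break becomes extra
    lines, and therefore extra keys, when the file is read back.
    """
    with open(path, "w", encoding="utf-8") as fh:
        for key, value in fields.items():
            fh.write(f"{key}={value}\n")


def scrub(value):
    """Remove CR and LF so a value can never terminate its own line."""
    return value.replace("\r", "").replace("\n", "")


def save_session_hardened(path, fields):
    """Same writer, but the core save routine scrubs every key and value
    itself instead of trusting each caller to have done so."""
    with open(path, "w", encoding="utf-8") as fh:
        for key, value in fields.items():
            fh.write(f"{scrub(key)}={scrub(value)}\n")


def load_session(path):
    """Parse key=value lines; a later duplicate key overrides an earlier one."""
    session = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if "=" in line:
                key, value = line.split("=", 1)
                session[key] = value
    return session


def login(session, check_password):
    """Mimics the bypassed check: a session that already looks authenticated
    skips password verification entirely."""
    if AUTH_TS_FIELD in session:
        return True  # trusted because it came from the session cache
    return check_password(session.get("user"), session.get("pass"))


def demo(writer):
    """Run the attacker's login through the given writer and report whether
    a wrong password was accepted."""
    # Constructed malicious request: the password field carries a line break
    # followed by a forged authentication timestamp.
    request = {"user": "victim", "pass": "wrong\n" + AUTH_TS_FIELD + "=1700000000"}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "session")
        writer(path, request)
        session = load_session(path)
    # The real check: the attacker never supplies the correct password.
    return login(session, lambda user, pw: pw == "correct-horse-battery")


if __name__ == "__main__":
    print("vulnerable writer accepted bad password:", demo(save_session_vulnerable))
    print("hardened writer accepted bad password:", demo(save_session_hardened))
```

With the vulnerable writer the forged `auth_ts` line is parsed as a real session attribute and `login` returns `True` without ever calling the password check; with the hardened writer the line break is removed, the forged timestamp stays inside the password value, and the check runs and fails.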

Rapid7 scans: roughly 1.5 million exposed cPanel instances

Internet-wide scans conducted by Rapid7 using the Shodan search engine identified approximately 1.5 million cPanel instances exposed online, though the precise number of systems vulnerable to CVE-2026-41940 remains unknown. The presence of that many exposed instances underlines broad potential impact, and hosting providers have reported real-world exploitation prior to a patch being available.

Detection artifacts from cPanel and watchTowr

cPanel published a detection script intended to scan session files for indicators of compromise. The script looks for sessions containing injected authentication timestamps, pre-authentication sessions with authenticated attributes, and password fields containing embedded newlines. watchTowr separately released a “Detection Artifact Generator” administrators can use to verify whether their instances remain vulnerable.
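As an added illustration, and not cPanel's detection script or watchTowr's generator, the following Python scans a directory of session files for the three indicator classes listed above. The on-disk layout (one key=value per line), the field names `stage`, `pass` and `auth_ts`, the heuristics used for each indicator, and the sample session files it constructs are all assumptions; against real session files the parser has to be adapted to their actual format.

```python
"""Scan session files for the three indicator classes a detection script
would look for: embedded newlines in the password field, authenticated
attributes on a pre-authentication session, and injected auth timestamps.

Constructed example, not cPanel's or watchTowr's tooling. File layout,
field names, heuristics and sample sessions are assumptions.
"""
import os
import re
import tempfile

STAGE_FIELD = "stage"            # assumed: 'preauth' or 'auth'
PASS_FIELD = "pass"              # assumed: submitted password as stored
AUTH_TS_FIELD = "auth_ts"        # assumed: epoch seconds of successful login
AUTH_ATTRIBUTES = (AUTH_TS_FIELD, "authenticated_user")
# A raw CR, or a percent-encoded CR/LF, surviving inside a stored value.
ENCODED_NEWLINE = re.compile(r"%0[aAdD]|[\r\n]")

# Constructed sample session files (name -> raw contents).
SAMPLES = {
    "clean_preauth": "stage=preauth\nuser=alice\npass=hunter2\n",
    "clean_auth": "stage=auth\nuser=bob\nauth_ts=1700000000\n",
    # Newline in the password split the line, planting auth_ts on a preauth session.
    "injected": "stage=preauth\nuser=victim\npass=wrong\nauth_ts=1700000001\n",
    # Legitimate timestamp plus an attacker-supplied duplicate after 'pass='.
    "duplicate": "stage=auth\nuser=carol\nauth_ts=1700000000\npass=wrong\nauth_ts=1700009999\n",
    # Percent-encoded newline kept inside the stored password value.
    "encoded": "stage=preauth\nuser=dave\npass=wrong%0Aauth_ts%3D1700000000\n",
}


def indicators_for(path):
    """Return the indicator names found in one raw session file."""
    with open(path, encoding="utf-8", newline="") as fh:
        raw = fh.read()
    lines = [ln for ln in raw.split("\n") if ln]        # keep '\r' inside values
    pairs = [ln.split("=", 1) for ln in lines if "=" in ln]
    keys = [k for k, _ in pairs]
    session = dict(pairs)
    found = []

    # Indicator 1: password field with an embedded line break. A bare LF has
    # already split the line by the time we read the file, so an auth
    # attribute immediately after 'pass=' is treated as the trace of one.
    for i, (key, value) in enumerate(pairs):
        if key != PASS_FIELD:
            continue
        next_key = keys[i + 1] if i + 1 < len(keys) else None
        if ENCODED_NEWLINE.search(value) or next_key in AUTH_ATTRIBUTES:
            found.append("newline_in_password")
            break

    # Indicator 2: pre-authentication session carrying authenticated attributes.
    if session.get(STAGE_FIELD) == "preauth" and any(a in session for a in AUTH_ATTRIBUTES):
        found.append("preauth_session_with_auth_attributes")

    # Indicator 3: injected auth timestamp, seen as a duplicated key or a
    # value that is not a plain epoch integer.
    ts_values = [v for k, v in pairs if k == AUTH_TS_FIELD]
    if len(ts_values) > 1 or any(not v.isdigit() for v in ts_values):
        found.append("injected_auth_timestamp")
    return found


def scan_session_dir(directory):
    """Map each flagged session file name to its list of indicators."""
    report = {}
    for name in sorted(os.listdir(directory)):
        hits = indicators_for(os.path.join(directory, name))
        if hits:
            report[name] = hits
    return report


def build_sample_sessions(directory):
    """Write the constructed SAMPLES into directory, byte for byte."""
    for name, text in SAMPLES.items():
        with open(os.path.join(directory, name), "w", encoding="utf-8", newline="") as fh:
            fh.write(text)


def demo():
    """Build the samples in a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_sessions(tmp)
        return scan_session_dir(tmp)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {', '.join(hits)}")
```

The two clean samples produce no indicators; the three tampered ones are each flagged, and a session can trip more than one check at once, which is the expected pattern for the injection described above (a line break in the password that both splits the field and plants an authentication attribute).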

cPanel patch, Namecheap mitigation, and KnownHost sightings

cPanel released fixed builds across seven version branches, from 11.110.0 through 11.136.0, and for WP Squared version 11.136.1. The company said the fix ensures potentially dangerous input is scrubbed automatically within the core session-saving process rather than relying on each part of the codebase to do so independently. The patch also adds handling for cases where a per-session encryption key is missing, a condition the original code failed to account for and that attackers used to bypass password encoding entirely.

Before the patch was available, some providers took defensive steps. Namecheap temporarily blocked connections to cPanel and WHM ports 2083 and 2087, saying the action was necessary to protect customers while an official fix was pending; the company began applying the patch after cPanel’s release. KnownHost, a hosting provider that relies on cPanel, reported that successful exploits had been observed in the wild prior to any fix being made available. The Cybersecurity and Infrastructure Security Agency added CVE-2026-41940 to its Known Exploited Vulnerabilities (KEV) list on Thursday.

What this means for system administrators, hosting providers, and CISA

  • System administrators and security teams: scan session files immediately using cPanel’s detection script or watchTowr’s generator, apply patched releases covering branches 11.110.0–11.136.0 (and WP Squared 11.136.1), and look specifically for injected authentication timestamps and embedded newlines in password fields.
  • Hosting providers such as Namecheap and KnownHost: consider short-term network mitigations (for example, blocking cPanel/WHM ports) while patches are deployed, and review incident telemetry since KnownHost observed exploitation before a fix was released.
  • CISA and regulators: with the CVE added to the KEV list, prioritize outreach and notification to organizations running cPanel/WHM and WP Squared instances, given the high CVSS score and documented in-the-wild exploitation.

The technical chain described by watchTowr — writing untrusted input into a session file before authentication, injecting hidden line breaks, and promoting that data into an active session cache — is a compact and efficient attack path. cPanel’s multi-branch patch and the accompanying detection scripts narrow the window for exploitation, but the large number of exposed instances and reports of successful pre-patch intrusions leave the exact scope of compromise uncertain.

Administrators should prioritize detection and patching now; for the broader community, the immediate question is how many of those roughly 1.5 million exposed cPanel instances have been remediated versus how many remain susceptible to an attack that bypasses password checks entirely.

Source: CyberScoop