- Severity: CVSS 9.8 (Critical)
- Affected: cPanel & WHM all versions after v11.40, WP Squared < 136.1.7
- Patched: April 28, 2026 · Exploitation: Confirmed in the wild since ~Feb 23, 2026
Introduction
cPanel & WHM is the control panel stack running behind a significant chunk of the internet’s shared hosting infrastructure. WHM is the server-level admin panel. It controls everything from DNS and SSL certificates to user accounts and server-wide configuration. cPanel sits on top as the per-account interface that end users interact with. Together they serve north of 70 million domains globally.
On April 28, 2026, cPanel published an emergency security advisory for a vulnerability that allows a completely unauthenticated attacker to gain full root access to any exposed WHM server, with no credentials and no user interaction required. At the time of disclosure, roughly 1.5 million cPanel instances were directly exposed to the internet. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog the next day, and active exploitation had already been underway for roughly two months before the patch was ever released.
What Happened
The vulnerability lives inside cPanel’s session handling mechanism. When an attacker sends a specially crafted HTTP request, they can inject malicious data into a server-side session file. Because cPanel trusts that session file as the source of truth for who is logged in and what permissions they have, the injected data gets read back as a fully authenticated root session, bypassing the login, bypassing two-factor authentication, and granting complete control of the server.
The root cause was a sanitization function that was supposed to clean up dangerous characters before writing session data to disk. It existed in the codebase, but it wasn’t being called on every code path that needed it. One path, triggered by a specific type of HTTP request, skipped it entirely. That gap is all it took.
Fig 1: Exploit Chain Overview
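The design lesson in the root cause above is that a sanitizer which callers are expected to invoke will eventually be skipped by one of them. The following Python is an added illustration written for this page, not cPanel’s code and not the watchTowr analysis: it uses a hypothetical line-based session store (one `key=value` field per line, constructed here for the example) to show why a value containing newline characters turns into extra fields when validation is left to the caller, how moving the validation into the single write function closes every path at once, and a small audit routine a defender can run over existing session text to spot the tell-tale duplicate keys.

```python
"""Why a sanitizer that is skipped on one code path is as bad as no sanitizer.

Hypothetical line-based session store (key=value per line), constructed for
this illustration; it is not cPanel's session format.
"""
from __future__ import annotations

import re

# Constructed policy: field names are identifiers; values may not contain control
# characters (newline, carriage return, NUL, ...), because a line-based format uses
# exactly those bytes as field separators.
SAFE_KEY = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def sanitize(key: str, value: str) -> tuple[str, str]:
    """Validate one field. Raise instead of silently stripping so a rejection is visible in logs."""
    if not SAFE_KEY.match(key):
        raise ValueError(f"rejected session key {key!r}")
    if CONTROL_CHARS.search(value):
        raise ValueError(f"rejected control character in value for {key!r}")
    return key, value


def serialize_naive(fields: dict[str, str]) -> str:
    """The defective pattern: the writer assumes every caller already sanitized."""
    return "".join(f"{k}={v}\n" for k, v in fields.items())


def serialize_safe(fields: dict[str, str]) -> str:
    """The fix: validation lives at the single write chokepoint, so no caller can skip it."""
    return "".join(f"{k}={v}\n" for k, v in (sanitize(k, v) for k, v in fields.items()))


def parse(text: str) -> dict[str, str]:
    """Read a session back; a later line overwrites an earlier one, as a naive reader does."""
    session: dict[str, str] = {}
    for line in text.splitlines():
        if line:
            key, _, value = line.partition("=")
            session[key] = value
    return session


def is_root_session(session: dict[str, str]) -> bool:
    """What the server trusts the file to say about the caller."""
    return session.get("authenticated") == "1" and session.get("role") == "root"


def audit_session_text(text: str) -> list[str]:
    """Defender-side check over an existing session file: duplicate keys or malformed
    fields mean something other than the legitimate writer produced the content."""
    findings: list[str] = []
    seen: set[str] = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        key, _, _value = line.partition("=")
        if key in seen:
            findings.append(f"line {lineno}: duplicate key {key!r}")
        seen.add(key)
        if not SAFE_KEY.match(key) or CONTROL_CHARS.search(line):
            findings.append(f"line {lineno}: malformed field {key!r}")
    return findings


# Constructed input: a request-controlled "display name" that carries two extra
# fields behind newline characters. The session starts out unauthenticated.
TAINTED = {
    "user": "guest",
    "authenticated": "0",
    "display_name": "guest\nrole=root\nauthenticated=1",
}


def demo() -> dict[str, bool]:
    """Compare the two writers on the same tainted input."""
    naive_session = parse(serialize_naive(TAINTED))
    try:
        serialize_safe(TAINTED)
        safe_rejected = False
    except ValueError:
        safe_rejected = True
    return {
        "naive_grants_root": is_root_session(naive_session),
        "safe_rejected": safe_rejected,
        "audit_flags_it": bool(audit_session_text(serialize_naive(TAINTED))),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of `serialize_safe` is structural rather than clever: the check is not a helper that call sites remember to use, it is the only way to produce a session line, so adding a new request handler cannot reintroduce the gap. `audit_session_text` is the corresponding detection idea for files already on disk.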
How It Was Discovered
This vulnerability was researched and disclosed by watchTowr Labs. All credit for the discovery, technical analysis, and proof-of-concept goes to their team. If you want to understand the full technical details of how the exploit works step by step, their write-up is the definitive source:
The Internet Is Falling Down - cPanel/WHM Authentication Bypass (CVE-2026-41940)
Fig 2: Attack Sequence
Timeline
| Date | Event |
|---|---|
| ~ Feb 23, 2026 | Earliest confirmed in-the-wild exploitation |
| ~ Apr 14, 2026 | Reportedly disclosed to cPanel; initial response: “nothing is wrong” |
| Apr 28, 2026 | Emergency advisory + patches released |
| Apr 29, 2026 | CVE assigned (CVSS 9.8); watchTowr PoC published |
| Apr 30, 2026 | CISA KEV; Shadowserver reports 44K IPs actively exploiting |
The two-month gap between first exploitation and the public patch is what makes this particularly serious. Servers were being compromised long before most administrators had any reason to act.
Affected Versions
| Branch | Fixed in |
|---|---|
| 86.0.x | 11.86.0.41 |
| 110.0.x | 11.110.0.97 |
| 118.0.x | 11.118.0.63 |
| 126.0.x | 11.126.0.54 |
| 130.0.x | 11.130.0.19 |
| 132.0.x | 11.132.0.29 |
| 134.0.x | 11.134.0.20 |
| 136.0.x | 11.136.0.5 |
| WP Squared | 136.1.7 |
All versions after v11.40 were vulnerable. If you’re on an end-of-life branch, no patch is coming; assume the server is compromised and act accordingly.
What You Need to Do
Patch immediately:
```bash
/usr/local/cpanel/scripts/upcp --force
```
If you can’t patch right away, block the WHM and cPanel ports at the firewall (2082, 2083, 2086, 2087, 2095, 2096) to cut off external access in the meantime.
Check for compromise. cPanel released an official detection script; run it as root:
```bash
/usr/local/cpanel/scripts/find_cpanel_iocs
```
After patching, rotate everything: root passwords, WHM API tokens, cPanel account passwords, and SSH keys. Given that exploitation was happening for two months before the patch, a clean IoC scan is no guarantee that nothing happened. When in doubt, treat the server as compromised and rebuild.
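To turn the Affected Versions table and the "patch immediately" step into a quick fleet check, here is a small Python script added for this page (not a cPanel tool and not part of the advisory). The fix table is copied from the table above; the script classifies a `11.x.y.z` version string as patched, vulnerable with a patch available, or on an end-of-life branch with no patch, and flags versions below the advisory's stated v11.40 lower bound as outside the range it describes. It assumes the installed version string lives in `/usr/local/cpanel/version`; the WP Squared build (fixed in 136.1.7) uses a different version scheme and is not covered.

```python
"""Classify an installed cPanel & WHM version against the advisory's fix table."""
from __future__ import annotations

import sys
from pathlib import Path

# Fixed-in versions per branch, taken from the Affected Versions table above.
# The key is the branch number, i.e. the second component of the 11.x.y.z string.
FIXED_IN: dict[int, tuple[int, int, int, int]] = {
    86: (11, 86, 0, 41),
    110: (11, 110, 0, 97),
    118: (11, 118, 0, 63),
    126: (11, 126, 0, 54),
    130: (11, 130, 0, 19),
    132: (11, 132, 0, 29),
    134: (11, 134, 0, 20),
    136: (11, 136, 0, 5),
}

# Assumed location of the installed version string on a cPanel server.
VERSION_FILE = Path("/usr/local/cpanel/version")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '11.110.0.96' into a comparable tuple; reject anything that is not four integers."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {text.strip()!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """Map a version string to one of four states derived from the advisory."""
    v = parse_version(version)
    if v[:2] < (11, 40):
        # The advisory says versions after v11.40 are affected; older ones are not listed.
        return "outside-advisory-range"
    fixed = FIXED_IN.get(v[1])
    if fixed is None:
        # Branch absent from the fix table: end-of-life, no patch is coming.
        return "vulnerable-eol-branch"
    return "patched" if v >= fixed else "vulnerable-patch-available"


def main() -> int:
    if not VERSION_FILE.exists():
        print(f"{VERSION_FILE} not found; is this a cPanel server?", file=sys.stderr)
        return 2
    version = VERSION_FILE.read_text()
    state = classify(version)
    print(f"{version.strip()}: {state}")
    # Non-zero exit for anything that still needs action, so the script fits into fleet checks.
    return 0 if state in ("patched", "outside-advisory-range") else 1


if __name__ == "__main__":
    sys.exit(main())
```

A `vulnerable-eol-branch` result means the upcp step above will not help: per the Affected Versions section, treat that server as compromised and plan a rebuild rather than waiting for a patch.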