Published 2 days ago • loading... • Updated 1 day ago

Critical cPanel and WHM Bug Exploited as a Zero-Day, PoC Now Available

A critical authentication bypass vulnerability, tracked as CVE-2026-41940, allows remote attackers to gain full root administrator access to cPanel and Web Host Manager servers with a severity score of 9.8.
According to watchTowr Labs, the flaw involves "Carriage Return Line Feed injection in the login and session loading processes"; KnownHost CEO Daniel Pearson stated the company has "seen execution attempts as early as 2/23/2026."
Approximately 1.5 million cPanel instances are exposed online, according to Rapid7 scans; Namecheap blocked connections to ports 2083 and 2087 to prevent unauthorized access.
Canada's national cybersecurity agency warned that "exploitation is highly probable," while cPanel released patches for versions including 136.0 and added a "Sanitization" function to prevent injection attacks.
While KnownHost observed unauthorized attempts on around 30 servers, security researchers recommend that administrators audit logs and reset credentials if indicators of compromise appear.

Insights by Ground AI

Podcasts & Opinions

Podcast Mention

CyberWire Daily

Daily Cybersecurity and Tech News podcast featuring Dave Bittner, Rick Howard and David Moulton

One copy too many.

CyberWire Daily discuss cPanel/WHM authentication bypass, urgent patches, and temporary port blocks

1 day ago

Listen to Full Episode Full Episode Unlock Timestamp

Get Vantage — Podcasts, Ratings, Timestamps

Podcasts & Opinions

12 Articles

TechCrunch

Center

Hackers are actively exploiting a bug in cPanel, used by millions of websites

Web hosts are scrambling to fix the bug under active attack by hackers. One company said hackers have been abusing the bug for months.

1 day ago·United States

Read Full Article

Tech Radar

Center

'The Internet is falling down': Critical cPanel CRLF injection vulnerability puts tens of millions of websites at risk of total compromise – hosting providers urged to apply CVE-2026-41940 patch immediately

A new critical severity vulnerability can give attackers full control over WHM servers, allowing them to steal data, upload malware, and delete websites.

1 day ago·United Kingdom

Read Full Article

BleepingComputer

Center

Critical cPanel and WHM bug exploited as a zero-day, PoC now available

The critical CVE-2026-41940 authentication bypass vulnerability in cPanel, WHM, and WP Squared is being actively exploited in the wild and has been leveraged in attempts since late February.

2 days ago

Read Full Article

iTnews

cPanel drops patches for exploited authentication bypass zero-day

Detection script released to identify compromised systems.

1 day ago

Read Full Article

Security Boulevard

Imperva Customers Protected Against CVE-2026-41940 in cPanel & WHM

What is CVE-2026-41940? CVE-2026-41940 is a critical authentication bypass vulnerability affecting cPanel & WHM, including DNSOnly, in versions after 11.40. The flaw, discovered by WatchTowr Labs, exists in the login flow and allows unauthenticated remote attackers to gain unauthorized access to the control panel. The vulnerability carries a CVSS 3.1 score of 9.8 and is […] The post Imperva Customers Protected Against CVE-2026-41940 in cPanel & …

1 day ago

Read Full Article

SempreUPdate

Critical cPanel Failure: How to Fix CVE-2026-41940

The discovery of a vulnerability in the cPanel identified as CVE-2026-41940 ignited an urgent alert in the hosting and security community. The failure, classified as zero-day, is being actively explored since February and allows authentication bypasses, opening the way for unauthorized access to servers. Considering the wide adoption of cPanel and WHM in shared hosting environments and VPS, the potential impact is significant. System administrat…

1 day ago

Read Full Article

Think freely.Subscribe and get full access to Ground NewsSubscriptions start at $9.99/year