cPanel Authentication Bypass and New RCE Flaws Put Hosting Servers at Risk
cPanel disclosed and patched a critical authentication bypass in cPanel & WHM, tracked as CVE-2026-41940, after reports of active in-the-wild exploitation against hosting infrastructure. The flaw affects authentication paths in supported versions and can let unauthenticated attackers reach administrative interfaces, forge authenticated sessions, and potentially gain control of hosted websites, databases, email accounts, and server configuration. Government and industry alerts warned that shared hosting environments face outsized risk because a single compromised server can expose many downstream customer sites, and some providers temporarily restricted cPanel and WHM login ports while applying fixes.
Public technical analysis and a GitHub proof-of-concept described an exploit chain involving manipulated HTTP headers and session cookie handling to create forged privileged sessions, including possible root-level WHM access. Separately, cPanel also patched three additional vulnerabilities in cPanel & WHM and WP Squared—CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203—that enable arbitrary file read through path traversal, Perl code injection leading to remote code execution, and denial-of-service via unsafe symlink handling. The most severe of the newly disclosed flaws, CVE-2026-29202, affects the create_user API and can allow arbitrary Perl code execution on the server, reinforcing calls for immediate upgrades, restricted access to management interfaces, and log review for suspicious authorization and cookie activity.
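To illustrate the bug class named above (CR/LF reaching a line-oriented session record) and the check that closes it, here is an added example; it is not code from cPanel, watchTowr or the published proof-of-concept. The key=value record format, the function names, the field names and the sample value are all constructed assumptions.

```python
import re

# Toy session record: one "key=value" per line. This format is an assumption
# made for illustration; it is not cPanel's real session file layout.
_CTRL = re.compile(r"[\x00-\x1f\x7f]")   # CR, LF and other control characters
_KEY = re.compile(r"[a-z_]{1,32}")

class UnsafeField(ValueError):
    """Raised when a key or value would break one-field-per-line framing."""

def serialize_naive(fields):
    # "Before" form: values are written verbatim, so an embedded CR/LF
    # ends the current line and starts a new, attacker-chosen one.
    return "".join(f"{k}={v}\n" for k, v in fields.items())

def serialize_strict(fields):
    # Hardened form: reject rather than strip, so the event can be logged.
    out = []
    for k, v in fields.items():
        if not _KEY.fullmatch(k):          # fullmatch: "$" would allow "key\n"
            raise UnsafeField(f"bad key {k!r}")
        if _CTRL.search(v):
            raise UnsafeField(f"control character in value of {k!r}")
        out.append(f"{k}={v}\n")
    return "".join(out)

def parse(blob):
    # Reader side: the last occurrence of a key wins, as in many simple parsers.
    fields = {}
    for line in blob.split("\n"):
        key, sep, value = line.rstrip("\r").partition("=")
        if sep:
            fields[key] = value
    return fields

# Constructed sample: a request-derived value carrying an embedded CRLF.
SAMPLE = {"user": "guest", "origin": "203.0.113.7\r\nuser=admin"}

def demo():
    forged_user = parse(serialize_naive(SAMPLE))["user"]
    try:
        serialize_strict(SAMPLE)
        rejected = False
    except UnsafeField:
        rejected = True
    return forged_user, rejected

if __name__ == "__main__":
    print(demo())
```

Rejecting the whole write, instead of silently stripping the control characters, leaves a log event that can be reviewed alongside the authorization and cookie activity mentioned above.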

How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
cPanel urges admins to upgrade after disclosure of new critical flaws
After patching the May vulnerabilities, cPanel advised administrators to upgrade immediately to fixed releases across supported branches, including WP Squared 11.136.1.10 or later. The company highlighted the risk of lateral movement, privilege escalation, and full server compromise in shared hosting environments.
cPanel patches three new flaws in cPanel & WHM and WP Squared
On May 8, 2026, cPanel patched three additional vulnerabilities: CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203. The issues enabled arbitrary file read via path traversal, Perl code injection leading to remote code execution, and denial of service through unsafe symlink handling.
Exploit framework for CVE-2026-41940 appears on GitHub
A GitHub repository named cPanelSniper was published describing and automating exploitation of CVE-2026-41940. The project outlined a session-file CRLF injection technique to obtain forged WHM access and included post-exploitation capabilities.
Public technical analysis details the CVE-2026-41940 bypass chain
Public analysis from watchTowr described an authentication bypass chain involving insufficient sanitization of HTTP headers and insufficient validation of session cookies. The write-up explained how forged authenticated sessions could be created against vulnerable cPanel & WHM instances.
Hosting providers temporarily block cPanel/WHM login ports
Following disclosure of CVE-2026-41940, major hosting providers including Namecheap and KnownHost temporarily blocked cPanel and WHM login ports until patches could be applied. This was a defensive response to ongoing exploitation risk.
Active exploitation of CVE-2026-41940 reported in the wild
Security reporting stated that CVE-2026-41940 was being actively exploited as a 0-day against hosting infrastructure in April 2026. Because cPanel is widely used in shared hosting, successful exploitation could expose many downstream customer sites on a single server.
Authorities warn CVE-2026-41940 is highly likely to be exploited
On April 29, 2026, the Canadian Centre for Cyber Security issued Alert AL26-008 warning that exploitation of CVE-2026-41940 was highly probable. The alert urged immediate patching, restricting access to management interfaces, and reviewing logs for suspicious activity.
cPanel discloses CVE-2026-41940 and releases emergency patches
cPanel disclosed the critical authentication bypass vulnerability CVE-2026-41940 affecting supported cPanel & WHM versions and released patched versions at disclosure. The flaw could allow unauthenticated attackers to access administrative interfaces and compromise hosted websites, databases, email accounts, and server settings.
CentOS Web Panel RCE advisory published
A separate advisory about remote code execution in CentOS Web Panel (CVE-2025-70951) was published by Fenrisk. It is unrelated to the cPanel/WHM vulnerabilities and does not materially advance this story.
Sources
New cPanel and WHM Flaws Enable Code Execution, DoS Attacks - Cyber Security News
cybersecuritynews.com
GitHub - ynsmroztas/cPanelSniper: CVE-2026-41940 - cPanel & WHM Authentication Bypass via Session-File CRLF Injection · GitHub
github.com
Hackers are actively exploiting a bug in cPanel, used by millions of websites | TechCrunch
linkedin.com
AL26-008 - Vulnerability affecting cPanel and WebHost Manager (WHM) - CVE-2026-41940 - Canadian Centre for Cyber Security
cyber.gc.ca
Critical Vulnerability in cPanel and WHM Under Active Exploitation (CVE-2026-41940)
labs.beazley.security
Remote code execution in CentOS Web Panel - CVE-2025-70951
fenrisk.com


