
In late April 2026, the critical authentication bypass vulnerability CVE-2026-41940 affecting cPanel & WHM was publicly disclosed. The vulnerability was rated CVSS 9.8 (Critical) and involves a structural flaw that allows unauthenticated remote attackers to gain unauthorized access to cPanel and WHM management interfaces. Shortly after disclosure, the vulnerability moved beyond theoretical risk and began to be actively exploited in real-world attacks involving backdoor installation, credential theft, web shell deployment, botnet propagation, and ransomware activity.
cPanel and WHM are core administrative panels used in web hosting environments to manage websites, accounts, domains, databases, email services, and server configurations. As a result, successful exploitation of this vulnerability could lead not only to compromise of a single web application, but also to full attacker control over multiple hosted websites, databases, and hosting accounts managed by the affected server. CVE-2026-41940 was subsequently added to the CISA Known Exploited Vulnerabilities (KEV) catalog and classified as a vulnerability requiring immediate action.
This article analyzes the technical root cause and real-world attack flow of CVE-2026-41940, and examines why internet-exposed cPanel/WHM management interfaces become immediate attack surfaces when identified through Criminal IP.
Overview of CVE-2026-41940

| Category | Description |
|---|---|
| Vulnerability ID | CVE-2026-41940 |
| Affected Products | cPanel & WHM, WP Squared |
| Vulnerability Type | Authentication Bypass via CRLF Injection |
| CVSS Score | 9.8 (Critical) |
| Impact | Authentication bypass, admin privilege acquisition, access to server settings and databases |
| Exploitation Status | Actively exploited in the wild, listed in CISA KEV |
According to the official security advisory, cPanel & WHM versions after 11.40 are affected, and patches have been released across multiple supported branches. Certain versions of WP Squared are also included in the affected scope.
Patched versions include:
- 11.86.0.41 or later
- 11.94.0.28 or later
- 11.102.0.39 or later
- 11.110.0.97 or later
- 11.118.0.63 or later
- 11.124.0.35 or later
- 11.126.0.54 or later
- 11.130.0.19 or later
- 11.132.0.29 or later
- 11.134.0.20 or later
- 11.136.0.5 or later
Real-World Attack Flow: From Authentication Bypass to Backdoor Deployment

The danger of CVE-2026-41940 lies not only in the severity of the vulnerability itself, but also in the fact that real-world exploitation has already become automated. According to publicly available reports, attackers are conducting large-scale scans targeting vulnerable cPanel/WHM instances, gaining administrative access through authentication bypass, and subsequently deploying malicious scripts and backdoors.
The attack flow can be summarized as follows:
- Identification of internet-exposed cPanel/WHM management interfaces
- Exploitation of the authentication bypass vulnerability to obtain administrator-level sessions
- Insertion of SSH public keys or web shells into the server
- Establishment of file upload/download and remote command execution capabilities
- Credential theft through login page modification or malicious script injection
- Backdoor deployment and persistence establishment
- Expansion of compromise into additional websites, databases, and account information
In several observed attacks, threat actors were reported to collect bash history, SSH-related data, device information, database passwords, and cPanel virtual alias information from compromised servers. This demonstrates that attackers are not merely gaining access to the management panel itself, but are also harvesting operational and authentication data for further compromise or lateral movement. Because cPanel/WHM environments often manage multiple websites and accounts on a single server, obtaining WHM-level privileges grants attackers access not only to a single hosting account, but to the entire server’s configuration, web roots, databases, and credentials. As a result, CVE-2026-41940 has a significantly broader blast radius than a typical web application vulnerability.
Internet-Exposed cPanel Assets Observable Through Criminal IP
To assess the exposure status of internet-facing cPanel/WHM instances, Criminal IP Asset Search can be used with search conditions reflecting cPanel service characteristics.

Criminal IP Search Query: title: cPanel
Because the cPanel web interface exposes the service name directly in the login page title, externally accessible cPanel instances can be identified through simple HTML title–based searches. This query is useful for broadly identifying internet-facing assets exposing cPanel-related web interfaces without specifying a particular port condition. Using Criminal IP Asset Search, a total of 2,954 assets were identified.
The query was then refined further to separately analyze exposure of the cPanel user interface and the WHM administrator interface.

Criminal IP Search Query: title: cPanel AND port: 2083
This query was used to analyze related assets in greater detail. It specifically identifies systems exposing the cPanel web interface over port 2083, the default HTTPS management port for cPanel. Because port 2083 is commonly used for user access to cPanel accounts, identifying both the cPanel title and an externally accessible 2083 port strongly suggests that the actual cPanel management interface is directly reachable from the internet. A total of 147 instances were identified, and these assets can be considered high-risk exposed systems requiring prioritized review in relation to CVE-2026-41940.

Criminal IP Search Query: title: WHM AND port: 2087
WHM (Web Host Manager) is the root-level management interface used to administer an entire hosting server and operates by default on port 2087. The ultimate objective of CVE-2026-41940 exploitation is acquisition of a WHM root session. As a result, assets identified through the query title: WHM AND port: 2087 represent the highest-risk asset group, where both the management interface and service port are simultaneously exposed to the internet. Because WHM root privileges provide full control over all websites, databases, email accounts, and hosting configurations managed on the server, compromise of these assets can expand far beyond a single system, potentially affecting dozens or even hundreds of hosted websites simultaneously.
These findings demonstrate that while cPanel/WHM is widely used for operational convenience in web hosting environments, externally exposed management interfaces can also become easily identifiable attack surfaces. In vulnerabilities such as CVE-2026-41940, where authentication bypass can lead directly to administrator-level access, organizations must verify not only patch status but also whether management ports remain externally accessible.
Mitigation and Recommendations
According to the official security advisory, patches for CVE-2026-41940 have been released across multiple cPanel & WHM versions. Administrators are strongly advised to immediately update to patched versions and restart the cPanel service daemon. The use of official detection scripts to identify known indicators of compromise is also recommended.
Organizations should prioritize the following response actions:
1. Apply the Latest cPanel & WHM Patches
Affected environments should be updated immediately to patched versions. Administrators should verify the actual installed build version rather than relying solely on automatic update status.
2. Restart cpsrvd and Verify Service Status
After patching, organizations must confirm that the cPanel service daemon restarted correctly. If legacy processes remain active or services fail to reload properly, patch effectiveness may be incomplete.
3. Restrict External Access to Management Ports
cPanel/WHM management ports should not be directly accessible from the public internet whenever possible. Particular attention should be given to the following ports:
- 2083: cPanel HTTPS
- 2087: WHM HTTPS
- 2095: Webmail HTTP
- 2096: Webmail HTTPS
Administrative access should ideally be restricted through VPNs, allowlisted IP ranges, zero-trust access controls, or firewall policies.
4. Investigate Signs of Compromise
Organizations must not assume that exploitation has not already occurred. Investigation should focus on:
- Abnormal WHM login activity
- Suspicious session files
- Unauthorized SSH public keys
- PHP web shells or suspicious files in web roots
- Login page or JavaScript tampering
- Creation of unknown administrator accounts
- Persistence mechanisms in cron, systemd, or init scripts
- Potential leakage of database passwords and API keys
5. Rotate Credentials and Keys
If compromise may have occurred before patching, credentials and API keys should be considered potentially exposed. Organizations should rotate:
- cPanel/WHM administrator credentials
- SSH keys
- Database accounts
- Web application secret keys
- Email account passwords
6. Revalidate External Exposure
Even after patching and internal investigation, organizations should verify whether management interfaces remain externally identifiable. Attack Surface Management solutions such as Criminal IP ASM should be used to continuously monitor domains, IP ranges, and hosting infrastructure for exposed cPanel/WHM services.
FAQ
Q1. Why is CVE-2026-41940 particularly dangerous?
CVE-2026-41940 is an authentication bypass vulnerability that allows unauthenticated remote attackers to gain unauthorized access to cPanel/WHM management interfaces. Unlike typical vulnerabilities, attackers do not need preexisting administrator credentials. If a vulnerable service is externally exposed, exploitation attempts become immediately possible. In addition, cPanel/WHM functions as a centralized control layer for servers and multiple hosting accounts, not just a single website. Once WHM privileges are obtained, attackers may gain access to website files, databases, account settings, email systems, domains, and server configurations. As a result, the vulnerability can lead not merely to application compromise, but to full hosting server compromise.
Q2. Is patching alone sufficient?
Applying patches is essential, but not sufficient on its own. CVE-2026-41940 has already been exploited in real-world attacks, with observed attack flows involving web shells, SSH keys, backdoors, and credential theft. If attackers gained access before patching, they may retain persistence mechanisms allowing re-entry even after the vulnerability itself is fixed. Organizations should therefore combine patching with compromise investigation, removal of suspicious files, credential and key rotation, log analysis and external exposure management. In particular, if cPanel/WHM management ports remain internet-accessible, those systems may become high-risk targets again when future vulnerabilities are disclosed.
Conclusion
CVE-2026-41940 demonstrates how quickly externally exposed hosting management panels such as cPanel/WHM can become the source of large-scale compromise. While the authentication bypass itself is critical, the larger issue is that attackers can automatically identify internet-exposed management interfaces and move rapidly from exploitation to full server compromise. Patching remains the most fundamental response measure. However, in already-compromised environments, patching alone cannot remove backdoors, stolen credentials, tampered login pages, or additional malicious files.
Organizations must therefore combine patch deployment with:
- External asset identification
- Restriction of management port exposure
- Investigation of compromise indicators
- Credential rotation
- Continuous ASM-based validation
In relation to this, you can refer to CVE-2026-3854: GitHub RCE Vulnerability Triggered by a Single git push
You can subscribe to Criminal IP (criminalip.io/register) and start detecting vulnerable assets right away. You can also request a demo using the button below and explore Criminal IP’s threat intelligence (TI) analysis of externally exposed assets at the enterprise level.

This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine. Sign up for a free Criminal IP account today to explore the search results mentioned in the report and delve into comprehensive threat intelligence.
Resource: Criminal IP(https://www.criminalip.io), SECURITYWEEK (https://www.securityweek.com/over-40000-servers-compromised-in-ongoing-cpanel-exploitation/), HELPNET SECURITY (https://www.helpnetsecurity.com/2026/04/30/cpanel-zero-day-vulnerability-cve-2026-41940-exploited/), TheHackerNews (https://thehackernews.com/2026/05/cpanel-cve-2026-41940-under-active.html)
Related article: https://www.criminalip.io/knowledge-hub/blog/34700
