Contact Us
Blog

CVE-2026-41940: Analysis of the cPanel Authentication Bypass Vulnerability

This article analyzes the attack flow of CVE-2026-41940 and examines internet-exposed cPanel/WHM management interfaces through Criminal IP.

In late April 2026, the critical authentication bypass vulnerability CVE-2026-41940 affecting cPanel & WHM was publicly disclosed. The vulnerability was rated CVSS 9.8 (Critical) and involves a structural flaw that allows unauthenticated remote attackers to gain unauthorized access to cPanel and WHM management interfaces. Shortly after disclosure, the vulnerability moved beyond theoretical risk and began to be actively exploited in real-world attacks involving backdoor installation, credential theft, web shell deployment, botnet propagation, and ransomware activity.

cPanel and WHM are core administrative panels used in web hosting environments to manage websites, accounts, domains, databases, email services, and server configurations. As a result, successful exploitation of this vulnerability could lead not only to compromise of a single web application, but also to full attacker control over multiple hosted websites, databases, and hosting accounts managed by the affected server. CVE-2026-41940 was subsequently added to the CISA Known Exploited Vulnerabilities (KEV) catalog and classified as a vulnerability requiring immediate action.

This article analyzes the technical root cause and real-world attack flow of CVE-2026-41940, and examines why internet-exposed cPanel/WHM management interfaces become immediate attack surfaces when identified through Criminal IP.

Overview of CVE-2026-41940

AI-generated image illustrating the overview of the cPanel authentication bypass vulnerability
CategoryDescription
Vulnerability IDCVE-2026-41940
Affected ProductscPanel & WHM, WP Squared
Vulnerability TypeAuthentication Bypass via CRLF Injection
CVSS Score9.8 (Critical)
ImpactAuthentication bypass, admin privilege acquisition, access to server settings and databases
Exploitation StatusActively exploited in the wild, listed in CISA KEV

According to the official security advisory, cPanel & WHM versions after 11.40 are affected, and patches have been released across multiple supported branches. Certain versions of WP Squared are also included in the affected scope.

Patched versions include:

  • 11.86.0.41 or later
  • 11.94.0.28 or later
  • 11.102.0.39 or later
  • 11.110.0.97 or later
  • 11.118.0.63 or later
  • 11.124.0.35 or later
  • 11.126.0.54 or later
  • 11.130.0.19 or later
  • 11.132.0.29 or later
  • 11.134.0.20 or later
  • 11.136.0.5 or later

Real-World Attack Flow: From Authentication Bypass to Backdoor Deployment

AI-generated image illustrating the attack flow

The danger of CVE-2026-41940 lies not only in the severity of the vulnerability itself, but also in the fact that real-world exploitation has already become automated. According to publicly available reports, attackers are conducting large-scale scans targeting vulnerable cPanel/WHM instances, gaining administrative access through authentication bypass, and subsequently deploying malicious scripts and backdoors.

The attack flow can be summarized as follows:

  • Identification of internet-exposed cPanel/WHM management interfaces
  • Exploitation of the authentication bypass vulnerability to obtain administrator-level sessions
  • Insertion of SSH public keys or web shells into the server
  • Establishment of file upload/download and remote command execution capabilities
  • Credential theft through login page modification or malicious script injection
  • Backdoor deployment and persistence establishment
  • Expansion of compromise into additional websites, databases, and account information

In several observed attacks, threat actors were reported to collect bash history, SSH-related data, device information, database passwords, and cPanel virtual alias information from compromised servers. This demonstrates that attackers are not merely gaining access to the management panel itself, but are also harvesting operational and authentication data for further compromise or lateral movement. Because cPanel/WHM environments often manage multiple websites and accounts on a single server, obtaining WHM-level privileges grants attackers access not only to a single hosting account, but to the entire server’s configuration, web roots, databases, and credentials. As a result, CVE-2026-41940 has a significantly broader blast radius than a typical web application vulnerability.

Internet-Exposed cPanel Assets Observable Through Criminal IP

To assess the exposure status of internet-facing cPanel/WHM instances, Criminal IP Asset Search can be used with search conditions reflecting cPanel service characteristics.

Criminal IP Asset Search results for title: cPanel

Criminal IP Search Query: title: cPanel

Because the cPanel web interface exposes the service name directly in the login page title, externally accessible cPanel instances can be identified through simple HTML title–based searches. This query is useful for broadly identifying internet-facing assets exposing cPanel-related web interfaces without specifying a particular port condition. Using Criminal IP Asset Search, a total of 2,954 assets were identified.

The query was then refined further to separately analyze exposure of the cPanel user interface and the WHM administrator interface.

Criminal IP Asset Search results for title: cPanel AND port: 2083

Criminal IP Search Query: title: cPanel AND port: 2083

This query was used to analyze related assets in greater detail. It specifically identifies systems exposing the cPanel web interface over port 2083, the default HTTPS management port for cPanel. Because port 2083 is commonly used for user access to cPanel accounts, identifying both the cPanel title and an externally accessible 2083 port strongly suggests that the actual cPanel management interface is directly reachable from the internet. A total of 147 instances were identified, and these assets can be considered high-risk exposed systems requiring prioritized review in relation to CVE-2026-41940.

Criminal IP Asset Search results for title: WHM AND port: 2087

Criminal IP Search Query: title: WHM AND port: 2087

WHM (Web Host Manager) is the root-level management interface used to administer an entire hosting server and operates by default on port 2087. The ultimate objective of CVE-2026-41940 exploitation is acquisition of a WHM root session. As a result, assets identified through the query title: WHM AND port: 2087 represent the highest-risk asset group, where both the management interface and service port are simultaneously exposed to the internet. Because WHM root privileges provide full control over all websites, databases, email accounts, and hosting configurations managed on the server, compromise of these assets can expand far beyond a single system, potentially affecting dozens or even hundreds of hosted websites simultaneously.

These findings demonstrate that while cPanel/WHM is widely used for operational convenience in web hosting environments, externally exposed management interfaces can also become easily identifiable attack surfaces. In vulnerabilities such as CVE-2026-41940, where authentication bypass can lead directly to administrator-level access, organizations must verify not only patch status but also whether management ports remain externally accessible.

Mitigation and Recommendations

According to the official security advisory, patches for CVE-2026-41940 have been released across multiple cPanel & WHM versions. Administrators are strongly advised to immediately update to patched versions and restart the cPanel service daemon. The use of official detection scripts to identify known indicators of compromise is also recommended.

Organizations should prioritize the following response actions:

1. Apply the Latest cPanel & WHM Patches

Affected environments should be updated immediately to patched versions. Administrators should verify the actual installed build version rather than relying solely on automatic update status.

2. Restart cpsrvd and Verify Service Status

After patching, organizations must confirm that the cPanel service daemon restarted correctly. If legacy processes remain active or services fail to reload properly, patch effectiveness may be incomplete.

3. Restrict External Access to Management Ports

cPanel/WHM management ports should not be directly accessible from the public internet whenever possible. Particular attention should be given to the following ports:

  • 2083: cPanel HTTPS
  • 2087: WHM HTTPS
  • 2095: Webmail HTTP
  • 2096: Webmail HTTPS

Administrative access should ideally be restricted through VPNs, allowlisted IP ranges, zero-trust access controls, or firewall policies.

4. Investigate Signs of Compromise

Organizations must not assume that exploitation has not already occurred. Investigation should focus on:

  • Abnormal WHM login activity
  • Suspicious session files
  • Unauthorized SSH public keys
  • PHP web shells or suspicious files in web roots
  • Login page or JavaScript tampering
  • Creation of unknown administrator accounts
  • Persistence mechanisms in cron, systemd, or init scripts
  • Potential leakage of database passwords and API keys

5. Rotate Credentials and Keys

If compromise may have occurred before patching, credentials and API keys should be considered potentially exposed. Organizations should rotate:

  • cPanel/WHM administrator credentials
  • SSH keys
  • Database accounts
  • Web application secret keys
  • Email account passwords

6. Revalidate External Exposure

Even after patching and internal investigation, organizations should verify whether management interfaces remain externally identifiable. Attack Surface Management solutions such as Criminal IP ASM should be used to continuously monitor domains, IP ranges, and hosting infrastructure for exposed cPanel/WHM services.

FAQ

Q1. Why is CVE-2026-41940 particularly dangerous?

CVE-2026-41940 is an authentication bypass vulnerability that allows unauthenticated remote attackers to gain unauthorized access to cPanel/WHM management interfaces. Unlike typical vulnerabilities, attackers do not need preexisting administrator credentials. If a vulnerable service is externally exposed, exploitation attempts become immediately possible. In addition, cPanel/WHM functions as a centralized control layer for servers and multiple hosting accounts, not just a single website. Once WHM privileges are obtained, attackers may gain access to website files, databases, account settings, email systems, domains, and server configurations. As a result, the vulnerability can lead not merely to application compromise, but to full hosting server compromise.

Q2. Is patching alone sufficient?

Applying patches is essential, but not sufficient on its own. CVE-2026-41940 has already been exploited in real-world attacks, with observed attack flows involving web shells, SSH keys, backdoors, and credential theft. If attackers gained access before patching, they may retain persistence mechanisms allowing re-entry even after the vulnerability itself is fixed. Organizations should therefore combine patching with compromise investigation, removal of suspicious files, credential and key rotation, log analysis and external exposure management. In particular, if cPanel/WHM management ports remain internet-accessible, those systems may become high-risk targets again when future vulnerabilities are disclosed.

Conclusion

CVE-2026-41940 demonstrates how quickly externally exposed hosting management panels such as cPanel/WHM can become the source of large-scale compromise. While the authentication bypass itself is critical, the larger issue is that attackers can automatically identify internet-exposed management interfaces and move rapidly from exploitation to full server compromise. Patching remains the most fundamental response measure. However, in already-compromised environments, patching alone cannot remove backdoors, stolen credentials, tampered login pages, or additional malicious files.

Organizations must therefore combine patch deployment with:

  • External asset identification
  • Restriction of management port exposure
  • Investigation of compromise indicators
  • Credential rotation
  • Continuous ASM-based validation

In relation to this, you can refer to CVE-2026-3854: GitHub RCE Vulnerability Triggered by a Single git push

You can subscribe to Criminal IP (criminalip.io/register) and start detecting vulnerable assets right away. You can also request a demo using the button below and explore Criminal IP’s threat intelligence (TI) analysis of externally exposed assets at the enterprise level.


This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine. Sign up for a free Criminal IP account today to explore the search results mentioned in the report and delve into comprehensive threat intelligence.

Resource: Criminal IP(https://www.criminalip.io), SECURITYWEEK (https://www.securityweek.com/over-40000-servers-compromised-in-ongoing-cpanel-exploitation/), HELPNET SECURITY (https://www.helpnetsecurity.com/2026/04/30/cpanel-zero-day-vulnerability-cve-2026-41940-exploited/), TheHackerNews (https://thehackernews.com/2026/05/cpanel-cve-2026-41940-under-active.html)

Related article: https://www.criminalip.io/knowledge-hub/blog/34700

CVE-2026-41940: Analysis of the cPanel Authentication Bypass Vulnerability | CIP Blog | Criminal IP