CVE-2026-41940: Critical cPanel Auth Bypass

The cPanel Authentication Bypass That Broke the Internet

If you run a website, manage web hosting, or work in IT, you need to read this. A critical vulnerability in cPanel and WebHost Manager (WHM) — software that manages tens of millions of websites globally — is being actively weaponised by ransomware gangs, botnets, and state-sponsored threat actors. The window to act was short. For many organisations, it already closed.

What Is cPanel and Why Does This Matter?

cPanel and WHM are the control panels that sit behind a significant portion of the internet’s web hosting infrastructure. They manage websites, email accounts, databases, DNS records, and server configurations — all from a single login interface. Security firm watchTowr estimates the software underpins over 70 million domains globally. Censys puts the number of internet-exposed cPanel instances at over 1 million.

That reach is exactly what makes CVE-2026-41940 so alarming.

What Happened?

On April 28, 2026, cPanel’s developer WebPros International published a terse security advisory describing “an issue with session loading and saving.” That understated language masked a catastrophic flaw: a complete authentication bypass that allows any remote attacker — with no credentials whatsoever — to gain administrator-level access to a cPanel or WHM server.

The CVE was formally assigned on April 29, 2026, with a CVSS score of 9.8 out of 10 — as critical as vulnerabilities get.

How Does the Exploit Work?

The technical root cause is a Carriage Return Line Feed (CRLF) injection vulnerability in the way cPanel’s service daemon (cpsrvd) handles authentication sessions.

Here’s the simplified version of what happens:

  1. Before a user is authenticated, cpsrvd writes a new session file to disk.
  2. An attacker can manipulate the whostmgrsession cookie by omitting an expected segment of its value, bypassing the encryption normally applied to it.
  3. By injecting raw \r\n characters through a malicious HTTP Authorization header, the attacker can write arbitrary data into that session file — for example, user=root.
  4. When cPanel reloads the session from the file, it interprets the attacker’s injected properties as legitimate, granting administrator-level access.

The result: an unauthenticated attacker on the internet gets full root-equivalent control of the hosting server and everything it manages.

Was It Being Exploited Before the Patch?

Yes — and for months.

KnownHost, a managed cPanel hosting provider, confirmed it observed exploitation attempts dating back to February 23, 2026, a full two months before public disclosure. This means CVE-2026-41940 was used as a zero-day in the wild long before defenders knew it existed.

A webhosting.today source also noted the vulnerability had been privately reported to cPanel approximately two weeks before the April 28 advisory — and that cPanel’s initial response was that nothing was wrong.

The Exploitation Escalated Fast

Within hours of the advisory and a proof-of-concept being published by watchTowr Labs, exploitation became widespread. The timeline of chaos:

  • April 29: watchTowr publishes technical analysis and a working proof-of-concept exploit. Namecheap blocks customer access to ports 2083 and 2087 as an emergency measure. Multiple hosting providers including hosting.com, KnownHost, HostPapa, and InMotion follow.
  • April 30: Cloudflare issues an emergency WAF rule. CISA adds CVE-2026-41940 to its Known Exploited Vulnerabilities (KEV) catalogue. Cato Networks observes active exploitation and begins virtual patching customers.
  • May 1: Shadowserver Foundation reports at least 44,000 IP addresses — likely compromised cPanel hosts — engaging in scanning and brute-force attacks.
  • May 2: Threat intelligence firm Ctrl-Alt-Intel identifies a targeted cyber espionage campaign leveraging the vulnerability against government and military entities in Southeast Asia, alongside MSPs and hosting providers in the Philippines, Laos, Canada, South Africa, and the United States.
  • May 3: CISA deadline for all Federal Civilian Executive Branch agencies to apply patches.
  • May 4: Censys identifies 8,859 internet-exposed hosts with open directories containing files ending in the .sorry extension — the calling card of a Go-based Linux ransomware strain actively deployed post-compromise.

What Are Attackers Doing Once They’re In?

Multiple threat actor groups are exploiting this vulnerability for different purposes:

Ransomware deployment: A Go-based Linux encryptor is being mass-deployed across compromised cPanel servers, encrypting files and appending the .sorry extension, then dropping a ransom note directing victims to contact operators via the Tox messaging platform.

Botnet recruitment: Compromised servers are being folded into botnets, including a Mirai variant dubbed nuclear.x86, which is then used to conduct further scanning and brute-force attacks against other targets.

Cyber espionage: A nation-state-linked threat actor (with victimology and data exfiltration patterns suggesting a Chinese nexus, though attribution remains unconfirmed) targeted government and military networks across Southeast Asia using the cPanel vulnerability as an initial access vector, combined with a custom exploit chain against an Indonesian defence-sector training portal.

Website defacement and data theft: Mass exploitation has led to widespread defacement of hosted websites and exfiltration of databases, email accounts, and sensitive configuration data.

Scope: What Is Affected?

  • cPanel & WHM — all versions after v11.40, fixed in version 11.136.0.5
  • WP Squared — versions prior to 136.1.7 (a managed WordPress hosting platform built on cPanel)
  • Approximately 1.5 million cPanel instances were exposed to the internet at the time of disclosure (Shodan data via Rapid7)

What Should You Do Right Now?

If you self-manage a cPanel/WHM server:

  1. Patch immediately. Update to cPanel & WHM 11.136.0.5 or later. Verify by running: /usr/local/cpanel/cpanel -V
  2. Check for compromise. Run the detection script provided in cPanel’s advisory to search for known indicators of compromise in session files.
  3. Block control panel ports at the firewall as a temporary measure: TCP ports 2083, 2087, 2095, and 2096.
  4. Stop the cpsrvd and cpdavd services if you cannot patch immediately.
  5. If compromise indicators are found, rebuild from clean backups. Evict persistence mechanisms including planted SSH keys, hidden cron jobs, leftover API tokens, sudoers backdoors, and unauthorised users.
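A small triage helper for the self-managed steps above, added here as an example and not cPanel's own tooling. It assumes that /usr/local/cpanel/cpanel -V prints a dotted version string somewhere in its output (parsed with a regex), that /home is where hosted files live, and it only prints the port-blocking command from step 3 rather than running it.

```shell
#!/bin/sh
# Added triage helper, not cPanel's own tooling. Assumes `cpanel -V` prints
# a dotted version somewhere in its output (parsed with a regex below).
FIXED_VERSION="11.136.0.5"

# Numeric comparison of dotted versions; returns 0 when $1 >= $2.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}              # leading component of each
        [ "$ai" = "$a" ] && a="" || a=${a#*.} # drop it from the remainder
        [ "$bi" = "$b" ] && b="" || b=${b#*.}
        ai=${ai:-0}; bi=${bi:-0}              # missing components count as 0
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
    done
    return 0
}

# Pull the first dotted version string out of arbitrary command output.
parse_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)+' | head -n 1
}

# Returns 0 only if the reported version is at or above the fixed release.
is_patched() {
    v=$(parse_version "$1")
    [ -n "$v" ] && version_ge "$v" "$FIXED_VERSION"
}

# Count files carrying the .sorry extension left by the ransomware described
# above; prints the count so it can be checked or logged.
count_sorry_files() {
    find "$1" -xdev -type f -name '*.sorry' 2>/dev/null | wc -l | tr -d ' '
}

# When run on a server, report patch status and print (not apply) the
# emergency port block from step 3; review it before running as root.
if [ -x /usr/local/cpanel/cpanel ]; then
    if is_patched "$(/usr/local/cpanel/cpanel -V 2>/dev/null)"; then
        echo "cPanel is at or above $FIXED_VERSION"
    else
        echo "UNPATCHED: update now, or block the panel ports meanwhile:"
        echo "  iptables -I INPUT -p tcp -m multiport --dports 2083,2087,2095,2096 -j DROP"
    fi
    echo "Files with .sorry extension under /home: $(count_sorry_files /home)"
fi
```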

If you use managed hosting:

  • Contact your hosting provider to confirm patch status.
  • If they haven’t patched, ask for your service to be temporarily isolated until they do.
  • Review your hosted sites for defacement, unexpected files, or unauthorised admin accounts.

For security teams:

  • Hunt for .sorry-extension files across hosted environments.
  • Review logs for authentication events on ports 2083 and 2087 from unknown IPs.
  • Add CVE-2026-41940 indicators to your threat intelligence feeds immediately.

The Bigger Picture

watchTowr CEO Benjamin Harris put it bluntly: “Within hours of the advisory dropping, nearly every major hosting provider on the planet had firewalled their own customers off their own product.” That’s not a normal patch cycle. That’s a five-alarm fire.

CVE-2026-41940 is a reminder that management-plane vulnerabilities carry outsized risk. A single cPanel server may host hundreds of customer websites, databases, and email accounts. When the management layer falls, everything it manages falls with it.

The combination of a 9.8 CVSS score, a public proof-of-concept, confirmed zero-day exploitation, ransomware deployment, and nation-state interest makes this one of the most consequential vulnerabilities of 2026. If you haven’t patched, you’re not just at risk — you’re likely already a target.

Quick Reference

Item                      Detail
CVE                       CVE-2026-41940
CVSS Score                9.8 (Critical)
Affected Software         cPanel & WHM (all versions after 11.40), WP Squared
Fixed Version             cPanel 11.136.0.5 / WP Squared 136.1.7
Disclosed                 April 28, 2026
Zero-Day Exploitation     Confirmed from February 23, 2026
CISA KEV Added            May 1, 2026
Attack Type               Unauthenticated authentication bypass (CRLF injection)
Known Post-Exploitation   Ransomware (.sorry), Mirai botnet, espionage, defacement
