cPanel Zero-Day CVE-2026-41940 Has Been Actively Exploited Since February — PoC Is Now Public and 1.5 Million Instances Are at Risk
A critical zero-day authentication bypass vulnerability in cPanel and WHM — the world's most widely deployed web hosting control panel software — is being actively exploited in the wild, with evidence suggesting attacks began as far back as February 2026. The flaw, tracked as CVE-2026-41940, carries a near-maximum CVSS score of 9.8 and allows unauthenticated remote attackers to completely bypass login controls and gain full root-level administrative access to affected servers without any valid credentials.
cPanel disclosed the vulnerability on April 28, 2026, and a public proof-of-concept exploit has since been released by watchTowr Labs, dramatically lowering the barrier to mass exploitation. A Shodan analysis estimates approximately 1.5 million internet-exposed cPanel instances are potentially at risk.
The vulnerability stems from a combination of CRLF injection and critically flawed session-handling logic within the cpsrvd daemon — the core service responsible for authentication in cPanel and WHM. Attackers exploit the flaw by minting a pre-authentication session, injecting malicious input including arbitrary parameters such as user=root into session files, and manipulating the do_token_denied function to extract and propagate a valid root session token through the server's internal cache.
The attack chain bypasses password verification entirely by injecting session attributes that signal a completed and successful login. The full exploit unfolds in four distinct steps and requires no user interaction, making it trivially automatable against any internet-facing cPanel or WHM instance running a vulnerable build.
watchTowr researcher Sina Kheirkhah published the detection artifact generator and PoC script targeting port 2087, the WHM administrative port, confirming successful root-level access against vulnerable versions.
cPanel and WHM are used to manage tens of millions of domains across shared hosting, VPS, and enterprise hosting environments globally. WHM provides root-level administrative access to the entire server, while cPanel manages individual site owners' accounts — meaning a single successful exploit exposes every hosted domain, email account, database, and file system on the compromised server.
Attackers who gain root access through this vulnerability can deploy ransomware across all hosted sites, exfiltrate sensitive customer data at scale, modify server configurations, establish persistent backdoors, and use the compromised infrastructure as a launch point for downstream attacks against third parties. Multiple global hosting providers have already taken cPanel-based control panels offline as a precautionary measure while emergency patches are deployed.
cPanel has released emergency patches across all supported version branches. Administrators must update to the following patched releases without delay: 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, 11.136.0.5, and WP Squared version 136.1.7. The fastest update path is running the command /scripts/upcp --force followed by restarting cpsrvd via /scripts/restartsrv_cpsrvd. Servers with auto
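The patched-release list above lends itself to a quick per-server check. The script below is an added example, not code from cPanel or watchTowr: it classifies a build string against the releases named in the article. It assumes the installed build is recorded in /usr/local/cpanel/version (a path not given in the article) and covers only the cPanel and WHM builds, not WP Squared.

```shell
#!/bin/sh
# Added example: classify a cPanel & WHM build string against the patched
# releases listed in the article for CVE-2026-41940.

# Patched releases copied from the article. WP Squared (136.1.7) uses a
# different version scheme and is not handled here.
PATCHED_BUILDS="11.110.0.97 11.118.0.63 11.126.0.54 11.132.0.29 11.134.0.20 11.136.0.5"

# classify_cpanel_build VERSION
# Prints one of: patched, vulnerable, unknown-branch, invalid
classify_cpanel_build() {
    version=$1
    # Accept only digits and dots, with no empty components.
    case $version in
        ''|*[!0-9.]*|.*|*.|*..*) echo invalid; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $version            # split into components on "."
    IFS=$old_ifs
    if [ $# -ne 4 ]; then echo invalid; return 0; fi
    branch="$1.$2.$3"; build=$4
    for fixed in $PATCHED_BUILDS; do
        if [ "${fixed%.*}" = "$branch" ]; then
            # Same branch: patched only at or above the fixed build number.
            if [ "$build" -ge "${fixed##*.}" ]; then
                echo patched
            else
                echo vulnerable
            fi
            return 0
        fi
    done
    # Branch not in the article's list: check it against the vendor advisory.
    echo unknown-branch
}

# Assumption: the installed build string is stored in this file (the path
# is not given in the article). Override VERSION_FILE to test other inputs.
VERSION_FILE="${VERSION_FILE:-/usr/local/cpanel/version}"
if [ -r "$VERSION_FILE" ]; then
    installed=$(tr -d '[:space:]' < "$VERSION_FILE")
    echo "$installed: $(classify_cpanel_build "$installed")"
fi
```

A "patched" result reflects only the installed build. Given the exploitation window the article describes, it says nothing about whether the server was accessed before the update.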