The global web hosting industry is on high alert following the discovery of a critical 0-day vulnerability in cPanel & WHM. Tracked as CVE-2026-41940, this flaw carries a near-perfect CVSS score of 9.8.
It allows unauthenticated remote attackers to bypass the login screen entirely, granting them administrative “root” access to the server. With cPanel powering an estimated 2 million+ internet-facing instances, the “blast radius” includes millions of hosted websites, databases, and email accounts.
The Exploit: How the “watchTowr” PoC Works
Security researchers at watchTowr have released a technical deep dive and a functional Proof-of-Concept (PoC) exploit, significantly lowering the barrier for entry for threat actors.
The attack chain utilizes a Carriage Return Line Feed (CRLF) injection within the login flow. By manipulating the whostmgrsession cookie and the HTTP authorization headers, an attacker can:
- Inject raw `\r\n` characters into the session loading process.
- Force the server to write a session file to the disk containing arbitrary properties (e.g., `user=root`).
- Hijack the session token without ever providing a valid password.
The result? The attacker is granted full WHM access, allowing them to modify files, install malware, or pivot into private customer networks.
Active Exploitation: “Already in the Wild”
This is not a theoretical threat. Reports from hosting providers like Namecheap and KnownHost indicate that the vulnerability has been under active exploitation as a 0-day for at least 30 days.
Hosting giants have taken the unprecedented step of blocking ports 2083 and 2087 at the firewall level to protect customers while emergency patches are deployed.
Immediate Action Required: Patched Versions
cPanel accelerated its patch rollout on April 28, 2026. Administrators must ensure their systems are running one of the following fixed builds:
| Branch | Patched Version |
|---|---|
| Mainline/LTS | 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.126.0.54 |
| Current/Edge | 11.130.0.19, 11.132.0.29, 11.134.0.20, 11.136.0.5 |
| WP Squared | 136.1.7 |
The “Force Update” Command:
Run the following as root to bypass any pinned version restrictions and pull the emergency fix:

```
# /scripts/upcp --force
```
Emergency Mitigations (If You Can’t Patch)
If an immediate update is not possible—particularly on legacy or unsupported versions—you must implement these defenses now:
- Firewall Lockdown: Block inbound traffic to ports 2083 (cPanel), 2087 (WHM), 2095, and 2096 except for trusted administrator IP addresses.
- Service Suspension: Stop the `cpsrvd` and `cpdavd` services entirely to close the attack surface.
- Audit for Backdoors: If you were running an unpatched version in the last 48 hours, audit your `/var/cpanel/sessions/` directory and check for unauthorized root-level accounts.
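As an added defender-side example (not from the article, and not cPanel's own tooling), the following POSIX shell script turns the patch table and the mitigation list above into checks an administrator can run: a branch-aware test of whether a version string is at or above the patched build, a triage listing of session files that carry a root principal or raw carriage-return bytes, and a dry-run printer for the firewall lockdown. It assumes that `/usr/local/cpanel/version` holds the running version string, that session files under `/var/cpanel/sessions/` are plain text with `key=value` properties (inferred from the article's `user=root` description), and that the host firewall is iptables; the function names and the trusted range `203.0.113.0/24` are constructed placeholders.

```sh
#!/bin/sh
# Added defender-side example, not from the article and not cPanel's own tooling.
# Assumptions: the patched build list below is copied from the article's table;
# /usr/local/cpanel/version holds the running version string; session files are
# plain text with key=value properties; the host firewall is iptables.

# Patched builds from the article's table. WP Squared uses a three-part version.
PATCHED_BUILDS="11.86.0.41 11.110.0.97 11.118.0.63 11.126.0.54 \
11.130.0.19 11.132.0.29 11.134.0.20 11.136.0.5 136.1.7"

# is_patched VERSION: returns 0 when VERSION is in a listed branch and its build
# number is at or above the patched build for that branch. A branch that is not
# listed at all (e.g. an unsupported legacy release) returns 1: no fix shipped
# for it, so only the mitigations apply.
is_patched() {
  ver="$1"
  branch="${ver%.*}"   # everything before the last dot, e.g. 11.110.0
  build="${ver##*.}"   # the last component, e.g. 97
  case "$build" in
    ''|*[!0-9]*) return 1 ;;   # malformed or empty version string
  esac
  for p in $PATCHED_BUILDS; do
    if [ "${p%.*}" = "$branch" ] && [ "$build" -ge "${p##*.}" ]; then
      return 0
    fi
  done
  return 1
}

# running_version: prints the contents of the (assumed) version file, or
# nothing when this is not a cPanel host.
running_version() {
  cat /usr/local/cpanel/version 2>/dev/null
}

# audit_root_sessions [DIR]: lists session files that carry a root principal.
# Every listed file needs a human decision: a root WHM login you made yourself
# is expected, anything else is a candidate forged session. Exit status is 0
# whether or not anything matched; non-zero only if DIR could not be read.
audit_root_sessions() {
  dir="${1:-/var/cpanel/sessions}"
  grep -rl -- 'user=root' "$dir" 2>/dev/null || [ $? -eq 1 ]
}

# audit_crlf_artifacts [DIR]: lists session files containing a raw carriage
# return. The attack writes its properties through injected \r\n, so stray CR
# bytes are a heuristic indicator (assumption: files written by a normal login
# do not contain CR).
audit_crlf_artifacts() {
  dir="${1:-/var/cpanel/sessions}"
  grep -rl -- "$(printf '\r')" "$dir" 2>/dev/null || [ $? -eq 1 ]
}

# lockdown_rules TRUSTED_CIDR: prints (does not apply) iptables commands that
# restrict the cPanel/WHM/webmail ports named in the article to one trusted
# source range. Each -I prepends to INPUT, so apply them in the printed order:
# the ACCEPT printed last ends up evaluated first.
lockdown_rules() {
  ports="2083,2087,2095,2096"
  printf 'iptables -I INPUT 1 -p tcp -m multiport --dports %s -j DROP\n' "$ports"
  printf 'iptables -I INPUT 1 -p tcp -m multiport --dports %s -s %s -j ACCEPT\n' \
    "$ports" "$1"
}

# Stand-alone use on a cPanel host; harmless elsewhere (no version file found).
main() {
  v="$(running_version)"
  if [ -z "$v" ]; then
    echo "no cPanel version file found; skipping version check"
  elif is_patched "$v"; then
    echo "running $v: patched build"
  else
    echo "running $v: NOT a patched build, run /scripts/upcp --force"
  fi
  echo "sessions with user=root:";        audit_root_sessions
  echo "sessions containing CR bytes:";   audit_crlf_artifacts
  echo "lockdown rules for 203.0.113.0/24 (placeholder range):"
  lockdown_rules 203.0.113.0/24
  return 0
}

main "$@"
```

`is_patched` deliberately reports a version from a branch absent from the table as unpatched rather than guessing, which matches the article's point that legacy and unsupported installs have no fix and must rely on the firewall lockdown and service suspension. The two audit functions only produce a triage list; the decision about which root sessions are legitimate remains with the administrator.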
Conclusion: The Management Plane is Vulnerable
CVE-2026-41940 is a “management-plane” disaster. When the tool used to secure the server is itself compromised, the entire ecosystem is at risk. Because this flaw allows for unauthenticated root access, any server currently visible to the public internet should be treated as a potential target.