Hosting panels face root takeover wave

Cybersecurity teams are racing to contain attacks against cPanel and WHM servers after a critical authentication bypass flaw opened a path for unauthorised access to hosting control panels used across large parts of the web.

The vulnerability, tracked as CVE-2026-41940, affects cPanel & WHM versions after 11.40, including DNSOnly, as well as WP Squared versions up to 136.1.6. It carries a CVSS score of 9.8, placing it in the critical category because an attacker can exploit it remotely without credentials or user interaction. The flaw was publicly addressed by cPanel on 28 April 2026, with patched versions issued across supported release tiers and selected legacy branches.

The weakness sits in cPanel & WHM’s session management layer. One code path that wrote session files applied input sanitisation, while another path, invoked through Basic authentication, did not. That gap allowed crafted requests to cause an unauthenticated session to be treated as authenticated, granting access without valid login details. Security researchers have described the exploit chain as involving CRLF (carriage return line feed) injection, manipulation of session-file handling and promotion of attacker-controlled values into a privileged session.
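The sanitisation gap described above, modelled in a few lines of Python to show why one unsanitised write path is enough, and what the fix and a session-file check look like. This is an added illustration, not cPanel's code or session format: the key=value layout, the field names and the `authenticated` flag are constructed for the example.

```python
"""Toy model of a line-oriented session store with two write paths.

Constructed for illustration; the format and field names are not cPanel's.
"""
import re

_CRLF = re.compile(r"[\r\n]")


def serialize_unsafe(fields: dict) -> str:
    # Models the path that wrote session data without sanitising values:
    # a CR/LF inside a value terminates the line, so the remainder of the
    # value is stored as a brand-new key=value record.
    return "".join(f"{k}={v}\n" for k, v in fields.items())


def serialize_safe(fields: dict) -> str:
    # Models the sanitised path: refuse any key or value carrying CR or LF
    # before it can reach the line-oriented store.
    for k, v in fields.items():
        if _CRLF.search(str(k)) or _CRLF.search(str(v)):
            raise ValueError(f"control character in session field {k!r}")
    return serialize_unsafe(fields)


def safe_rejects(fields: dict) -> bool:
    # Convenience wrapper: True if the hardened writer refuses the input.
    try:
        serialize_safe(fields)
    except ValueError:
        return True
    return False


def parse(blob: str) -> dict:
    # Reader where the last occurrence of a key wins, as in many simple
    # record parsers. That precedence lets an injected trailing line
    # override the legitimate value written earlier in the file.
    out = {}
    for line in blob.splitlines():
        if "=" in line:
            k, _, v = line.partition("=")
            out[k] = v
    return out


def audit(blob: str) -> list:
    # Detection view over a stored session: a key that appears more than
    # once cannot have come from the sanitised writer, so flag it.
    keys = [ln.partition("=")[0] for ln in blob.splitlines() if "=" in ln]
    dup = sorted({k for k in keys if keys.count(k) > 1})
    return [f"duplicate keys: {dup}"] if dup else []


# Constructed input: a username that smuggles a second record after a LF.
INJECTED_USER = "guest\nauthenticated=1"
```

With the unsafe writer, `parse(serialize_unsafe({"authenticated": "0", "user": INJECTED_USER}))` reports the session as authenticated and `audit` flags the duplicated key; the safe writer rejects the same input.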

Successful exploitation is especially serious because WHM provides root-level administration over hosting servers. Control of WHM can expose hosted websites, databases, email accounts, configuration files, backups and user credentials. For shared hosting providers, compromise of one management server can affect multiple customer sites, magnifying the operational and reputational fallout.

cPanel said updates were made available within about 28 hours of confirming a verified and reproducible report. The company also said more than 98 per cent of servers worldwide were running an updated version of cPanel & WHM by 10 May 2026, while mitigation options remained available for customers unable to update immediately. Those measures include blocking selected cpsrvd service ports and applying ModSecurity rules, along with a detection script designed to scan session files for indicators linked to exploitation.

The vulnerability was added to the US Known Exploited Vulnerabilities catalogue on 30 April 2026, with a 3 May deadline for remediation across covered federal systems. The catalogue entry identifies the issue as missing authentication for a critical function in WebPros cPanel & WHM and WP2, and directs affected organisations to apply vendor mitigations or discontinue use where mitigations are unavailable.

Threat activity has broadened since disclosure. Qianxin XLab said its monitoring detected more than 2,000 attacker source IPs involved in automated attacks and cybercrime activity targeting the flaw, with traffic originating from several regions, including Germany, the United States, Brazil and the Netherlands. The activity observed around the bug includes cryptomining, ransomware, botnet propagation and backdoor deployment.

One cluster highlighted by researchers is Mr_Rot13, a group described as having operated for several years and linked to backdoor deployment through infrastructure overlaps and malicious payload analysis. XLab said its investigation found a Go-based infector associated with exploitation of CVE-2026-41940, along with Turkish-language log messages that appeared to be generated by artificial intelligence. Attribution remains a developing area, but the findings point to rapid weaponisation by financially motivated and opportunistic actors rather than a single campaign.

The timeline has raised concern because proof-of-concept material and technical analysis became available shortly after disclosure. Rapid7 noted that internet-exposed systems were vulnerable by default and that a broad query suggested around 1.5 million cPanel instances could be visible online, though exposure does not always mean a system remains unpatched or exploitable.

Administrators have been urged to move beyond version checks alone. Security teams are being advised to confirm that patched builds are installed, inspect session directories, review newly created accounts, rotate root and reseller credentials, audit SSH keys, examine sudoers changes, check for added ports and look for unexpected web shells or modified authentication settings. Reports from affected users have described ransomware-style outcomes, including file encryption and persistence mechanisms after initial control-panel compromise.
