CISA warns critical cPanel and WHM flaw is now exploited in attacks


CISA has added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog, warning that attackers are actively exploiting a critical cPanel and WHM authentication bypass flaw.

The bug affects WebPros cPanel & WHM and WP Squared. It can let a remote attacker bypass login checks and gain unauthorized access to administrative control panels without valid credentials.

This is an urgent issue for hosting providers, managed service providers, agencies, and businesses that run their own cPanel servers. If a server remains unpatched, attackers may gain control over hosted websites, databases, email accounts, and server settings.

What happened

CISA added the vulnerability to the KEV catalog on April 30, 2026. The agency set May 3, 2026, as the remediation deadline for U.S. federal civilian agencies.

Because that date has passed, exposed servers that still run vulnerable builds should move into emergency patching and incident review. Public reporting now links the flaw to active exploitation, ransomware activity, and malware deployment.

WebPros published security updates for affected cPanel & WHM branches and WP Squared. cPanel also updated its guidance several times after the initial advisory, including changes to patched version details and the detection script.

At a glance

Item                   Details
CVE ID                 CVE-2026-41940
Affected products      cPanel & WHM (including DNSOnly) and WP Squared
Vulnerability type     Missing authentication for a critical function
Weakness               CWE-306
Severity               Critical, CVSS 9.8
CISA KEV date          April 30, 2026
CISA deadline          May 3, 2026

Why CVE-2026-41940 is dangerous

The flaw sits in the login flow of cPanel and WHM. Security researchers describe it as a pre-authentication bypass: the vulnerable code is reachable from the login endpoint itself, so an attacker needs no valid credentials and is never stopped by the normal login checks.

The issue involves how cPanel handles session loading and saving. Public technical analysis says the attack uses CRLF injection in the login and session process to manipulate session data.

For regular users, the technical details matter less than the outcome. A successful attack may give intruders administrative access to the hosting control panel, which can expose every website and account managed through that server.
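The session-record manipulation described above, shown as an added, generic illustration of the CRLF-injection class. This is not cPanel's session format or code: the line-oriented `key=value` store, the `successful` and `user` field names, and the attacker-controlled value are all constructed for the example. The vulnerable writer and its hardened counterpart sit side by side.

```python
from __future__ import annotations

# Added illustration of CRLF injection into a line-oriented session record.
# NOT cPanel's session format or code; field names are made up for the example.

LINE_BREAKS = ("\r", "\n")


def serialize_unsafe(fields: dict[str, str]) -> str:
    """Vulnerable: writes key=value lines without inspecting the values.

    A value containing a line break lets whoever supplied it (an attacker,
    when the value is a submitted username) append extra records.
    """
    return "".join(f"{key}={value}\n" for key, value in fields.items())


def serialize_safe(fields: dict[str, str]) -> str:
    """Hardened: refuses keys or values carrying CR/LF, and '=' in a key,
    so one field can never span or create additional lines."""
    for key, value in fields.items():
        if any(c in key for c in LINE_BREAKS) or "=" in key:
            raise ValueError(f"invalid session key: {key!r}")
        if any(c in value for c in LINE_BREAKS):
            raise ValueError(f"line break in session value for {key!r}")
    return serialize_unsafe(fields)


def parse_session(text: str) -> dict[str, str]:
    """Reads a record back. As in many simple stores, a repeated key is
    resolved to its last occurrence, which is what the injection relies on."""
    session: dict[str, str] = {}
    for line in text.splitlines():          # splits on \n, \r\n and \r alike
        if not line.strip():
            continue
        key, sep, value = line.partition("=")
        if sep:
            session[key] = value
    return session


# Constructed attacker input: a "username" that smuggles two extra records.
INJECTED_USERNAME = "alice\r\nsuccessful=1\r\nuser=root"


def demo_unsafe() -> dict[str, str]:
    """What the server reads back after the vulnerable writer stored a
    failed login (successful=0) for the crafted username."""
    record = serialize_unsafe({"successful": "0", "user": INJECTED_USERNAME})
    return parse_session(record)


def demo_safe() -> bool:
    """True when the hardened writer rejects the same input."""
    try:
        serialize_safe({"successful": "0", "user": INJECTED_USERNAME})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe writer, parsed back:", demo_unsafe())
    print("safe writer rejects input:", demo_safe())
```

The point of the pairing is that the parser is not where the fix belongs: any later reader of the file will honour the smuggled lines, so the writer has to refuse control characters (or encode values) before the record ever reaches disk.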

Who is affected

cPanel says the authentication bypass affects all cPanel software versions after 11.40, including DNSOnly. The vendor has released patched builds across several supported branches.

WP Squared is also affected, and WebPros lists version 136.1.7 and later as patched. Server owners should not rely on automatic updates alone, especially when updates have been disabled or a server has been pinned to a specific version.

Hosting customers who do not manage their own servers should contact their provider and ask for patch confirmation. This matters because many website owners use cPanel every day without directly managing the underlying WHM server.

Patched versions

Product branch           Patched version
cPanel & WHM 11.86       11.86.0.41 or later
cPanel & WHM 11.110      11.110.0.97 or later
cPanel & WHM 11.118      11.118.0.63 or later
cPanel & WHM 11.124      11.124.0.35 or later
cPanel & WHM 11.126      11.126.0.54 or later
cPanel & WHM 11.130      11.130.0.19 or later
cPanel & WHM 11.132      11.132.0.29 or later
cPanel & WHM 11.134      11.134.0.20 or later
cPanel & WHM 11.136      11.136.0.5 or later
WP Squared               136.1.7 or later

Attacks have expanded beyond simple probing

Early warnings focused on the authentication bypass itself. Since then, reports have described wider exploitation against internet-facing cPanel systems.

Some attacks reportedly deployed a Linux ransomware strain known as Sorry. In those incidents, attackers encrypted website files and added the .sorry extension to affected data.

Other reporting points to Mirai-related activity, with compromised servers used for malware deployment, persistence, scanning, and attacks against other systems. This turns a vulnerable hosting panel into a risk for every site on the same server.

What administrators should do now

  • Run the forced cPanel update process if the server has not reached a patched build.
  • Verify the installed cPanel version after updating.
  • Restart the cPanel service after the update completes.
  • Check whether automatic updates were disabled or pinned to an older build.
  • Run the latest cPanel detection script, especially if an earlier version of the script was used.
  • Review session files, access logs, SSH keys, cron jobs, and unexpected WHM accounts.
  • Rotate credentials if compromise looks possible.
  • Restore from clean backups if signs of compromise appear.
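The version and update-policy checks from this list, as an added example script that is not cPanel's own tooling. It carries the patched-build table from this article, assumes the installed build is recorded in `/usr/local/cpanel/version` and the update policy in `/etc/cpupdate.conf` (conventional paths; the `UPDATES=` and `CPANEL=` handling is an assumption about that file's format), and leaves the forced update itself (normally `/scripts/upcp --force`) and the service restart to the operator.

```python
from __future__ import annotations

import re
from pathlib import Path

# Added example, not cPanel's tooling. Patched builds per branch are copied
# from the table in this article; the key is the branch (second component).
PATCHED: dict[int, tuple[int, int, int, int]] = {
    86: (11, 86, 0, 41),
    110: (11, 110, 0, 97),
    118: (11, 118, 0, 63),
    124: (11, 124, 0, 35),
    126: (11, 126, 0, 54),
    130: (11, 130, 0, 19),
    132: (11, 132, 0, 29),
    134: (11, 134, 0, 20),
    136: (11, 136, 0, 5),
}

# Assumed locations; conventional on cPanel servers, verify on yours.
VERSION_FILE = Path("/usr/local/cpanel/version")
CPUPDATE_CONF = Path("/etc/cpupdate.conf")

_VERSION_RE = re.compile(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turns '11.110.0.97' (with optional surrounding whitespace) into a tuple
    that compares numerically, unlike a string compare of '11.9' vs '11.110'."""
    m = _VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised cPanel version string: {text!r}")
    a, b, c, d = (int(x) for x in m.groups())
    return a, b, c, d


def assess(version_text: str) -> str:
    """'patched', 'vulnerable', or 'unlisted-branch' (no fixed build in the
    table for this branch: treat as vulnerable and plan a migration)."""
    installed = parse_version(version_text)
    fixed = PATCHED.get(installed[1]) if installed[0] == 11 else None
    if fixed is None:
        return "unlisted-branch"
    return "patched" if installed >= fixed else "vulnerable"


def update_policy(conf_text: str) -> dict[str, str | bool]:
    """Reads UPDATES= and CPANEL= from cpupdate.conf-style text.

    Assumed format: KEY=value, one per line, '#' comments. 'UPDATES=daily'
    is the automatic setting; 'manual' or 'never' means the server will not
    pick up a fixed build on its own. A CPANEL value that looks like a
    version number is treated as a pin (assumption about the format).
    """
    settings: dict[str, str] = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().upper()] = value.strip()
    updates = settings.get("UPDATES", "daily").lower()
    tier = settings.get("CPANEL", "release")
    return {
        "updates": updates,
        "auto_updates_disabled": updates != "daily",
        "tier": tier,
        "pinned": bool(re.fullmatch(r"\d+(\.\d+)*", tier)),
    }


if __name__ == "__main__":
    version = VERSION_FILE.read_text()
    print(version.strip(), "->", assess(version))
    if CPUPDATE_CONF.exists():
        print(update_policy(CPUPDATE_CONF.read_text()))
```

Run it as root before and after the forced update; a result of "unlisted-branch" on a production server is the migration case described further down, not a pass. A build that reports "patched" still needs the review steps above, since a server can have been compromised before the fix landed.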

Temporary mitigation is not a replacement for patching

cPanel lists temporary mitigation steps for environments that cannot update immediately. These include blocking inbound traffic to the cPanel and WHM service ports at the firewall (by default 2082 and 2083 for cPanel, 2086 and 2087 for WHM) or stopping the affected services outright.

Those options may reduce exposure, but they also affect normal hosting operations. They should only serve as emergency controls until the server can move to a supported patched version.

Unsupported systems create a bigger problem. If a server cannot receive the security update, the safer route is to migrate to a supported environment instead of leaving the control panel exposed.

Why hosting panels are high-value targets

cPanel and WHM sit close to the core of many hosting environments. WHM can manage server-level settings, while cPanel gives access to website files, email, databases, and account tools.

That makes the impact broader than a single website login. On shared hosting servers, one compromised control panel can create downstream risk for many domains and customers.

Attackers can use this kind of access to deface pages, steal data, plant backdoors, create new accounts, change DNS-related settings, deploy malware, or encrypt hosted files. Administrators should treat any suspected compromise as a full server incident.

FAQ

What is CVE-2026-41940?

CVE-2026-41940 is a critical authentication bypass vulnerability in WebPros cPanel & WHM and WP Squared. It can allow unauthenticated remote attackers to access administrative control panels.

Has CISA confirmed active exploitation?

Yes. CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog on April 30, 2026, which means the agency considers it exploited in the wild.

Is WP Squared affected?

Yes. WP Squared versions before 136.1.7 are affected. WebPros lists WP Squared 136.1.7 and later as patched.

Which cPanel versions are safe?

Safe versions depend on the branch. Patched cPanel & WHM builds include 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.124.0.35, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, and 11.136.0.5 or later.
