What's Happening?
A critical authentication bypass vulnerability, tracked as CVE-2026-41940, has been discovered in cPanel, WHM, and WP Squared and has been under active exploitation since late February. KnownHost, a hosting provider, reported seeing exploitation attempts as early as February 23, 2026. The flaw is a Carriage Return Line Feed (CRLF) injection in the login and session-loading code paths: user-supplied input is written into server-side session files without sanitization, so line terminators embedded in that input can alter the session data the server later reads back, which is what lets an attacker bypass authentication. cPanel released a fix on April 28, 2026, after pressure from hosting providers. Namecheap temporarily blocked connections to cPanel and WHM ports to protect its customers.
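To make the bug class concrete, here is an added illustration that is not cPanel's code and does not reproduce the specific CVE-2026-41940 code path. It models a toy line-oriented session store ("key=value" per line) whose writer copies a client-supplied username verbatim, beside a hardened writer that rejects control characters before they reach the file. The file format, field names, and attacker string are constructed for the example.

```python
import re

# Constructed attacker-controlled username, the only field the client supplies.
# It carries CR LF sequences followed by session fields of the attacker's choosing.
ATTACKER_USER = "guest\r\nuser=root\r\nauthenticated=1"


def write_session_naive(fields: dict) -> str:
    """Vulnerable writer (assumed format): values go into the file verbatim,
    line breaks included, one "key=value" pair per newline-terminated line."""
    return "".join(f"{key}={value}\n" for key, value in fields.items())


def parse_session(blob: str) -> dict:
    """Line-oriented loader: splits on any line terminator, last key wins."""
    session = {}
    for line in blob.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            session[key] = value
    return session


# Any ASCII control character (CR, LF, NUL, ...) or DEL is rejected outright.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def write_session_safe(fields: dict) -> str:
    """Hardened writer: refuse keys or values that could break the line format."""
    for key, value in fields.items():
        if _CONTROL_CHARS.search(key) or _CONTROL_CHARS.search(value) or "=" in key:
            raise ValueError(
                f"session field {key!r} contains characters that could alter the file structure"
            )
    return "".join(f"{key}={value}\n" for key, value in fields.items())


def session_after_naive_write() -> dict:
    """What the loader sees after the naive writer stores the attacker's login.
    The server wrote authenticated=0, but the injected lines come later in the
    file and override both the user and the authenticated flag."""
    stored = write_session_naive({"authenticated": "0", "user": ATTACKER_USER})
    return parse_session(stored)


def safe_writer_rejects_attack() -> bool:
    """True if the hardened writer refuses the same input."""
    try:
        write_session_safe({"authenticated": "0", "user": ATTACKER_USER})
    except ValueError:
        return True
    return False


def safe_writer_round_trips() -> bool:
    """Legitimate fields still survive the hardened writer unchanged."""
    fields = {"authenticated": "1", "user": "alice"}
    return parse_session(write_session_safe(fields)) == fields


if __name__ == "__main__":
    print("naive writer -> loader sees:", session_after_naive_write())
    print("hardened writer rejects injection:", safe_writer_rejects_attack())
```

The rejection in `write_session_safe` is the minimum fix for a line-oriented store; a more robust design serialises session state with a format whose encoder escapes delimiters (for example JSON) and has the loader ignore any key it did not itself write, so a single missed filter cannot turn a username into an authentication flag.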
Why Is It Important?
Exploitation of this vulnerability poses a significant risk to hosts running cPanel, potentially granting attackers control over the server configuration, databases, and websites the panel manages. With approximately 1.5 million cPanel instances exposed online, the impact could be widespread, affecting the many businesses and individuals that rely on these services for web hosting. The vulnerability highlights the need for robust input handling in authentication code and for timely updates to prevent unauthorized access and data breaches.
What's Next?
cPanel has advised all customers to restart the 'cpsrvd' service after installing the latest software updates, so that the patched code is actually the code serving logins. Where immediate patching is not possible, customers are urged to block external access to the affected service ports (cPanel and WHM listen on 2082/2083 and 2086/2087 by default) or to stop the affected cPanel services. A detection script has been provided to check for signs of compromise; if indicators are found, the recommended response is to purge all existing sessions, reset credentials, and audit logs, since any session that was active before the fix may have been forged rather than legitimately authenticated. The situation underscores the importance of continuous monitoring and proactive security measures to guard against future vulnerabilities.