One of the most severe hosting vulnerabilities in years is actively being exploited at scale. CVE-2026-41940 is a complete authentication bypass in cPanel & WHM — the control panel software running on tens of millions of shared and VPS hosting accounts worldwide. The vulnerability stems from CRLF injection in the login flow, which allows an attacker to bypass authentication entirely and gain full cPanel or WHM administrator access without providing any credentials.
Exploitation began at least two months before the patch was released on April 28, 2026. As of the latest reporting, 44,000+ IPs have been confirmed compromised, and 7,135 hosts show ransomware artifacts. Nation-state threat actors have been confirmed targeting government and military hosting environments. If your cPanel server was not patched before April 28, 2026, you must assume it was compromised and conduct incident response — not just apply the patch and move on.
CVE Reference
- CVE: CVE-2026-41940
- CVSS: CRITICAL
- Affected: All cPanel & WHM versions prior to the April 28, 2026 security release
- Patched: cPanel & WHM April 28, 2026 security update
- Active Exploitation: YES — exploitation confirmed 2+ months before patch; nation-state actors involved; 44,000+ compromised IPs; 7,135 hosts with ransomware artifacts
- Scope: 70M+ domains at risk across cPanel-managed hosting
How the Attack Works: CRLF Injection in the Login Flow
CRLF injection attacks exploit the fact that HTTP headers are delimited by carriage return + line feed character sequences (\r\n). When user-supplied input is included in an HTTP response or server-side header construction without proper sanitization, an attacker can inject \r\n sequences to add new HTTP headers — or in this case, manipulate the cPanel session or authentication token handling.
In CVE-2026-41940, the cPanel & WHM login flow constructs an internal authentication token or session identifier that incorporates user-supplied data without stripping CRLF sequences. By supplying a crafted login payload containing \r\n characters, an attacker can:
- Inject a fake "authenticated" session marker into the server-side token structure
- Bypass the credential validation step that would otherwise reject the login
- Receive a valid cPanel or WHM session as an authenticated administrator
The attack requires no prior credentials and leaves relatively few traces in standard cPanel access logs, which partly explains how exploitation continued undetected for two months.
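To make the bug class concrete, here is an added model (not cPanel's code; the record layout is a hypothetical stand-in, since the page does not give the real token format) of a session record that embeds a login field, shown in a vulnerable and a hardened form, plus the regression check a defender would keep in the test suite: a CR/LF canary in the username combined with a failed credential check must never come back as an authenticated record.

```python
import re
from urllib.parse import quote, unquote

# The record layout below is a hypothetical stand-in for "an internal token that
# embeds user-supplied data"; it is not cPanel's format, which this page does not give.
CONTROL = re.compile(r"[\x00-\x1f\x7f]")
EXPECTED_KEYS = {"user", "authenticated"}

def build_record_vulnerable(user: str, authenticated: bool) -> str:
    # Interpolates the client-controlled username without stripping CR/LF.
    return f"user: {user}\r\nauthenticated: {int(authenticated)}\r\n"

def build_record_hardened(user: str, authenticated: bool) -> str:
    # Reject control characters outright, then percent-encode so the stored value
    # can never be read as a record delimiter by any downstream parser.
    if CONTROL.search(user):
        raise ValueError("control character in login field")
    return f"user: {quote(user, safe='')}\r\nauthenticated: {int(authenticated)}\r\n"

def parse_record_lenient(record: str) -> dict:
    # Typical line-oriented parser: first occurrence of a key wins, unknown keys tolerated.
    fields = {}
    for line in filter(None, record.split("\r\n")):
        key, _, value = line.partition(": ")
        fields.setdefault(key, value)
    return fields

def parse_record_strict(record: str) -> dict:
    # Hardened parser: only the expected keys, each exactly once, otherwise reject.
    fields = {}
    for line in filter(None, record.split("\r\n")):
        key, sep, value = line.partition(": ")
        if not sep or key not in EXPECTED_KEYS or key in fields:
            raise ValueError(f"malformed record line: {line!r}")
        fields[key] = unquote(value) if key == "user" else value
    return fields

def pipeline_resists_crlf(builder, parser) -> bool:
    # Regression check for a build/parse pair: a CR/LF canary in the username with a
    # FAILED credential check must never come back as an authenticated record.
    canary = "alice\r\nauthenticated: 1"
    try:
        fields = parser(builder(canary, False))
    except ValueError:
        return True  # rejected before any authorization state could be derived
    return fields.get("authenticated") != "1"
```

Only the vulnerable builder paired with the lenient parser fails the check; fixing either side (input validation before interpolation, or a parser that refuses duplicate or unexpected keys) closes it, and a real fix does both.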
What Attackers Did With Access
Based on forensic evidence from compromised hosts, attackers used authenticated cPanel/WHM access to:
- Deploy web shells in publicly accessible directories (public_html/, WordPress uploads/ directories) for persistent access
- Harvest FTP, database, and email credentials from cPanel's stored configuration files
- Exfiltrate databases via cPanel's phpMyAdmin access or direct MySQL connection using stolen credentials
- Install ransomware — 7,135 hosts show ransomware artifacts, indicating file encryption and ransom note deployment
- Create rogue cPanel accounts and email forwarders for persistent access and email credential abuse
- Modify DNS records to redirect traffic to attacker-controlled infrastructure
Nation-state targeting of government and military environments added an espionage dimension — on compromised government hosting, the pattern shifted toward data exfiltration over ransomware deployment.
Step 1: Verify Your cPanel Version Is Patched
Log into WHM and check the current version in the top-right corner, or run from the server:
cat /usr/local/cpanel/version
The patched release was issued April 28, 2026. Any version number indicating it was released before that date is vulnerable. To update cPanel/WHM:
/scripts/upcp --force
This forces an immediate update to the latest stable release. Allow 10–30 minutes for the update to complete.
Step 2: If You Were Unpatched Before April 28, 2026 — Treat It as a Breach
Applying the patch does not undo any access that occurred before it. If your server ran a vulnerable cPanel version at any point between the exploitation start (approximately late February 2026) and April 28, 2026, you need full incident response:
Immediate Actions
- Take the server offline or isolate it from the internet if ransomware or active attack behavior is suspected
- Preserve forensic evidence before making changes — copy access logs, cPanel audit logs, and the filesystem state to a separate storage location
- Engage your hosting provider's abuse/security team — many providers have IR resources for cPanel compromises
- Contact a professional incident response firm if government, financial, or healthcare data may have been exfiltrated
Account Audit
# List all cPanel accounts (whmapi1 output is YAML; the "user:" field names each account):
whmapi1 listaccts | grep -E '^\s*user:'
# Check for recently created accounts (newest first):
ls -lt /var/cpanel/users/ | head -20
# Review the cPanel/WHM access log for non-200/304 responses to cPanel or WHM paths during the
# exploitation window. The date pattern matches both YYYY-MM-DD and MM/DD/YYYY timestamps, and the
# -v pattern is anchored on the status field so lines whose IP or byte count contains "200" are kept:
grep -E '2026-0[234]|0[234]/[0-9]{2}/2026' /usr/local/cpanel/logs/access_log | grep -iE 'whostmgr|cpanel' | grep -vE ' (200|304) '
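Because the grep pipeline above is coarse, here is an added triage script (not part of the original page or of cPanel) that parses access_log lines within the exploitation window and flags the two things a responder most wants surfaced: CR/LF sequences (raw, percent-encoded, or double-encoded) in requests to the login endpoint, and successful session-bearing or WHM requests from addresses outside your management IP list. The line layout is assumed from the common cPanel access_log shape and the sample lines are constructed, so check the regex against your own log first.

```python
import re
from datetime import date, datetime
from urllib.parse import unquote

# Assumed line layout, based on the common cPanel access_log shape; verify against your own
# /usr/local/cpanel/logs/access_log before trusting the regex:
# ip - user [MM/DD/YYYY:HH:MM:SS -0000] "METHOD path HTTP/1.1" status bytes "referer" "agent"
LINE = re.compile(r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
WINDOW = (date(2026, 2, 15), date(2026, 4, 28))      # approx. exploitation start .. patch day
CRLF = re.compile(r"[\r\n]|%0[ad]", re.IGNORECASE)   # raw CR/LF, or still encoded after one decode

# Constructed sample lines (not real traffic); 203.0.113.x, 198.51.100.x and 192.0.2.x are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [03/14/2026:02:11:07 -0000] "POST /login/?login_only=1 HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.10 - root [03/14/2026:02:11:09 -0000] "GET /cpsess0123456789/scripts2/listaccts HTTP/1.1" 200 9811 "-" "curl/8.0"
198.51.100.7 - root [03/20/2026:09:00:00 -0000] "GET /cpsess9876543210/scripts/command HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
203.0.113.22 - - [03/02/2026:13:00:00 -0000] "POST /login/?login_only=1&user=alice%0D%0Ainjected HTTP/1.1" 200 300 "-" "python-requests"
192.0.2.5 - - [01/10/2026:10:00:00 -0000] "POST /login/?user=x%0d%0a HTTP/1.1" 403 0 "-" "curl/8.0"
"""

def parse_line(line: str):
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%m/%d/%Y:%H:%M:%S %z")
    return rec

def triage(lines, management_ips):
    """Return (reason, line) pairs from the exploitation window that deserve a human look."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not (WINDOW[0] <= rec["when"].date() <= WINDOW[1]):
            continue
        path = rec["path"]
        # Rule 1: CR/LF (raw, encoded or double-encoded) inside a request to the login endpoint.
        if "login" in path.lower() and CRLF.search(unquote(path)):
            findings.append(("crlf-in-login-request", line))
        # Rule 2: a successful request carrying a session token (/cpsess...) or hitting WHM
        # from an address that is not one of your known management IPs.
        elif rec["status"] == "200" and (path.startswith("/cpsess") or "whostmgr" in path) \
                and rec["ip"] not in management_ips:
            findings.append(("session-use-from-unknown-ip", line))
    return findings

def run_sample():
    return triage(SAMPLE_LOG.splitlines(), management_ips={"198.51.100.7"})
```

Against a real log, feed `open("/usr/local/cpanel/logs/access_log")` to `triage()` with your management IPs; the January line in the sample shows that events outside the window are deliberately ignored, so widen WINDOW if your own timeline differs.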
Web Shell Detection
# Reference timestamp for "modified since the exploitation window opened" (approximately late February 2026):
touch -d "2026-02-15" /tmp/reference_date
# Look for PHP files in WordPress upload directories across all accounts (there should be none):
find /home/*/public_html/wp-content/uploads -name "*.php" 2>/dev/null
# PHP files anywhere under public_html created or modified since the reference date:
find /home/*/public_html -name "*.php" -newer /tmp/reference_date 2>/dev/null
# Scan PHP files for common web shell signatures (eval(base64_decode, system($_..., passthru), listing matching files only:
grep -rlE --include='*.php' 'eval\(base64_decode|system\(\$_|passthru\(' /home/*/public_html/ 2>/dev/null
Rotate All Credentials
Even if no breach evidence is found, rotate everything as a precaution:
- All cPanel account passwords
- WHM root password
- All database passwords (update wp-config.php and application configs afterward)
- All FTP account passwords
- All email account passwords
- Any API keys stored in cPanel's configuration
Step 3: Harden cPanel Against Future Attacks
- Restrict cPanel/WHM port access by IP: In WHM → Host Access Control, whitelist only your known management IPs for port 2082 (cPanel), 2083 (cPanel SSL), 2086 (WHM), and 2087 (WHM SSL)
- Enable cPanel's two-factor authentication: WHM → Security Center → Two-Factor Authentication
- Enable cPHulk brute force protection: WHM → Security Center → cPHulk Brute Force Protection
- Keep cPanel on automatic updates: WHM → Update Preferences → set to automatic for STABLE releases
- Monitor cPanel audit logs regularly: /usr/local/cpanel/logs/access_log and /var/log/cpanel-install.log
For Shared Hosting Customers (Not Server Owners)
If you're on shared hosting and don't control the server — contact your hosting provider and ask:
- Whether their cPanel servers are patched to the April 28, 2026 release
- Whether they conducted any investigation for compromise during the pre-patch window
- Whether any of your account's credentials, files, or database contents were exposed
If your host is unresponsive or cannot confirm patching, seriously consider migrating to a host that is more responsive to critical security advisories.