Critical Authentication Bypass Vulnerability Reported in cPanel and WHM

Critical Zero-Day in cPanel and WHM Poses Severe Threat to Web Servers

A critical security vulnerability has been disclosed in cPanel and WebHost Manager (WHM), two widely used Linux-based control panel applications for managing web servers, email, and databases. The flaw, designated as CVE-2026-41940 with a CVSS score of 9.8, allows attackers to bypass authentication and gain administrative control over affected servers.

The vulnerability carries a CVSS score of 9.8, placing it among the most severe security flaws in recent memory.

Vulnerability Details

The vulnerability is described as a carriage return line feed (CRLF) injection. According to security researchers, an attacker can bypass authentication by first completing a failed login, then sending a crafted request to escalate privileges to root level, circumventing normal encryption checks. This potentially grants unrestricted access to the administration panel and the data managed by the software.

The flaw affects all supported versions of cPanel and WHM prior to the release of security patches. It also impacts WP Squared, a WordPress hosting platform owned by cPanel.

Timeline of Events

Reports indicate that exploitation attempts were detected as early as February 23. According to KnownHost CEO Daniel Pearson, approximately 30 out of thousands of servers operated by the company showed signs of unauthorized access, though no active compromise was confirmed.

Early signals suggest the vulnerability may have been exploited as a zero-day for at least 30 days.

Canada's national cybersecurity agency has stated that exploitation is highly probable and has urged immediate patching.

Industry Response

cPanel has released emergency security patches for the affected software. The company has also provided a detection script to help users identify signs of exploitation.

Two major web hosting providers, Namecheap and HostGator, temporarily blocked access to customer panels to prevent exploitation while applying the necessary patches.

Security firm watchTowr has published a detection artifact generator and a technical analysis of the exploit chain.

Recommended Actions

Users and hosting providers running cPanel and WHM are advised to:

  • Apply the security patches immediately
  • Run the detection script provided by cPanel to assess potential compromise
  • Monitor server logs for any signs of unauthorized access dating back to mid-February

Immediate patching is critical, as exploitation attempts have already been detected in the wild.
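
For the log-monitoring step above, a generic triage pass is sketched here as an added example; it is not from the article, cPanel, or watchTowr. It flags request lines carrying an encoded CR or LF on or after a cutoff date and notes whether the same host had an earlier failed login. The combined-log layout, the timestamp format, the 401 status for failed logins, the year in the cutoff, and the sample lines are all assumptions, and the pattern is a heuristic for the CRLF injection class rather than a confirmed indicator for this CVE.

```python
import re
from datetime import datetime, timezone

# Assumed combined-log layout: host ident user [timestamp] "request" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')
# CR/LF percent-encoded (including double-encoded) or logged as \x0d / \x0a
CRLF_RE = re.compile(r'%(?:25)*0[ad]|\\x0[ad]', re.IGNORECASE)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"  # assumption: adjust to the server's log format


def flag_crlf_requests(lines, since, failed_status=401):
    """Flag requests at or after `since` whose request line carries an encoded
    CR or LF. Lines are assumed to be in chronological order. Each hit records
    whether the same host had an earlier failed login in the window (assumed
    to be logged with `failed_status`)."""
    failed_hosts, hits = set(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # line is not in the assumed layout
        host, raw_ts, request, status = m.groups()
        ts = datetime.strptime(raw_ts, TS_FORMAT)
        if ts < since:
            continue
        if CRLF_RE.search(request):
            hits.append({"time": ts, "host": host, "status": int(status),
                         "request": request,
                         "after_failed_login": host in failed_hosts})
        if int(status) == failed_status:
            failed_hosts.add(host)
    return hits


# Constructed sample lines (documentation IP ranges, generic paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Feb/2026:08:00:01 +0000] "GET /a?u=a%0d%0ab HTTP/1.1" 401 512',
    '198.51.100.7 - - [23/Feb/2026:09:14:02 +0000] "POST /login/ HTTP/1.1" 401 512',
    '198.51.100.7 - - [23/Feb/2026:09:14:03 +0000] "GET /a?v=1%0D%0Ak=v HTTP/1.1" 200 2048',
    '203.0.113.9 - - [24/Feb/2026:11:00:00 +0000] "GET /a?v=%250a HTTP/1.1" 200 100',
    '203.0.113.9 - - [24/Feb/2026:11:05:00 +0000] "GET /index.html HTTP/1.1" 200 100',
]
# "Mid-February" per the article; the year is an assumption.
CUTOFF = datetime(2026, 2, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for hit in flag_crlf_requests(SAMPLE_LOG, CUTOFF):
        print(hit["time"].isoformat(), hit["host"], hit["status"],
              hit["after_failed_login"], hit["request"])
```

Hits from this pass are leads for manual review; the detection script provided by cPanel remains the reference check for this vulnerability.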