GBHackers

Attackers Exploit cPanel Authentication Bypass 0-Day After PoC Release


A critical zero-day vulnerability, tracked as CVE-2026-41940, is currently being actively exploited across the web hosting industry.

This CVSS 9.8 flaw allows unauthenticated remote attackers to bypass cPanel and WHM login mechanisms, granting them full administrative control over servers.

The vulnerability stems from a Carriage Return Line Feed (CRLF) injection flaw within the application’s session loading and saving process.

Attackers exploit this by injecting a malicious security token into a pre-authenticated session, completely bypassing standard password validation checks. Because this exploit requires no user interaction, threat actors can easily automate attacks against internet-facing management panels.

PoC and Active Exploitation

Exploitation accelerated after security firm watchTowr Labs published a Proof-of-Concept (PoC) exploit script that achieves Remote Code Execution.

The PoC mints a pre-authentication session and manipulates the do_token_denied function to extract root access tokens. Due to widespread automated exploitation, many global hosting providers have been forced to block control panel ports to protect customer data.

When attackers successfully exploit this vulnerability, they can manipulate server configurations, databases, and hosted email accounts. This level of access allows them to deploy ransomware, exfiltrate sensitive customer data, or use the compromised infrastructure for downstream attacks.

Given the severity of the flaw, servers running outdated or unsupported cPanel versions also remain exposed to complete system takeover.

Patched Versions

The vulnerability impacts all currently supported builds of cPanel, WHM, and WP Squared. Administrators must prioritize updating their infrastructure to the following secure releases:

| Software Branch    | Vulnerable Status | Patched Release |
|--------------------|-------------------|-----------------|
| cPanel & WHM 110   | Vulnerable        | 11.110.0.97     |
| cPanel & WHM 118   | Vulnerable        | 11.118.0.63     |
| cPanel & WHM 126   | Vulnerable        | 11.126.0.54     |
| cPanel & WHM 132   | Vulnerable        | 11.132.0.29     |
| cPanel & WHM 134   | Vulnerable        | 11.134.0.20     |
| WP Squared 136     | Vulnerable        | 136.1.7         |

Threat hunters should investigate their session logs for signs of multi-line password values or unexpected token_denied entries.

Furthermore, any pre-authentication session containing a successful_external_auth_with_timestamp attribute is a critical indicator of unauthorized session elevation.

Organizations that discover these artifacts must immediately purge all active sessions, force root password resets, and audit their systems for potential persistence mechanisms, such as backdoors.

Administrators should immediately run the cPanel update script and restart the cpsrvd service to apply the permanent fix. If patching is delayed, organizations must configure firewalls to block inbound traffic on TCP ports 2083, 2087, 2095, and 2096 to prevent unauthorized access.

Security teams can also utilize cPanel’s official detection script to scan the /var/cpanel/sessions directory for compromise indicators, such as attacker-injected cp_security_token values.
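A small scanner for the indicators listed above, added here as an example; it is not cPanel's official detection script. It assumes session files are key=value lines with a constructed preauth=1 marker, and a constructed login-log format in which the request parameters are the last field.

```python
import re
from urllib.parse import unquote

# Indicators named in the advisory. The key=value session layout, the
# "preauth=1" marker and the log-line shape are assumptions for this example.
ELEVATION_KEYS = {"successful_external_auth_with_timestamp", "cp_security_token"}

def parse_session(text):
    session = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            session[key.strip()] = value.strip()
    return session

def scan_session(name, text):
    """Flag elevation indicators inside a session that is still pre-auth."""
    session = parse_session(text)
    if session.get("preauth") != "1":
        return []  # an authenticated session is allowed to carry a token
    return [f"{name}: pre-auth session carries {key}"
            for key in sorted(ELEVATION_KEYS & session.keys())]

def scan_login_log(lines):
    """Flag login records whose password value contains CR/LF, raw or
    URL-encoded (%0d/%0a): the shape of a multi-line password injection."""
    findings = []
    for line in lines:
        match = re.search(r"pass=([^&]*)", line)
        if match and re.search(r"[\r\n]", unquote(match.group(1))):
            findings.append(f"{line.split()[0]}: multi-line password value")
    return findings

# Constructed sample data (not real cPanel session files or logs).
SAMPLE_SESSIONS = {
    "sess_benign": "user=alice\npreauth=1\n",
    "sess_suspect": ("user=root\npreauth=1\ncp_security_token=EXAMPLE_TOKEN\n"
                     "successful_external_auth_with_timestamp=1700000000\n"),
    "sess_logged_in": "user=alice\npreauth=0\ncp_security_token=EXAMPLE_TOKEN\n",
}
SAMPLE_LOG = [
    "203.0.113.5 POST /login/ user=alice&pass=correct-horse-battery",
    "198.51.100.7 POST /login/ user=root&pass=x%0d%0ainjected_key%3d1",
]

def run_scan(sessions=SAMPLE_SESSIONS, log_lines=SAMPLE_LOG):
    findings = []
    for name, text in sessions.items():
        findings += scan_session(name, text)
    return findings + scan_login_log(log_lines)
```

On a real host, point run_scan at the contents of /var/cpanel/sessions and the cpsrvd login log instead of the constructed samples.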
