ITSecurityGuru

Pentest-Tools.com Releases Free Scanner for CVE-2026-41940 as cPanel Authentication Bypass Enters Its Third Week of Active Exploitation


Pentest-Tools.com has released a free, no-login scanner for CVE-2026-41940, the critical authentication bypass affecting cPanel & WHM and WP Squared that has been actively exploited in the wild since at least February 2026.

The vulnerability, rated CVSS 9.8 Critical and added to CISA’s Known Exploited Vulnerabilities catalog, allows an unauthenticated attacker to bypass cPanel’s login process entirely by exploiting a CRLF injection flaw in cpsrvd, the cPanel service daemon. By manipulating the whostmgrsession cookie, an attacker can inject authentication state flags into a session file before it is validated, granting full access without credentials, user interaction, or special privileges.

The scale of exposure is significant. Approximately 1.5 million cPanel and WHM interfaces are directly reachable from the internet, according to Shodan data from April 2026. Because a single cPanel server typically hosts dozens to hundreds of separate customer accounts, a successful exploit affects every account on that server, not just the primary account holder. Both the cPanel user interface (ports 2082/2083) and the WHM administrator interface (ports 2086/2087) are impacted, along with XML-API and UAPI endpoints that rely on session authentication.

What makes this vulnerability particularly notable is how long it went undetected. KnownHost CEO Daniel Pearson has confirmed that his company observed exploitation attempts as early as February 23, 2026, 64 days before any public advisory, patch, or CVE existed. Active ransomware and botnet campaigns have since been documented across compromised cPanel infrastructure.

A patch was released by cPanel & WHM on April 28, 2026, and Cloudflare deployed an emergency WAF rule on April 30 as a partial network-edge mitigation for infrastructure behind Cloudflare. WP Squared has also released an advisory. watchTowr Labs published a detailed technical analysis and proof-of-concept.

The Pentest-Tools.com scanner goes beyond version banner checking: it sends a crafted CRLF payload to the cPanel login endpoint and assesses exploitability based on the server’s actual response. The team notes that version checks alone are not sufficient to confirm whether a given instance is genuinely at risk.

“Patch first,” said the Pentest-Tools.com security team. “Check the version table and update to the first patched build for your branch. If you’re behind Cloudflare, verify the Managed Ruleset is enabled. Then lock down ports 2082, 2083, 2086, and 2087 to trusted IP ranges and watch your access logs for sessions that authenticate suspiciously fast. Version checks alone won’t tell you if you’re actually exploitable.”

For organisations that cannot patch immediately, the recommended interim steps are to restrict cPanel and WHM port access to trusted IP ranges, verify Cloudflare Managed Ruleset coverage if applicable, and monitor access logs for sessions with unusually short time-to-authenticate.
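The last interim step, watching access logs for sessions that authenticate unusually fast, can be turned into a simple check. The Python script below is an added example, not code from Pentest-Tools.com, cPanel or the article's author. It assumes an Apache combined-style access log layout and assumes that authenticated cPanel/WHM URLs carry a `/cpsess<digits>/` prefix; the log lines it runs on are constructed sample data. It flags any client whose first session-token request arrived within a short window of its first `/login` request, and also any client that reached a session URL without ever touching the login form at all.

```python
import re
from datetime import datetime

# Constructed sample log lines (not from any real server) in an
# Apache "combined"-style layout, which is the format assumed here.
# Real cpsrvd access logs may order fields differently; adjust LOG_RE if so.
SAMPLE_LOG = """\
203.0.113.10 - - [01/May/2026:10:00:00 +0000] "GET /login/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.10 - - [01/May/2026:10:00:09 +0000] "POST /login/ HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.10 - - [01/May/2026:10:00:10 +0000] "GET /cpsess1234567890/frontend/jupiter/index.html HTTP/1.1" 200 5678 "-" "Mozilla/5.0"
198.51.100.7 - - [01/May/2026:10:05:00 +0000] "GET /login/ HTTP/1.1" 200 1234 "-" "curl/8.0"
198.51.100.7 - - [01/May/2026:10:05:00 +0000] "GET /cpsess0987654321/scripts/command?PFILE=main HTTP/1.1" 200 4321 "-" "curl/8.0"
192.0.2.44 - - [01/May/2026:10:07:00 +0000] "GET /cpsess5555555555/frontend/jupiter/index.html HTTP/1.1" 200 5678 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
# Assumed shape of the per-session token prefix on authenticated cPanel/WHM
# URLs; verify against your own logs before relying on it.
SESSION_PATH_RE = re.compile(r"^/cpsess\d+/")
LOGIN_PATH_PREFIX = "/login"


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_suspicious_sessions(log_text, max_seconds=2.0):
    """Return one finding per client IP that either reached an authenticated
    (cpsess) URL within max_seconds of its first /login request, or reached one
    without any /login request being seen. A human login takes seconds, so
    both patterns deserve a closer look when an authentication bypass is in
    play."""
    first_login = {}
    first_session = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        if rec["path"].startswith(LOGIN_PATH_PREFIX):
            first_login.setdefault(ip, rec["ts"])
        elif SESSION_PATH_RE.match(rec["path"]):
            first_session.setdefault(ip, rec["ts"])

    findings = []
    for ip, sess_ts in first_session.items():
        login_ts = first_login.get(ip)
        if login_ts is None:
            findings.append({"ip": ip, "seconds_to_auth": None,
                             "reason": "session URL without any login request"})
            continue
        delta = (sess_ts - login_ts).total_seconds()
        if delta <= max_seconds:
            findings.append({"ip": ip, "seconds_to_auth": delta,
                             "reason": "authenticated too fast"})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_sessions(SAMPLE_LOG):
        print(finding)
```

Run it against a real log with `python3 script.py < /path/to/access_log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`. The threshold is a heuristic: password managers and legitimate automation can log in quickly, and a log rotated mid-session will show a "session without login" client, so treat hits as leads to correlate against the patch state of the host and the session files on disk rather than as confirmed compromise.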

The free scanner is live at: pentest-tools.com/network-vulnerability-scanning/cve-2026-41940-scanner-cpanel-authentication-bypass
