Full Report
Emergency patches out now for those managing the millions of domains assumed to be affected

Emergency patches are available for a critical vulnerability in cPanel and WHM that allows attackers to bypass authentication and gain root access to servers managed using it.…
Analysis Summary
# Vulnerability: cPanel and WHM Authentication Bypass to Remote Code Execution
## CVE Details
- **CVE ID:** CVE-2026-41940
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-93 (Improper Neutralization of CRLF Sequences / CRLF Injection)
## Affected Systems
- **Products:** cPanel, WebHost Manager (WHM), and WP Squared.
- **Versions:** Every supported version prior to the emergency updates released on April 28, 2026.
- **Configurations:** Systems exposed to the network/internet; the vulnerability affects the login interface.
## Vulnerability Description
The flaw is a Carriage Return Line Feed (CRLF) injection vulnerability: the application fails to properly sanitize user-supplied input in specific headers. A failed login attempt still causes the application to issue a session cookie. By manipulating that cookie, specifically by removing a hex value that triggers encryption, the attacker can inject plaintext commands into the header and instruct the application to elevate privileges to "root". This bypasses the standard authentication mechanisms and yields full administrative control over the server.
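The general mechanism behind CWE-93 is easiest to see in a few lines of code. The following is an added example written for this summary, not code from cPanel or from the watchTowr analysis: a naive header serializer that trusts its values beside one that rejects line-break characters, with a minimal parser showing what the receiving side actually sees. The header names and the tainted value are constructed for illustration.

```python
"""CRLF injection in an HTTP header value: vulnerable serializer vs hardened one.

Added, generic example; it does not reproduce any cPanel/WHM code path.
"""

CRLF = "\r\n"


def serialize_headers_unsafe(headers):
    """Naive serializer: every value is trusted verbatim.

    A value containing CR LF terminates the current header line, so whatever
    follows the break is parsed by the receiver as a separate header.
    """
    return "".join(f"{name}: {value}{CRLF}" for name, value in headers.items()) + CRLF


def parse_headers(raw):
    """Minimal header-block parser, used only to show what the peer sees."""
    parsed = []
    for line in raw.split(CRLF):
        if not line:  # empty line ends the header block
            break
        name, _, value = line.partition(":")
        parsed.append((name.strip(), value.strip()))
    return parsed


class HeaderInjection(ValueError):
    """Raised when a header value contains a line break or NUL."""


def validate_header_value(value):
    """Reject CR, LF and NUL rather than stripping them.

    Stripping silently 'repairs' hostile input and hides the attempt from logs;
    rejecting fails closed and gives the caller something to alert on.
    """
    if any(ch in value for ch in "\r\n\0"):
        raise HeaderInjection(f"control character in header value: {value!r}")
    return value


def serialize_headers_safe(headers):
    """Same serializer, but every value passes validate_header_value first."""
    return "".join(
        f"{name}: {validate_header_value(value)}{CRLF}" for name, value in headers.items()
    ) + CRLF


# Constructed sample: one untrusted value carries an embedded line break.
TAINTED = {"Set-Cookie": "session=abc\r\nX-Injected: yes"}


def demo():
    """Return (headers the peer sees from the unsafe path, whether the safe path refused)."""
    seen_by_peer = parse_headers(serialize_headers_unsafe(TAINTED))
    try:
        serialize_headers_safe(TAINTED)
        refused = False
    except HeaderInjection:
        refused = True
    return seen_by_peer, refused


if __name__ == "__main__":
    peer_view, refused = demo()
    print("unsafe path, headers as parsed by the peer:", peer_view)
    print("safe path refused the value:", refused)
```

The unsafe path turns one intended header into two, which is the primitive any CRLF injection builds on; the hardened path raises before a single byte is emitted. In a real codebase the validation belongs in the one place headers are assembled, not at each call site.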
## Exploitation
- **Status:** **Exploited in the wild.** Reports suggest it may have been utilized as a zero-day for at least 30 days prior to disclosure.
- **Complexity:** Low (Involves crafting specific headers and manipulating session cookies).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** Total (Full access to all hosted data, databases, and emails).
- **Integrity:** Total (Ability to modify any file or configuration on the server).
- **Availability:** Total (Root access allows for complete system shutdown or data destruction).
## Remediation
### Patches
Update to the following versions (or later) immediately:
- **cPanel & WHM:** Refer to the official security update notice (Version-specific patches vary by tier).
- **WP Squared:** Version 1.3.617 or later.
### Workarounds
No effective configuration-based workarounds are currently known that do not involve disabling the control panel entirely. **Immediate patching is the only recommended mitigation.**
## Detection
- **Indicators of Compromise (IoC):** Look for unusual login attempts followed by immediate escalated root access in cPanel/WHM access logs.
- **Detection Tools:**
  - Use the official cPanel detection script to scan for signs of compromise.
  - watchTowr detection artifact generator: `https[:]//github[.]com/watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py`
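The indicator above (a failed login followed almost immediately by root-level access from the same source) can be turned into a simple log correlation. The script below is an added example, not the official cPanel detection script or the watchTowr artifact generator. The log line layout it parses is an assumption modelled on a combined-style access log, and the sample lines are constructed; adapt the regex and the two classifier functions to the real layout of the access log on your host before relying on it.

```python
"""Correlate failed logins with subsequent root-authenticated requests per source IP.

Added example for this summary. The line format (ip, authenticated user,
timestamp, request line, status, bytes) is an ASSUMPTION; the sample log is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed layout: <ip> - <user> [dd/Mon/yyyy:HH:MM:SS +zzzz] "<method> <path> HTTP/1.x" <status> <bytes>
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def is_failed_login(ev):
    # Assumed convention: a POST to the login endpoint answered with a 4xx.
    return ev["method"] == "POST" and ev["path"].startswith("/login") and 400 <= ev["status"] < 500


def is_root_access(ev):
    # Any successful request served to a session authenticated as root,
    # excluding the login endpoint itself.
    return ev["user"] == "root" and not ev["path"].startswith("/login") and ev["status"] < 400


def find_suspicious_sequences(lines, window=timedelta(seconds=60)):
    """Return (ip, failed_login_ts, root_access_ts, path) for each root-authenticated
    request that follows a failed login from the same IP within `window`."""
    recent_failures = defaultdict(list)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line: skip, but count these in production
        if is_failed_login(ev):
            recent_failures[ev["ip"]].append(ev["ts"])
        elif is_root_access(ev):
            for failed_ts in recent_failures[ev["ip"]]:
                if timedelta(0) <= ev["ts"] - failed_ts <= window:
                    alerts.append((ev["ip"], failed_ts, ev["ts"], ev["path"]))
                    break
    return alerts


# Constructed sample log: one suspicious sequence, one normal admin session,
# one failure followed by root access far outside the window, one malformed line.
SAMPLE_LOG = [
    '198.51.100.5 - root [28/Apr/2026:09:30:00 +0000] "GET /scripts2/listaccts HTTP/1.1" 200 5120',
    '203.0.113.9 - - [28/Apr/2026:08:00:00 +0000] "POST /login/ HTTP/1.1" 401 812',
    '203.0.113.9 - root [28/Apr/2026:09:00:00 +0000] "GET /scripts2/listaccts HTTP/1.1" 200 5120',
    '203.0.113.7 - - [28/Apr/2026:10:00:00 +0000] "POST /login/ HTTP/1.1" 401 812',
    '203.0.113.7 - root [28/Apr/2026:10:00:03 +0000] "GET /scripts2/listaccts HTTP/1.1" 200 5120',
    "this line is not an access-log entry",
]

if __name__ == "__main__":
    for ip, failed_ts, root_ts, path in find_suspicious_sequences(SAMPLE_LOG):
        print(f"ALERT {ip}: failed login {failed_ts:%H:%M:%S} -> root request {path} at {root_ts:%H:%M:%S}")
```

The 60-second window is a starting point, not a tuned threshold: legitimate administrators do mistype passwords and then log in as root, so treat a hit as a triage lead to be combined with the official detection script rather than as proof of compromise. Reviewing only the login interface logs is not sufficient here, because the bypass by its nature leaves no successful password authentication to find.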
## References
- **Vendor Advisory:** `https[:]//support[.]cpanel[.]net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026`
- **Technical Analysis:** `https[:]//labs[.]watchtowr[.]com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/`
- **WP Squared Changelog:** `https[:]//docs[.]wpsquared[.]com/changelogs/versions/changelog/#13617`