Emergency patches are out now for administrators of the millions of domains assumed to be affected
Analysis Summary
# Vulnerability: cPanel & WHM Authentication Bypass to Root RCE
## CVE Details
- **CVE ID:** CVE-2026-41940
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-93 (Improper Neutralization of CRLF Sequences)
## Affected Systems
- **Products:** cPanel, WebHost Manager (WHM), and WP Squared.
- **Versions:** Every supported version prior to the emergency updates released on April 28, 2026.
- **Configurations:** Systems where cPanel/WHM is exposed to the network (the standard installation).
## Vulnerability Description
The flaw is a carriage return/line feed (CRLF) injection vulnerability. It exists because the application fails to properly neutralize CRLF sequences in user-supplied input during the authentication process, so attacker-controlled input can be interpreted as additional protocol lines rather than as a single header value.
An attacker can bypass authentication by:
1. Initiating a failed login attempt to generate a session cookie.
2. Sending a request with a specially crafted header containing CRLF instructions.
3. Manipulating hex values to prevent the system from encrypting attacker-supplied values.
4. Injecting plaintext commands (e.g., instructions to change privileges to root) that the system executes as trusted code.
## Exploitation
- **Status:** Probable zero-day exploitation; reports suggest it was exploited in the wild for at least 30 days before disclosure. Proof-of-concept (PoC) workflows have been published by security researchers at watchTowr.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** Total (Full access to websites, databases, files, and emails)
- **Integrity:** Total (Full root access to the server)
- **Availability:** Total (Attacker can shut down services or delete data)
## Remediation
### Patches
Update to the following versions (or later) immediately:
- **cPanel & WHM:** Refer to the official security update dated 04-28-2026.
- **WP Squared:** Version 1.36.17 or higher.
### Workarounds
No effective workarounds are currently provided; immediate patching is the only recommended course of action due to the nature of the authentication bypass.
## Detection
- **Detection Script:** Run the official cPanel detection script provided in the emergency advisory to check for signs of compromise.
- **Artifact Generation:** A detection artifact generator is available via watchTowr Labs to assist in identifying exploitation attempts in logs.
- **Indicators of Compromise:** Look for unusual failed login attempts followed by immediate root-level sessions or unauthorized modifications to system headers.
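The two indicators above (CRLF sequences inside client-controlled header values, and a failed login followed shortly by a root-level session from the same client) can be checked with a small log-correlation script. The example below is added here and is not the cPanel detection script or the watchTowr tool; the event format and the sample lines are constructed for illustration, so adapt the parser to the real log source before use.

```python
import re
from datetime import datetime

# Constructed sample events (not real cPanel/WHM log lines):
# "<timestamp> <client ip> <event> <detail>"
SAMPLE_EVENTS = [
    "2026-04-27T10:00:01Z 203.0.113.5 login_failed header=",
    "2026-04-27T10:00:03Z 203.0.113.5 request header=session%0d%0aX-Injected:1",
    "2026-04-27T10:00:05Z 203.0.113.5 session_opened user=root",
    "2026-04-27T11:30:00Z 198.51.100.7 login_failed header=",
    "2026-04-27T12:15:00Z 198.51.100.7 session_opened user=root",
    "2026-04-27T12:20:00Z 192.0.2.9 request header=plain-cookie-value",
]

# Raw CR/LF characters or their URL-encoded forms inside a client-controlled value.
CRLF_RE = re.compile(r"(\r|\n|%0[dD]|%0[aA])")


def parse_event(line):
    """Split one constructed event line into its fields."""
    ts, ip, kind, detail = line.split(" ", 3)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "kind": kind, "detail": detail}


def find_crlf_in_headers(lines):
    """Return client IPs that sent a header value containing CRLF sequences."""
    hits = []
    for ev in map(parse_event, lines):
        value = ev["detail"].partition("=")[2]
        if ev["kind"] == "request" and CRLF_RE.search(value):
            hits.append(ev["ip"])
    return hits


def find_failed_then_root(lines, window_s=300):
    """Return client IPs whose failed login was followed by a root session
    within window_s seconds, the sequence named in the indicators above."""
    last_failed = {}
    hits = []
    for ev in map(parse_event, lines):
        if ev["kind"] == "login_failed":
            last_failed[ev["ip"]] = ev["ts"]
        elif ev["kind"] == "session_opened" and ev["detail"] == "user=root":
            t = last_failed.get(ev["ip"])
            if t is not None and (ev["ts"] - t).total_seconds() <= window_s:
                hits.append(ev["ip"])
    return hits
```

With the constructed events, both checks flag 203.0.113.5 only; widening the window to an hour also flags the slower sequence from 198.51.100.7.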
## References
- cPanel Official Advisory: hxxps[://]support[.]cpanel[.]net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026
- WP Squared Changelog: hxxps[://]docs[.]wpsquared[.]com/changelogs/versions/changelog/#13617
- watchTowr Labs Technical Analysis: hxxps[://]labs[.]watchtowr[.]com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/
- watchTowr Detection Tool: hxxps[://]github[.]com/watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE[.]py