Full Report
The agency added the flaw to the KEV list days after hosting providers confirmed active, ongoing attacks. The post *cPanel’s authentication bypass bug is being exploited in the wild, CISA warns* appeared first on CyberScoop.
Analysis Summary
# Vulnerability: cPanel/WHM Authentication Bypass
## CVE Details
- **CVE ID:** CVE-2026-41940
- **CVSS Score:** 9.8 (Critical)
- **CWE:** Improper handling of user input (Injection)
## Affected Systems
- **Products:** cPanel & WebHost Manager (WHM), WP Squared
- **Versions:** All supported cPanel/WHM versions released after v11.40 (specifically identified in branches 11.110.0 through 11.136.0); WP Squared versions prior to 11.136.1.
- **Configurations:** Systems exposed to the internet on standard management ports (2083, 2087). Approximately 1.5 million instances are estimated to be visible online.
## Vulnerability Description
The flaw is a session-based authentication bypass caused by improper input validation in the login process: cPanel writes user-provided data into a server-side session file *before* verifying credentials.
An attacker can inject hidden line breaks (newlines) into the password field of a login request. Because cPanel does not strip these characters, arbitrary data can be written into the session file. A second, malformed request then "promotes" the injected data into the active session cache; the server then treats the session as already authenticated, skips password verification, and grants full access to the account.
## Exploitation
- **Status:** Exploited in the wild (CISA KEV listed).
- **Complexity:** Low (Technical details and PoC-like "Artifact Generators" are public).
- **Attack Vector:** Network
## Impact
- **Confidentiality:** Total (Full access to hosting management and user data).
- **Integrity:** Total (Ability to modify server configurations and web content).
- **Availability:** Total (Potential for account deletion or service disruption).
## Remediation
### Patches
Update to the following versions or higher:
- **cPanel/WHM:** the patched builds of branches 11.110.0.x through 11.136.0.x (ensure the most recent "Security Update" from April 28, 2026, is applied to your branch).
- **WP Squared:** Version 11.136.1.
### Workarounds
- **Port Blocking:** Temporarily block external access to ports 2083 (cPanel) and 2087 (WHM) via firewall until patches are applied.
- **IP White-listing:** Restrict access to management interfaces to known administrative IP addresses.
## Detection
- **Detection Script:** cPanel has released an official script to scan session files for indicators of compromise (IOCs).
- **Indicators of Compromise:**
  - Sessions containing injected authentication timestamps.
  - Pre-authentication session files containing authenticated attributes.
  - Password fields in logs or session files containing embedded newlines/line breaks.
- **watchTowr Artifact Generator:** A third-party tool is available to verify whether an instance remains vulnerable.
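As an added illustration of the three indicators above (this is not cPanel's official script; it assumes a simple `key=value` per-line session layout and uses hypothetical attribute names, since the real on-disk format and key names are not given here), a small Python scanner run over constructed samples:

```python
import re

# Hypothetical attribute names: the advisory says compromised session files
# carry "authenticated attributes" / "injected authentication timestamps" but
# does not name cPanel's real keys, so these are placeholders.
AUTHENTICATED_ATTRIBUTES = {"successful_auth_timestamp", "authenticated"}
# Raw or URL-encoded CR/LF inside a submitted password is the IOC to flag.
LINE_BREAKS = re.compile(r"\r|\n|%0[aAdD]")

def password_has_line_break(password: str) -> bool:
    """IOC 3: a password field containing embedded newlines or line breaks."""
    return LINE_BREAKS.search(password) is not None

def parse_session(text: str) -> dict:
    """Parse an assumed 'key=value' per-line session file into a dict.
    (Constructed layout; cPanel's real session format is not shown on the page.)"""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def session_iocs(text: str, pre_auth: bool) -> list:
    """IOCs 1-2: a pre-authentication session that already carries
    authenticated attributes. Returns the offending keys, sorted."""
    if not pre_auth:
        return []
    return sorted(AUTHENTICATED_ATTRIBUTES & set(parse_session(text)))

# Constructed samples, not real captures.
CLEAN_SESSION = "user=alice\ncreated=1777334400\n"
# A pre-auth record that already holds an authenticated attribute.
SUSPECT_SESSION = "user=bob\ncreated=1777334400\nsuccessful_auth_timestamp=1777334401\n"
LOGIN_SAMPLES = {
    "benign": "correct horse battery staple",
    "raw_lf": "abc\ndef",
    "encoded_cr": "abc%0Ddef",
}

def scan_all() -> dict:
    """Summarise findings over the constructed samples."""
    return {
        "clean_session": session_iocs(CLEAN_SESSION, pre_auth=True),
        "suspect_session": session_iocs(SUSPECT_SESSION, pre_auth=True),
        "passwords": {k: password_has_line_break(v) for k, v in LOGIN_SAMPLES.items()},
    }

if __name__ == "__main__":
    print(scan_all())
```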
## References
- **Vendor Advisory:** hxxps://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026
- **CISA KEV Catalog:** hxxps://www.cisa.gov/known-exploited-vulnerabilities-catalog
- **Rapid7 Analysis:** hxxps://www.rapid7.com/blog/post/etr-cve-2026-41940-cpanel-whm-authentication-bypass/
- **watchTowr Technical Write-up:** hxxps://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/