CVE-2026-41940: Active Zero-Day Exploitation in cPanel and WHM
- Threat actors are actively leveraging a zero-day authentication bypass to gain full administrative access to web servers and sensitive customer data.
- Affected systems include cPanel, WHM, and WP Squared software versions earlier than 11.109.9999.176 across all active deployment tiers.
- Security teams must immediately deploy the latest vendor patches for cPanel and WHM to block active exploitation and unauthorized administrative logins.
Administrators of web hosting environments are facing a significant threat following the disclosure of a critical vulnerability in cPanel, WHM, and WP Squared. According to BleepingComputer, the flaw, tracked as CVE-2026-41940, is an authentication bypass that allows remote attackers to gain administrative control over affected servers without valid credentials. This zero-day was reportedly leveraged in the wild as early as late February, making immediate remediation a priority for SOC teams and system administrators.
Technical Analysis of CVE-2026-41940
The vulnerability stems from a failure in the validation logic within the cPanel and WHM authentication handlers. Under specific conditions, an attacker can craft a malicious request that misleads the system into granting an authenticated session. Because this bypass targets the core management interface, it effectively provides a path for RCE or full system compromise, depending on the post-exploitation actions taken by the threat actor.
The CVSS score for this vulnerability is 9.8, reflecting its critical nature and ease of exploitation. The availability of a public Proof-of-Concept (PoC) further exacerbates the risk, as script kiddies and organized APT groups can now integrate this bypass into automated scanning tools. This enables mass exploitation attempts against any Internet-facing server that has not yet applied the necessary security updates.
Scope of Impact and Affected Versions
The vulnerability affects multiple versions of the hosting management software. Specifically, versions of cPanel and WHM earlier than 11.109.9999.176 are vulnerable. WP Squared, a specialized WordPress hosting management platform built on the same architecture, is also impacted. Organizations relying on these tools to manage thousands of websites are particularly at risk, as a single compromise could lead to a massive data breach or a supply chain attack against hosted clients.
How to Detect CVE-2026-41940 Exploit Attempts
Identifying exploitation requires a close examination of access logs and authentication audit trails. Defensive teams should monitor for unusual administrative logins originating from unfamiliar IP addresses or sessions created without corresponding successful login events in the security logs. Any IoC related to this vulnerability typically involves requests to the /cpsess[ID]/ or /login/ endpoints that bypass standard multi-factor authentication (MFA) or password checks.
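The check described above, sessions that appear in the access log without a matching successful login, can be automated. The script below is an added example, not from the article or the vendor; it assumes a simplified access-log layout and a constructed login audit table, and also flags a session used from an IP other than the one that logged in.

```python
import re

# Constructed sample lines in a simplified cPanel/WHM access-log style. Assumption:
# the real log layout differs in detail; only client IP, user and request path are parsed.
ACCESS_LOG = """\
198.51.100.7 - root [05/03/2026:09:12:01 +0000] "POST /login/?login_only=1 HTTP/1.1" 200 48
198.51.100.7 - root [05/03/2026:09:12:02 +0000] "GET /cpsess1111111111/scripts/command HTTP/1.1" 200 812
203.0.113.9 - root [05/03/2026:09:40:17 +0000] "GET /cpsess2222222222/json-api/listaccts HTTP/1.1" 200 2301
203.0.113.9 - root [05/03/2026:09:40:18 +0000] "GET /cpsess2222222222/scripts/createacct HTTP/1.1" 200 640
203.0.113.9 - root [05/03/2026:09:41:03 +0000] "GET /cpsess3333333333/scripts/command HTTP/1.1" 200 812
"""

# Constructed record of successful logins keyed by session token (assumption: built
# from the login audit trail, which records the token, client IP and user for each login).
SUCCESSFUL_LOGINS = {
    "cpsess1111111111": ("198.51.100.7", "root"),
    "cpsess3333333333": ("192.0.2.5", "root"),
}

LINE_RE = re.compile(r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')
SESSION_RE = re.compile(r"^/(?P<token>cpsess\d+)/")


def find_suspicious_sessions(access_log, successful_logins):
    """Map each suspicious session token to a reason.

    'no_login'    - the token is used but never appears in the login audit trail
                    (the pattern an authentication bypass leaves behind)
    'ip_mismatch' - the token is used from an IP other than the one that logged in
    """
    findings = {}
    for line in access_log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = SESSION_RE.match(m["path"])
        if not s:
            continue  # not a session-scoped request (e.g. the /login/ POST itself)
        token = s["token"]
        login = successful_logins.get(token)
        if login is None:
            findings[token] = "no_login"
        elif login[0] != m["ip"]:
            findings[token] = "ip_mismatch"
    return findings


if __name__ == "__main__":
    for token, reason in find_suspicious_sessions(ACCESS_LOG, SUCCESSFUL_LOGINS).items():
        print(f"{token}: {reason}")
```

In the sample data, cpsess2222222222 is flagged because it was never issued by a login, and cpsess3333333333 because it is used from a different IP than the one that authenticated.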
Furthermore, searching for unauthorized privilege escalation or the creation of new administrative accounts is a vital step in post-incident analysis. If an attacker successfully bypasses authentication, their next moves often include lateral movement and deploying a C2 beacon to establish persistence, so that they retain control even after the initial session expires.
Mitigation and Patching Guidance
The most effective defense is the immediate application of the cPanel and WHM authentication bypass patch released by the vendor. The security updates are available in the following versions:
- 110.0.41
- 118.0.21
- 120.0.18
- 122.0.7
- 124.0.8
For organizations unable to patch immediately, implementing strict IP whitelisting for access to ports 2082, 2083, 2086, and 2087 is recommended. While this does not resolve the underlying flaw, it significantly reduces the attack surface by preventing unauthorized external IP addresses from reaching the management interface. Additionally, organizations should ensure that EDR solutions are active on host servers to detect anomalous process executions that may follow a successful bypass.
In the context of the MITRE ATT&CK framework, this threat maps to “Exploit Public-Facing Application” (T1190) and “Valid Accounts” (T1078). Given the active exploitation, SIEM alerts should be tuned to flag any modifications to system-level configuration files or sensitive directory access following the detection of suspicious web traffic.