Critical Vulnerability Alert: CVE-2026-41940 in cPanel, WHM, and WP Squared

CVE-2025-61882 in Oracle E-Business Suite blog
emma-stevens-bio-portrait
Written by Emma Stevens
Threat Intelligence Researcher

A critical vulnerability CVE-2026-41940 has been identified in cPanel, WHM, and WP Squared, affecting cPanel & WHM versions after 11.40, as well as WP Squared. These web hosting control panels are commonly used to manage websites, email, databases, and server configurations, making unauthorized access a serious security concern.

CVE-2026-41940 carries a CVSS score of 9.8 (Critical) and a Bitsight Dynamic Vulnerability Exploit (DVE) score of 9.3, signaling both severe technical risk and elevated real-world threat activity. The vulnerability can be exploited remotely over the network, requires low attack complexity, and does not require privileges or user interaction.

According to Bitsight Threat Intelligence

Bitsight Threat Intelligence indicates active exploitation of CVE-2026-41940 in the wild. A public proof-of-concept (PoC) is now available, which may increase the likelihood of broader exploitation. There is currently no known exploit kit or Metasploit module associated with this vulnerability, and it is not trending on GitHub. There is no confirmed association with APT activity based on available intelligence.

CVE-2026-41940 overview

This vulnerability allows unauthenticated remote attackers to bypass authentication mechanisms in cPanel, WHM, and WP Squared. Successful exploitation may allow unauthorized access to the control panel, bypass MFA protections, and potentially grant root-level control over affected servers and hosted domains.

Exploitation activity has been observed prior to patch availability, with reports indicating execution attempts as early as February 23, 2026\. Internet-facing environments are especially important to review, as the vulnerability can be exploited remotely without valid credentials.

CVE-2026-41940
Authentication Bypass in cPanel, WHM, and WP Squared
🔴 Critical
CVSS Score
9.8
DVE Score
9.3
Exploit Status
In the Wild
Active exploitation
Attack Vector Network
Privileges Required None
Attack Complexity Low
User Interaction None
⚠️ Urgent: This vulnerability is being actively exploited in the wild, including prior to patch release. Public PoC material is available, which may accelerate widespread exploitation. Immediate action required.

Vulnerability Details

Vulnerability Type Authentication Bypass
Root Cause CRLF injection in session handling (cpsrvd daemon)
Affected Products cPanel, WHM, WP Squared
Affected Versions All versions after 11.40

Technical Root Cause

CRLF injection in the session handling logic of the cpsrvd daemon, allowing specially crafted HTTP Authorization headers to manipulate server-side session files prior to authentication.

Attack Scenario

  • Remote attacker sends crafted HTTP request with malicious Authorization header
  • CRLF injection manipulates session file before authentication check
  • Session file modified to bypass authentication verification
  • Attacker gains unauthorized access as administrative user
  • Full control over cPanel environment and hosted domains

Potential Impacts

  • Authentication Bypass: Complete circumvention of MFA and credential requirements
  • Unauthorized Administrative Access: Attacker operates with full admin privileges
  • Root-Level Control: Potential for system-level compromise
  • Data Exposure: Access to all hosted customer data and sensitive configuration
  • Domain Control: Modification of DNS records, email routing, and hosted content
  • Operational Disruption: Widespread impact during investigation and recovery

Why This Matters

This vulnerability is particularly dangerous because:

  • No credentials or MFA bypass required — purely network-based
  • Active exploitation observed in the wild
  • Public PoC material accelerates adoption by threat actors
  • cPanel environments typically manage multiple services and sensitive data
  • Widespread internet exposure increases attack surface
  • Downstream impact on all hosted domains and customers

Patch Versions

Product Patched Version
cPanel/WHM 11.110.0 → 11.110.0.97
cPanel/WHM 11.118.0 → 11.118.0.63
cPanel/WHM 11.126.0 → 11.126.0.54
cPanel/WHM 11.132.0 → 11.132.0.29
cPanel/WHM 11.134.0 → 11.134.0.20
cPanel/WHM 11.136.0 → 11.136.0.5
WP Squared 11.136.1 → 11.136.1.7

Remediation Timeline

Step 1: Immediate Patching
Update all affected systems to patched versions listed above. This is the primary remediation.
Step 2: Service Restart
After patching, restart the cpsrvd service to ensure patches are fully applied and active.
Step 3: Temporary Mitigation (if needed)
If patching cannot be done immediately, block external access to ports 2083, 2087, 2095, and 2096 or stop cpsrvd/cpdavd services temporarily.
Step 4: Security Monitoring
Implement enhanced monitoring for unusual login attempts, unauthorized access patterns, and configuration changes.
Step 5: Log Analysis & Threat Hunting
Review historical logs for suspicious activity from unusual IPs, times, and unauthorized access patterns.
Step 6: Incident Response
If compromise suspected: isolate systems, purge sessions, reset credentials, audit logs, and restore from known-good backups if necessary.

Recommended Actions

🔴 Immediate (Within 24 Hours)
  • Patch all affected cPanel/WHM/WP Squared systems
  • Restart cpsrvd service to activate patches
  • Verify patch installation completed successfully
🟠 Near-Term (Within 48-72 Hours)
  • Enable enhanced security monitoring and alerting
  • Reset all administrative credentials as precaution
  • Purge all active sessions to force re-authentication
  • Review access logs for indicators of compromise
🟡 Follow-Up (Within 1 Week)
  • Conduct full forensic analysis of logs spanning pre-patch period
  • Hunt for persistence mechanisms or backdoors
  • Verify integrity of hosted domains and configurations
  • Validate backup integrity and test restoration procedures

Threat landscape & context

CVE-2026-41940 is notable due to the combination of critical severity and confirmed exploitation in the wild, including activity observed prior to the release of patches. The availability of technical details and PoC material are now publicly available and may further increase exploitation attempts.

Given the widespread deployment of cPanel and related technologies, organizations should prioritize visibility into exposed systems and ensure timely remediation.

How Bitsight Threat Intelligence can help

  • External Risk Identification: Identify exposed systems that may be affected by CVE-2026-41940
  • Threat Monitoring: Track exploit activity and threat trends
  • Attack Surface Visibility: Help organizations understand externally exposed assets
  • Third-Party Risk Insights: Assess vendor and supply chain exposure
  • Actionable Intelligence: Translate technical risk into clear business impact

CVE-2026-41940 is a critical authentication bypass vulnerability with confirmed exploitation in the wild. Organizations using affected cPanel, WHM, and WP Squared versions should prioritize patching, strengthen access controls, and monitor for suspicious activity.

To learn more about CVE-2026-41940 or speak with a Bitsight TI expert, contact us today