CVE-2026-41940 is an authentication bypass in cPanel and WHM that attackers have been exploiting since at least February 23, 2026. A patch did not exist until April 28. That is a 64-day window during which roughly 1.5 million cPanel servers globally were vulnerable to unauthenticated administrative access, and at least 44,000 of them were confirmed compromised. Some hosted "Sorry" ransomware deployments. Others were quietly backdoored. The hosting industry had a bad spring.
If you run cPanel/WHM, update to version 118.0.16 or later immediately. If your server was running cPanel between February 23 and April 28 with WHM reachable from the internet, treat it as compromised and complete a forensic review before trusting it with production workloads again.
The Vulnerability
The bug is an authentication bypass in the WHM API endpoint handling. A crafted unauthenticated HTTP request to the WHM interface can bypass the login check entirely, granting the attacker full administrative access to the server. With WHM admin access, an attacker can create new cPanel accounts, modify DNS records, install arbitrary software, access all hosted email and files, and read SSL certificate private keys for any domain on the server.
Rapid7 published a technical analysis on April 29, the day after the patch dropped. Their write-up confirmed the bypass mechanism involves a malformed session token that the authentication handler accepts as valid without verifying against the actual session store. The specific code path was introduced in a late-2024 refactor intended to improve performance on high-traffic hosting platforms.
cPanel runs on approximately 1.5 million servers worldwide, most of them shared hosting platforms. A typical shared hosting server holds hundreds of distinct customer accounts. A single compromised cPanel server is therefore not one victim: it is hundreds of websites, mailboxes, and databases belonging to separate organizations, many of them small businesses with no independent security monitoring.
How Attackers Used It
The Hosting Provider Problem
The cPanel ecosystem creates a structural security problem that this incident illustrates clearly. A hosting provider running cPanel is, by design, the single point of failure for every customer on that server. When the hosting platform itself is compromised, the customer has no independent means of detection. The customer's website may continue functioning normally while a web shell sits in their file system exfiltrating email or serving malware to their visitors.
The "Sorry" ransomware deployments hit smaller hosting providers hard. Several notified customers only after the ransom demand surfaced, meaning some customers learned about the compromise from a ransom note rather than from their host. Hosting providers bear responsibility for patching the platforms they operate, but many run 30-to-60-day update cycles, which is catastrophically inadequate for an actively exploited CVSS 9.8 vulnerability.
If you are a customer on shared hosting and your provider has not confirmed they patched before April 28, assume the server was compromised during the window. Change every credential that lived on the server: cPanel and FTP logins, mailbox passwords, database passwords, and any API keys stored in site configuration files. Revoke and reissue any SSL certificates whose private keys were stored on the server. Review the access logs your host exposes and your own file listings for unfamiliar files or modification times inside the window.
Remediation Steps
- Update cPanel/WHM to version 118.0.16 or later with /scripts/upcp or through the WHM update interface
- Restrict WHM port access (2086/2087) to known management IPs via firewall; WHM should never be publicly accessible if avoidable
- Audit WHM and cPanel account lists for unauthorized accounts created during the exposure window
- Review file modification timestamps across all hosted accounts for changes between February 23 and April 28; check ctime as well as mtime, since mtime is trivially backdated with touch
- Check the SSH authorized_keys file of every account and /root/.ssh/authorized_keys for unexpected entries
- Revoke and reissue SSL certificates for all domains hosted on potentially compromised servers
- Review server-level cron jobs for added persistence mechanisms
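The steps above as one runnable audit script. This is an added example, not code from cPanel or from the original post, and it rests on assumptions the page does not state: cPanel records its version in /usr/local/cpanel/version with an internal "11." prefix (11.118.0.16 for 118.0.16), one file per account lives under /var/cpanel/users, per-user crontabs sit in /var/spool/cron and system jobs in /etc/cron.d, and /root/known_keys is a hypothetical allowlist of SSH keys you expect on the box. Every helper takes paths as arguments so it can be exercised against a scratch tree before it is pointed at a live server.

```shell
#!/bin/sh
# Added example, not code from cPanel or from the original post: helpers for the
# exposure-window audit. Assumptions (not stated by the page): cPanel writes its version
# to /usr/local/cpanel/version with an internal "11." prefix (e.g. 11.118.0.16); one file
# per account lives under /var/cpanel/users; per-user crontabs are in /var/spool/cron and
# system jobs in /etc/cron.d; /root/known_keys is a hypothetical allowlist of expected keys.
set -eu

PATCHED_VERSION="118.0.16"
WINDOW_START="2026-02-23"
WINDOW_END="2026-04-29"   # exclusive bound, so all of April 28 is inside the window

# version_at_least HAVE WANT: succeed when dotted version HAVE >= WANT, component by component.
version_at_least() {
  local have want h w
  have=$1; want=$2
  while [ -n "$have" ] || [ -n "$want" ]; do
    h=${have%%.*}; w=${want%%.*}
    case $have in *.*) have=${have#*.} ;; *) have= ;; esac
    case $want in *.*) want=${want#*.} ;; *) want= ;; esac
    [ "${h:-0}" -gt "${w:-0}" ] && return 0
    [ "${h:-0}" -lt "${w:-0}" ] && return 1
  done
  return 0
}

# installed_cpanel_version [FILE]: read the version, dropping the internal "11." prefix.
installed_cpanel_version() {
  sed -e 's/^11\.//' "${1:-/usr/local/cpanel/version}" | tr -d '[:space:]'
}

# is_patched [FILE]: succeed when the installed version carries the fix.
is_patched() {
  version_at_least "$(installed_cpanel_version "${1:-/usr/local/cpanel/version}")" "$PATCHED_VERSION"
}

# changed_in_window DIR START END: regular files under DIR whose mtime OR ctime lies in
# [START, END). mtime is trivial to forge with touch; ctime is not, so both are checked.
changed_in_window() {
  find "$1" -type f \( \( -newermt "$2" ! -newermt "$3" \) \
                    -o \( -newerct "$2" ! -newerct "$3" \) \) | sort
}

# accounts_created_in_window [DIR]: cPanel accounts whose account file appeared in the window.
accounts_created_in_window() {
  changed_in_window "${1:-/var/cpanel/users}" "$WINDOW_START" "$WINDOW_END" |
    while IFS= read -r f; do basename "$f"; done
}

# unexpected_keys AUTHORIZED_KEYS ALLOWLIST: key lines whose type+blob is not in ALLOWLIST.
# Assumes plain "type base64 comment" lines; strip any options= prefix first if you use them.
unexpected_keys() {
  awk 'FILENAME == ARGV[1] { if ($1 ~ /^(sk-)?(ssh-|ecdsa-)/) ok[$1 " " $2] = 1; next }
       $1 ~ /^(sk-)?(ssh-|ecdsa-)/ { k = $1 " " $2; if (!(k in ok)) print }' "$2" "$1"
}

# cron_changed_in_window DIR...: cron files touched in the window (persistence check).
cron_changed_in_window() {
  for d in "$@"; do
    if [ -d "$d" ]; then changed_in_window "$d" "$WINDOW_START" "$WINDOW_END"; fi
  done
}

# whm_firewall_rules MGMT_CIDR: print iptables rules that limit WHM (2086/2087) to one
# management range. Review the output, then pipe it to sh. Servers running CSF should
# instead drop 2086/2087 from TCP_IN in /etc/csf/csf.conf and allow the range in csf.allow.
whm_firewall_rules() {
  printf 'iptables -I INPUT 1 -p tcp -m multiport --dports 2086,2087 -j DROP\n'
  printf 'iptables -I INPUT 1 -p tcp -m multiport --dports 2086,2087 -s %s -j ACCEPT\n' "$1"
}

# Full audit on a live server:  sh cpanel_audit.sh --run 203.0.113.0/24
if [ "${1:-}" = "--run" ]; then
  [ -r /usr/local/cpanel/version ] || { echo "no cPanel version file found"; exit 1; }
  if is_patched; then echo "cPanel $(installed_cpanel_version): patched"
  else echo "cPanel $(installed_cpanel_version): VULNERABLE, run /scripts/upcp now"; fi
  echo "== accounts created in window =="; accounts_created_in_window
  echo "== files changed under /home in window =="
  changed_in_window /home "$WINDOW_START" "$WINDOW_END"
  echo "== root keys not in /root/known_keys =="
  unexpected_keys /root/.ssh/authorized_keys /root/known_keys
  echo "== cron files changed in window =="; cron_changed_in_window /var/spool/cron /etc/cron.d
  echo "== suggested firewall rules =="; whm_firewall_rules "${2:-203.0.113.0/24}"
fi
```

Two design notes. The file-change check matches on ctime as well as mtime because an attacker who drops a web shell and runs touch against it leaves ctime untouched; a file whose mtime is outside the window but whose ctime is inside it deserves a look. The firewall helper only prints rules so that the ACCEPT for the management range is reviewed before anything locks the operator out of WHM.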
Ask your hosting provider directly: "Was the cPanel server hosting my account updated before April 28, 2026 to address CVE-2026-41940?" If they cannot answer that question with a specific date and version number, escalate or migrate.
Running cPanel Servers? Get a Compromise Assessment.
RedEye Security can conduct a rapid review of your cPanel infrastructure to identify indicators of compromise from the CVE-2026-41940 exploitation window and verify your current patch state.