Security researchers and hosting providers are scrambling to contain active exploitation of a critical cPanel/WHM authentication-bypass flaw, tracked as CVE-2026-41940 (CVSS 9.8). The bug, tied to CRLF/input-sanitization issues, can let attackers craft a session cookie after a failed login and manipulate headers to escalate privileges, ultimately authenticating as root and taking full server control. Reports suggest it may have been abused as a zero-day for roughly a month, raising compromise concerns across shared hosting fleets. cPanel has issued emergency patches and detection scripts, with administrators urged to patch immediately and hunt for signs of intrusion.
A critical authentication-bypass zero-day, CVE-2026-41940, affects all supported versions of cPanel & WHM and has been exploited in the wild against hosting control planes. Researchers at watchTowr Labs and reports from KnownHost confirm active exploitation through the session loading/saving code, which lets attackers obtain administrative access without valid credentials. cPanel released emergency patches across multiple release tracks (for example 11.110.0.97, 11.118.0.63 and 11.126.0.54) and urges immediate upgrades. The fix centers on the session handling code (Session.pm, Load.pm, Encoder.pm): the patched saveSession flow changes how session data is encoded and filtered, closing the gap in the pre-patch encoding/filtering that made the bypass possible. This matters because cPanel/WHM manages tens of millions of domains; compromise of the management plane can enable mass website takeovers, credential theft, and rapid lateral movement across shared hosting infrastructure.
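The first question on every host is whether the installed build is at or above the fixed build for its release track. The following check is an added example, not cPanel's own tooling: it parses the version string cPanel writes to /usr/local/cpanel/version (an assumed path; the same string is what `/usr/local/cpanel/cpanel -V` prints) and compares it against the three fixed builds quoted above. Tracks other than 110, 118 and 126 are reported as unknown rather than guessed; the table should be filled in from cPanel's advisory for the rest of the 110 through 136 range.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# Minimum fixed builds per release track, taken from the page's examples.
# Other tracks (the page says 110 through 136 received patches) must be
# added from the vendor advisory; they are not guessed here.
PATCHED_BUILDS = {
    110: (11, 110, 0, 97),
    118: (11, 118, 0, 63),
    126: (11, 126, 0, 54),
}

VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text: str) -> Version:
    """Parse a cPanel & WHM version string such as '11.126.0.54'."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised cPanel version string: {text!r}")
    major, track, minor, build = (int(x) for x in m.groups())
    return (major, track, minor, build)


def assess(version_text: str) -> str:
    """Classify an installed build as 'patched', 'vulnerable' or 'unknown-track'.

    Tuple comparison orders (major, track, minor, build) component-wise, so
    11.126.0.54 >= 11.126.0.54 is patched and 11.126.0.53 is not.
    """
    v = parse_version(version_text)
    fixed = PATCHED_BUILDS.get(v[1])
    if fixed is None:
        return "unknown-track"
    return "patched" if v >= fixed else "vulnerable"


def read_installed_version(path: str = "/usr/local/cpanel/version") -> Optional[str]:
    """Return the version string from disk, or None when not on a cPanel host.

    The path is assumed; it is where cPanel normally records its version.
    """
    try:
        with open(path, encoding="ascii") as fh:
            return fh.read().strip()
    except OSError:
        return None


if __name__ == "__main__":
    installed = read_installed_version()
    if installed is None:
        print("no cPanel version file found; not a cPanel host?")
    else:
        print(f"{installed}: {assess(installed)}")
```

A result of `vulnerable` on a reachable WHM port means the host should be treated as potentially compromised, not merely unpatched, given the page's report of roughly a month of pre-disclosure exploitation.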
A critical authentication bypass vulnerability (CVE-2026-41940) affecting cPanel/WHM has been reported and widely shared on Hacker News, sparking immediate concern among web administrators. The flaw allows attackers to bypass login controls in cPanel/WHM, the widely used web hosting control panel, potentially enabling unauthorized access to hosted sites and servers. Those affected include cPanel as the vendor, the hosting providers that run it, and the millions of websites that depend on the control panel. This matters because successful exploitation could lead to site takeovers, data breaches, and mass compromise across shared hosting environments, amplifying risk for web infrastructure. Administrators should monitor cPanel advisories, apply vendor patches or mitigations, and audit access logs and credentials promptly.
A critical authentication-bypass bug (CVE-2026-41940) in cPanel & WHM's session loading/saving code affects all supported releases and has seen in-the-wild exploitation, according to researchers and hosting provider KnownHost. watchTowr Labs diffed patched and unpatched builds and traced the fix to changes in Session.pm, Load.pm, and Encoder.pm that alter how session data, specifically session passwords, is encoded and filtered; the pre-patch handling allowed the normal authentication checks to be bypassed. cPanel has issued patches across multiple release tracks (110 through 136) and urges immediate upgrades; watchTowr also published active defense mitigation rules to help its clients auto-mitigate at the network edge. This matters because cPanel/WHM is the management plane for millions of domains, so exploitation grants high-impact control over web hosting infrastructure.
A critical authentication-bypass vulnerability (CVE-2026-41940) in cPanel and WHM is being actively exploited, allowing attackers to bypass the login screen and gain full administrative control of affected web servers. cPanel urged customers to apply patches immediately; major hosts including Namecheap, HostGator and others have already blocked access or patched systems. Canada’s national cybersecurity agency warned exploitation is “highly probable,” especially on shared hosting, and some providers report attempted abuses dating back to February. KnownHost observed signs of attempted access on about 30 servers but no confirmed widespread compromises. The flaw matters because cPanel/WHM have deep server privileges and are widely used by web hosts, so unpatched systems could expose large numbers of websites and customer data.
Researchers and incident reports show active exploitation of a vulnerability in cPanel & WHM (CVE-2026-41940), with attackers abusing it in the wild against shared hosting environments. cPanel, a ubiquitous web hosting control panel used by hosting providers and resellers, has been targeted, raising concerns because an exploited console can give attackers access to multiple customer sites and server resources. The development matters because compromised control panels enable large-scale website defacement, credential theft, malware distribution, and cryptomining across multi-tenant hosts. Hosting operators should apply vendor patches or mitigations immediately, audit logs, and rotate credentials; customers on shared hosting should verify their provider's response and consider isolation or migration.
A critical authentication-bypass bug (CVE-2026-41940) in cPanel and WHM is being actively exploited to bypass the login screen and gain full administrative control of affected web servers. cPanel urged immediate patching across all supported versions; major hosts including Namecheap, HostGator and others have blocked or patched cPanel access to prevent compromises. Canada’s national cybersecurity agency warned exploitation is “highly probable,” especially on shared hosting, and some hosts report attempted abuses dating back to February. KnownHost observed attempted accesses on roughly 30 servers and mitigated risks while deploying fixes. The vulnerability matters because cPanel/WHM have deep server privileges and unpatched instances could allow widespread website and data takeover across tens of millions of domains.
Hackers are actively exploiting a bug in cPanel, used by millions of websites
A critical authentication-bypass vulnerability in cPanel/WHM (CVE-2026-41940, CVSS 9.8) can grant attackers root access to servers and likely was exploited as a zero-day for about 30 days. The flaw, a CRLF/input-sanitization bug that affects all supported pre-patch versions and cPanel-owned WP Squared hosting, lets an attacker craft a session cookie after a failed login, send a specially crafted header to change privileges to root, and then authenticate as root. Given cPanel/WHM’s role in managing tens of millions of domains, the impact is severe. cPanel has released emergency patches and detection scripts; defenders are urged to patch immediately and run detection or incident-response tooling to check for compromise.
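The reports above describe the bug class (CRLF/input-sanitization in session handling) without publishing the exploit, and this page does not reproduce it. What follows is an added, deliberately generic illustration of that bug class, not cPanel's code or its session format: a hypothetical line-oriented session store whose encoder writes values verbatim, so a value carrying CR/LF can append a field (here a `role` field) that the loader then trusts, beside a hardened encoder that rejects control characters before anything reaches the store. The decoder's "last key wins" rule is an assumption chosen to make the injection visible; a "first key wins" loader would fail differently, not safely.

```python
import re
from typing import Dict

# Hypothetical record layout: one "key=value" pair per CRLF-terminated line.
# This is NOT cPanel's session format; it only models a line-oriented store.
LINE_SEP = "\r\n"
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def encode_session_unsafe(fields: Dict[str, str]) -> str:
    """Vulnerable pattern: values are written verbatim.

    A value containing CR LF terminates its own line early, and whatever
    follows is parsed as a new field when the session is loaded.
    """
    return "".join(f"{k}={v}{LINE_SEP}" for k, v in fields.items())


def encode_session_safe(fields: Dict[str, str]) -> str:
    """Hardened pattern: refuse any key or value that could break the framing.

    Control characters (including CR and LF) are rejected outright rather
    than stripped, so a crafted value cannot be partially accepted; '='
    is also refused in keys so a key cannot masquerade as another field.
    """
    for k, v in fields.items():
        if CONTROL_CHARS.search(k) or CONTROL_CHARS.search(v) or "=" in k:
            raise ValueError(f"refusing session field {k!r}: unsafe characters")
    return encode_session_unsafe(fields)


def decode_session(record: str) -> Dict[str, str]:
    """Load a record; later duplicates overwrite earlier ones (assumption)."""
    out: Dict[str, str] = {}
    for line in record.split(LINE_SEP):
        if "=" in line:
            k, v = line.split("=", 1)
            out[k] = v
    return out


def role_after_roundtrip(encoder, attacker_value: str) -> str:
    """Store a session whose User-Agent-like field is attacker controlled,
    then reload it and report which role the loader believes in.

    The field order puts the attacker-controlled value after the genuine
    role, so an injected 'role=' line wins under the last-key-wins rule.
    """
    fields = {"user": "guest", "role": "user", "ua": attacker_value}
    return decode_session(encoder(fields))["role"]


# Constructed attacker input: a benign-looking prefix, then a CRLF and a
# smuggled field. Only the framing trick is shown; nothing cPanel-specific.
INJECTED_VALUE = "Mozilla/5.0" + LINE_SEP + "role=root"

if __name__ == "__main__":
    print("unsafe encoder ->", role_after_roundtrip(encode_session_unsafe, INJECTED_VALUE))
    try:
        role_after_roundtrip(encode_session_safe, INJECTED_VALUE)
    except ValueError as err:
        print("safe encoder   ->", err)
```

The hardened encoder fails closed: it raises instead of sanitising, because a stripped value still reaches the store with whatever meaning remains and the caller is never told that input was hostile. The same check belongs on the loading side as well, since a record written by an older, unpatched encoder may already be on disk.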