CVE-2026-41940: The cPanel Zero-Day Exploited for Two Months Before Anyone Could Patch It


A CVSS 9.8 authentication bypass let attackers take over 1.5 million cPanel servers - and exploitation started 64 days before the patch existed.


AnIntent Editorial


Attackers were quietly compromising cPanel servers as early as February 23, 2026, more than two months before the vendor knew the bug existed. By the time WebPros published its emergency advisory on April 28, ransomware crews, a Mirai variant, and at least one government-aligned actor were already racing through the same hole. The CVE-2026-41940 cPanel vulnerability is now one of the worst hosting-industry incidents in years, and the timeline is the part that should worry defenders most.

A two-month head start for attackers

Managed hosting provider KnownHost confirmed in-the-wild exploitation, with telemetry pointing to evidence of exploitation as early as late February 2026, roughly two months before cPanel released a patch on April 28, 2026. Rapid7's emerging-threat report puts the same timeline against a sobering exposure number: approximately 1.5 million internet-exposed cPanel instances per Shodan telemetry. That is the population that was reachable, vulnerable, and unaware.

The scale of the platform makes the math worse. watchTowr, whose researcher Sina Kheirkhah disclosed the bug, noted that cPanel and WHM run north of 70 million domains, depending on the source. A pre-authentication bypass on that footprint is closer to internet infrastructure failure than a routine CVE.

What CVE-2026-41940 actually does

The vulnerability is a missing-authentication flaw in cPanel's session loading logic. According to watchTowr's technical writeup, the root cause is brutally simple: if either a successful_external_auth_with_timestamp or successful_internal_auth_with_timestamp property is set in the session file, password validation is skipped and AUTH_OK is returned unconditionally. The /etc/shadow file is never consulted.

Getting that property into a session file relies on a CRLF injection in the Basic-auth handler. An unauthenticated attacker sends a malformed Authorization: Basic header containing raw \r\n characters, which cpsrvd writes into a session file without sanitization. By manipulating the whostmgrsession cookie to skip per-session encryption, the attacker can plant user=root, hasroot=1, and a forged auth timestamp into a file the server will happily load on the next request.
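The defensive counterpart to that injection, added here as an illustration and not cpsrvd's own code: a Basic-auth parser that validates the header's shape before anything is decoded or stored, so CR/LF can never reach a session record. The function names and the rejection rules are this example's own assumptions.

```python
import base64
import binascii
import re

# Exact shape of a well-formed Basic credential: the scheme, one space, then
# base64 alphabet only. CR, LF or any extra field fails the match outright.
# Constructed for this example; this is not cPanel's parser.
_BASIC_RE = re.compile(r"Basic [A-Za-z0-9+/]+={0,2}")


def encode_basic(user, password):
    """Build a well-formed header value (used here to construct sample input)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header_value):
    """Return (user, password), or None if the header must be rejected.

    Validation happens before decoding or persistence, which is exactly the
    property the CRLF injection described above relies on being absent.
    """
    if not isinstance(header_value, str) or not _BASIC_RE.fullmatch(header_value):
        return None
    try:
        decoded = base64.b64decode(header_value[len("Basic "):], validate=True)
        creds = decoded.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # A control character that survived base64 decoding is just as dangerous
    # once the decoded credential is written into a line-oriented record.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in creds):
        return None
    user, sep, password = creds.partition(":")
    if not sep or not user:
        return None
    return user, password
```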

The scoring reflects what that chain enables. Rapid7 confirms a CVSS score of 9.8 and notes that a successful exploit grants attackers full administrative control over the cPanel host, its configurations, every database it manages, and every website it serves in a shared hosting environment. On a shared host, a single compromise can cascade to hundreds of customer organizations.

A decade of vulnerable builds

The age of the affected code is the under-discussed part of this story. Australia's ASD ACSC notes that the vulnerability affects all versions after cPanel 11.40, which was released in 2013 - meaning over a decade of builds shipped the same broken auth path.

WebPros released fixes across six supported branches simultaneously. Per watchTowr, the patched builds are:

  • 11.110.0.97
  • 11.118.0.63
  • 11.126.0.54
  • 11.132.0.29
  • 11.134.0.20
  • 11.136.0.5 (from 11.136.0.4)
  • WP Squared 136.1.7

Servers with auto-update disabled or pinned to a specific build will not pick up the fix on their own. Operators have to verify the installed version on each host after running the update script.

How the cPanel WHM zero-day patch rolled out

The vendor moved fast once it knew. The Hacker News reported that WebPros International L.L.C. published the security advisory on April 28 and released security updates a few hours later. CISA added the bug to its Known Exploited Vulnerabilities catalog two days later, and according to the same coverage, the addition required Federal Civilian Executive Branch agencies to apply patches by May 3, 2026.

Major hosts didn't wait for customers to act. Namecheap blocked TCP ports 2083 and 2087 as a precautionary firewall rule and applied the patch to its servers by April 29, 2026 at 02:42 a.m. UTC. KnownHost, HostPapa, InMotion, and hosting.com took similar network-level action within hours of the advisory. That kind of coordinated port-blocking across competing providers is rare and tells you how seriously the operations side took the threat.

Australia's ASD ACSC confirmed active exploitation in Australia and pushed administrators to review networks for vulnerable versions, limit internet exposure of the interface, apply patches, monitor for suspicious activity, and run vendor IoC detection scripts.

The cPanel ransomware attack and the campaigns that followed

What started as quiet probing turned into a free-for-all once the technical details were public. Help Net Security describes how exploratory probing evolved into multi-actor exploitation, leading to disrupted websites, ransomware and malware deployment, and targeted attacks.

The ransomware piece is concrete. According to Help Net Security's reporting, the strain is a Go-based Linux encryptor that encrypts files and appends the .sorry extension, then drops a ransom note instructing victims to contact the operators via Tox. Censys found 8,859 hosts exposing open directories with filenames ending in .sorry, and 7,135 of those were running cPanel or WHM - a near-perfect overlap that puts attribution beyond reasonable doubt.

A second campaign runs in parallel. The same Help Net Security writeup describes a Mirai botnet variant called nuclear.x86 targeting vulnerable cPanel installations to create new admin accounts, disable security logging, drop crypto miners, and harvest credentials. Persistence mechanisms documented by Nocinit include stolen credentials, planted SSH keys, hidden cron jobs, leftover API tokens, sudoers backdoors, and unfiltered control-plane ports. Patching closes the front door but leaves all of those behind on already-compromised hosts.

Targeting that goes beyond opportunistic crime

Not every attacker is after crypto-miner revenue. The Hacker News documented activity from Ctrl-Alt-Intel showing the campaign hitting government and military entities in Southeast Asia, plus MSPs and hosting providers in the Philippines, Laos, Canada, South Africa, and the United States, detected on May 2, 2026.

The same threat actor used a separate custom exploit chain against an Indonesian defense sector training portal before pivoting to cPanel, employing SQL injection and remote code execution. That progression - bespoke targeting of a defense system, then a mass exploitation campaign against the cPanel install base - points to an operator using the same access for different objectives at different points in the timeline.

The scanning data confirms that scale. The Hacker News reports that at least 44,000 IP addresses likely compromised via CVE-2026-41940 engaged in scanning and brute-force activity against Shadowserver Foundation honeypots on April 30, 2026, with that figure dropping to 3,540 by May 3 as patches landed and providers walled off ports.

What the cPanel authentication bypass exploit means for shared hosting

This incident exposes a structural problem the industry rarely talks about. Control panels are management-plane software, and a management-plane bypass is fundamentally different from an application bug. One reliable pre-auth exploit on a popular control panel is worth more than a portfolio of CMS vulnerabilities, because the attacker lands above the tenancy boundary instead of inside one tenant.

Shared hosting compounds the asymmetry. A single compromised WHM gives an attacker every site on that node, every database, and the credential material needed to pivot anywhere those credentials are reused.

There is also a less obvious lesson in the patch architecture. Six concurrent fixed branches exist because cPanel supports a long tail of customer environments running older PHP, older OS images, and older applications. That long tail is what kept some customers on the platform for a decade. It is also what made a 2013-era code path still exploitable in 2026.

What administrators should watch for next

For anyone who ran an internet-exposed cPanel host between February 23 and April 28, patching is necessary but not sufficient. The window during which the bug was a true zero-day was long enough to plant durable persistence on a meaningful share of the install base.

A few specific actions should sit at the top of the queue:

  • Verify the patched build directly on the host. Dashboard reporting can lag, and pinned environments will not auto-update.
  • Run the vendor's IoC detection script against session files, and audit /var/log/ for unexpected logins before April 28.
  • Audit WHM accounts, FTP and email accounts, and SSH keys for entries you didn't create.
  • Rotate credentials and API tokens stored on the affected host, including database and third-party service keys.
  • Review cron jobs, sudoers entries, and any open management ports that don't belong.
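A worked version of the first bullet, added here as example code (not cPanel's or watchTowr's): it maps an installed build string to its branch and compares it against the patched builds listed above, then groups a fleet inventory by status. How you obtain the build string from each host is left to the caller, since this page does not give that path; the function names are this example's own.

```python
# Fixed builds per supported branch, as listed earlier in this article.
# Branch key: first two version components for cPanel, first one for WP Squared.
PATCHED_BUILDS = {
    "cpanel": {
        "11.110": (11, 110, 0, 97),
        "11.118": (11, 118, 0, 63),
        "11.126": (11, 126, 0, 54),
        "11.132": (11, 132, 0, 29),
        "11.134": (11, 134, 0, 20),
        "11.136": (11, 136, 0, 5),
    },
    "wp_squared": {
        "136": (136, 1, 7),
    },
}
BRANCH_COMPONENTS = {"cpanel": 2, "wp_squared": 1}


def parse_version(text):
    """Turn '11.136.0.4' into (11, 136, 0, 4); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(part.isdigit() for part in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in parts)


def patch_status(version_text, product="cpanel"):
    """Classify one build as 'patched', 'vulnerable' or 'no_fix_for_branch'."""
    version = parse_version(version_text)
    width = BRANCH_COMPONENTS[product]
    branch = ".".join(str(n) for n in version[:width])
    fixed = PATCHED_BUILDS[product].get(branch)
    if fixed is None:
        # No fixed build exists on this branch; the host needs a branch upgrade.
        return "no_fix_for_branch"
    return "patched" if version >= fixed else "vulnerable"


def classify_fleet(inventory, product="cpanel"):
    """Group {host: version} by status; malformed versions land in 'unknown'."""
    report = {"patched": [], "vulnerable": [], "no_fix_for_branch": [], "unknown": []}
    for host, version_text in sorted(inventory.items()):
        try:
            report[patch_status(version_text, product)].append(host)
        except ValueError:
            report["unknown"].append(host)
    return report
```

Anything in the vulnerable or no_fix_for_branch buckets has to be treated as still exposed, and a host reporting a pinned or unparseable build should be inspected by hand.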

watchTowr has released a Detection Artifact Generator to help defenders identify vulnerable hosts, which pairs naturally with the cPanel-published IoC script.

The scanning numbers are still elevated and the ransomware infrastructure is live. Expect a long tail of incidents tied to access purchased or established during the 64-day zero-day window, surfacing as ransomware events, defacements, and supply-chain compromises through the rest of the second quarter. If your environment was exposed during that window and you cannot prove it wasn't touched, the safer assumption is that it was.
