Critical cPanel & WHM Authentication Flaw Exposes Servers to Unauthorized Access
cPanel disclosed a critical login authentication vulnerability in cPanel & WHM that can allow unauthorized access to affected servers, and released fixes for supported versions on April 28, 2026. Public technical details were limited and no CVE had been assigned at the time of disclosure, but changelog references tied the issue to session loading and saving under CPANEL-52908. The flaw affects multiple supported release tiers, and cPanel urged administrators to upgrade immediately.
Patched builds were issued for versions 110, 118, 126, 132, 134, and 136, while unsupported or end-of-life deployments are also considered likely at risk. The exposure is significant because WHM is used for server administration and cPanel manages individual hosting accounts, meaning successful exploitation could compromise both administrative and tenant access paths. Security teams were advised to rapidly inventory internet-facing cPanel assets, identify impacted versions, and prioritize emergency remediation across hosted environments.
How this story unfolded
21 events from the most recent confirmed update back to the earliest known activity.
Cyber Centre flags new cPanel and WP Squared security advisory
On 2026-05-13, Canada's Cyber Centre published advisory AV26-464 after cPanel issued new security advisories for cPanel & WHM and WP Squared. The notice said affected cPanel & WHM versions were those prior to multiple fixed releases, referenced WP Squared 11.136.1.12, and urged administrators to review cPanel guidance and apply updates.
Macnica reports 194 exposed cPanel/WHM servers in Japan hit by Sorry ransomware
Macnica’s Security Research Center said 194 of 1,692 publicly exposed cPanel/WHM servers in Japan had been compromised with Sorry ransomware amid exploitation of CVE-2026-41940. The disclosure provided a new country-specific impact assessment beyond earlier general reporting on ransomware activity tied to the flaw.
XLab attributes CVE-2026-41940 backdoor campaign to Mr_Rot13
On 2026-05-11, Qianxin XLab linked ongoing exploitation of CVE-2026-41940 to a threat cluster it calls "Mr_Rot13" and described a Go-based malware family used after compromise. The report said the operators changed root passwords, implanted SSH keys, installed PHP webshells and credential-stealing JavaScript, exfiltrated data to attacker infrastructure and Telegram, and deployed a cross-platform remote-control trojan named "filemanager."
Rapid7 opens Metasploit exploit module PR for CVE-2026-41940
A Rapid7 Metasploit Framework pull request was opened to add an exploit module for the cPanel/WHM authentication bypass RCE tracked as CVE-2026-41940. The public PR indicated work was underway to integrate exploitation into Metasploit, marking a new stage in commoditization of the flaw.
Shadowserver reports 44,000 likely compromised cPanel/WHM IPs
By 2026-05-04, Shadowserver Foundation reported more than 572,000 exposed cPanel/WHM instances worldwide and said over 44,000 IPs were likely already compromised amid exploitation of CVE-2026-41940. The figures provided a new global estimate of exposure and impact beyond earlier reports of scanning and mass exploitation.
Unknown actor targets MSP and hosting networks with CVE-2026-41940
Ctrl-Alt-Intel reported on 2026-05-02 that a previously unknown threat actor exploited CVE-2026-41940 to target government and military entities in Southeast Asia, especially in the Philippines and Laos, as well as MSPs and hosting providers in multiple countries. The activity reportedly used public PoC code and post-compromise tooling including AdapdixC2, OpenVPN, Ligolo, and systemd persistence, expanding the known campaign beyond earlier military-focused reporting.
Researchers detail Indonesian defense portal breach tied to CVE-2026-41940
On 2026-05-02, researchers disclosed that a campaign exploiting CVE-2026-41940 also compromised an Indonesian defense-sector training portal using valid credentials, CAPTCHA bypass, SQL injection, and PostgreSQL COPY TO PROGRAM for command execution. The intrusion reportedly enabled internal pivoting and exfiltration of 110 files totaling about 4.37 GB, including sensitive Chinese railway documents and personal data.
South-East Asian military entities reported targeted via CVE-2026-41940
Ctrl-Alt-Intel reported that South-East Asian military entities were targeted through exploitation of CVE-2026-41940 in cPanel. This was a newly disclosed victim and campaign development beyond the previously documented mass exploitation and public exploit releases.
cPanelSniper exploit framework for CVE-2026-41940 is publicly released
On 2026-05-02, reporting said security researcher Mitsec published cPanelSniper, a weaponized GitHub exploit framework for CVE-2026-41940 that automates session forgery, bulk scanning, shell access, and post-exploitation actions. The release marked a new escalation beyond earlier technical analysis and PoC disclosures by making a more operational attack tool publicly available.
Censys reports mass compromise wave hitting exposed cPanel/WHM hosts
On 2026-05-01, Censys linked a sharp increase of more than 15,000 newly maliciously classified internet hosts to exploitation targeting cPanel/WHM systems after disclosure of CVE-2026-41940. The company said the activity included at least two post-compromise paths—Mirai-related malware and ransomware appending a ".sorry" extension—indicating large-scale automated exploitation was ongoing.
HostGator takes defensive action against CVE-2026-41940
By 2026-04-30, reporting indicated that hosting provider HostGator had joined other providers in responding to CVE-2026-41940 by restricting cPanel/WHM access and applying patches. This added HostGator to the list of providers publicly responding to the in-the-wild exploitation of the flaw.
Cato Networks publishes IPS signatures and IOCs for CVE-2026-41940
On 2026-04-30, Cato Networks said it observed exploitation attempts targeting CVE-2026-41940 and released IPS signatures for virtual patching along with network indicators linked to infrastructure geolocated to Ireland, Japan, and the United States. The disclosure added new defender-focused detection content beyond earlier vendor advisories and cPanel's own IOC script.
CISA adds CVE-2026-41940 to KEV catalog
CISA added CVE-2026-41940, affecting WebPros cPanel & WHM and WP2/WordPress Squared, to its Known Exploited Vulnerabilities catalog. The KEV entry set a remediation due date of 2026-05-03 and directed organizations to apply vendor mitigations, follow BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable.
cPanel releases IOC detection script for CVE-2026-41940
cPanel published a detection script to help administrators identify possible exploitation of CVE-2026-41940 by scanning /var/cpanel/sessions for suspicious token patterns and malformed session attributes. The guidance accompanied mitigation advice for organizations unable to patch immediately.
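The following is an added illustration of the kind of check such a script performs; it is not cPanel's own IOC script. It assumes session files are plain-text key=value files under /var/cpanel/sessions/raw/ (an assumption about the format), that field names are illustrative, and it flags the anomaly a CRLF injection into session loading or saving would leave behind: control characters, especially a carriage return, inside a session attribute.

```python
"""Flag malformed attributes in cPanel-style session files (added example)."""
import re
from pathlib import Path

# A well-formed key is a plain identifier; values must carry no control characters.
KEY_RE = re.compile(r"^[A-Za-z0-9_]+$")
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# Session file names are assumed to use a limited charset (assumption, not cPanel's rule).
SESSION_NAME_RE = re.compile(r"^[A-Za-z0-9:_.-]+$")


def check_session(name: str, content: bytes) -> list[str]:
    """Return findings for one session file; an empty list means nothing suspicious."""
    findings = []
    if not SESSION_NAME_RE.match(name):
        findings.append(f"{name}: unexpected characters in session file name")
    # A bare CR never belongs in these files: an embedded CRLF is the
    # signature of a line-splitting injection into session data.
    if b"\r" in content:
        findings.append(f"{name}: carriage return inside session data")
    text = content.decode("utf-8", errors="replace")
    for lineno, line in enumerate(text.split("\n"), 1):
        if not line:
            continue
        if "=" not in line:
            findings.append(f"{name}:{lineno}: line is not key=value")
            continue
        key, value = line.split("=", 1)
        if not KEY_RE.match(key):
            findings.append(f"{name}:{lineno}: malformed key {key!r}")
        if CONTROL_CHARS.search(value):
            findings.append(f"{name}:{lineno}: control characters in value of {key!r}")
    return findings


def scan_dir(path: str) -> dict[str, list[str]]:
    """Run check_session over every regular file in a sessions directory."""
    results = {}
    for entry in Path(path).iterdir():
        if entry.is_file():
            findings = check_session(entry.name, entry.read_bytes())
            if findings:
                results[entry.name] = findings
    return results


# Constructed samples, not real sessions: one clean, one with an injected CRLF.
SAMPLES = {
    "alice:abc123:session": b"user=alice\nlast_login_ts=0\n",
    "bob:def456:session": b"user=bob\r\nlast_login_ts=1700000000\n",
}

if __name__ == "__main__":
    for sample_name, sample_content in SAMPLES.items():
        for finding in check_session(sample_name, sample_content):
            print(finding)
```

Run it as root against /var/cpanel/sessions/raw/ with scan_dir to list only the files that produced findings.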
watchTowr publishes CVE-2026-41940 technical analysis and PoC
watchTowr published a technical analysis and proof-of-concept exploit for CVE-2026-41940, the critical cPanel & WHM authentication bypass. The disclosure provided deeper detail on the CRLF injection flaw and raised concern that broader exploitation would follow.
Cyber Centre flags cPanel advisory affecting WP Squared
Canada's Cyber Centre published advisory AV26-404 noting that cPanel's April 28, 2026 security advisory addressed vulnerabilities in both cPanel software and WP Squared. It listed affected versions including WP Squared 11.136.1.7 and urged administrators to review cPanel guidance and apply updates.
cPanel WHM flaw assigned CVE-2026-41940 amid in-the-wild exploitation
By 2026-04-29, reporting on cPanel's critical WHM authentication bypass identified the issue as CVE-2026-41940 and said it had been exploited in the wild before patches were released. The flaw was described as affecting nearly all known cPanel and WHM versions, including some end-of-life releases, with risk of administrative server compromise.
Namecheap blocks cPanel ports and begins deploying fixes
Following cPanel's disclosure, Namecheap said it temporarily blocked TCP ports 2083 and 2087 to limit access to cPanel and WHM while patches were rolled out. By 2026-04-29 02:42 UTC, it reported fixes had been applied to Reseller and Stellar Business servers, with remaining systems also being addressed.
runZero publishes guidance to identify exposed cPanel & WHM assets
runZero published analysis and asset-discovery guidance following cPanel's disclosure, noting that public technical details were still limited and no CVE had yet been assigned. The post also warned that unsupported or end-of-life versions were likely affected and provided a query to help organizations find impacted systems.
cPanel releases fixes for critical login authentication flaw
cPanel disclosed a critical login authentication vulnerability affecting multiple supported versions of cPanel & WHM and released patched builds for versions 110, 118, 126, 132, 134, and 136. The issue was described as potentially allowing unauthorized access to affected servers, with changelogs tying it to CPANEL-52908.
KnownHost observes CVE-2026-41940 exploitation attempts
KnownHost reported seeing successful exploitation of the cPanel & WHM authentication bypass before a fix was available, with execution attempts observed as early as 2026-02-23. This indicates the flaw was being exploited as a zero-day well before cPanel's public disclosure and patch release.
Sources
50 references tracked; the following are listed on this page.
cPanel security advisory (AV26-464) - Canadian Centre for Cyber Security (cyber.gc.ca)
Threat actor Mr_Rot13 exploits critical cPanel flaw to deploy Filemanager backdoor | brief | SC Media (scworld.com)
Attackers exploit cPanel CVE-2026-41940 to deploy Filemanager Backdoor (securityaffairs.com)
Filemanager Fever: MrRot_13’s cPanel Exploitation Campaign Is Spreading Fast - SecPod Blog (secpod.com)
cPanel security advisory (AV26-404) - Canadian Centre for Cyber Security (cyber.gc.ca)
CVE-2026-41940 | AttackerKB (attackerkb.com)
All supported cPanel versions hit by critical auth bug, now patched (securityaffairs.com)
Critical cPanel Authentication Vulnerability Identified - Update Your Server Immediately (thehackernews.com)