Code Defence Cyber security

Critical cPanel and WHM authentication bypass CVE-2026-41940 exploited as zero-day

A critical authentication bypass vulnerability in the world's most popular web hosting control panel is under active zero-day exploitation. This flaw allows unauthenticated remote attackers to gain full administrative access to cPanel and WHM instances, bypassing all security checks.

Tracked as CVE-2026-41940, the vulnerability stems from a Carriage Return Line Feed (CRLF) injection in the session loading process. By injecting raw characters via a malicious authorization header, attackers can insert arbitrary properties into their session files, such as elevating their status to root. Intelligence suggests targeted exploitation began as early as February 2026, months before public disclosure.
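
A minimal model of the CRLF-injection class described above, added here as an illustration and not cPanel's code: the `key=value` session format, the field names and the sample input are assumptions constructed for this example. It contrasts a writer that stores values verbatim with one that rejects control characters, and adds an audit helper that flags duplicate keys in a stored session.

```python
import re

# Hypothetical session format for illustration: one "key=value" record per line.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

def write_session_unsafe(fields):
    """Vulnerable pattern: values are written verbatim, so CR/LF in a value starts a new record."""
    return "".join(f"{key}={value}\n" for key, value in fields)

def write_session_safe(fields):
    """Hardened pattern: refuse any key or value that could break record framing."""
    for key, value in fields:
        if CONTROL_CHARS.search(key) or "=" in key or CONTROL_CHARS.search(value):
            raise ValueError(f"illegal character in session field {key!r}")
    return write_session_unsafe(fields)

def load_session(text):
    """Parse records the way a naive loader would: the last value for a key wins."""
    session = {}
    for line in text.split("\n"):
        key, sep, value = line.rstrip("\r").partition("=")
        if sep:
            session[key] = value
    return session

def duplicate_keys(text):
    """Audit helper: keys that occur more than once in a stored session are suspect."""
    seen, dupes = set(), set()
    for line in text.split("\n"):
        key, sep, _ = line.partition("=")
        if sep:
            (dupes if key in seen else seen).add(key)
    return sorted(dupes)

# Constructed sample: the server sets "user"; "client_note" is client-controlled.
SAMPLE = [("user", "alice"), ("client_note", "hello\r\nuser=root")]

if __name__ == "__main__":
    stored = write_session_unsafe(SAMPLE)
    print(load_session(stored))       # injected record overrides "user"
    print(duplicate_keys(stored))     # the override shows up as a duplicate key
    try:
        write_session_safe(SAMPLE)
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting control characters at write time is the fix; the duplicate-key check is only a triage signal for sessions that were stored before the fix.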

Web hosting platforms are the gateway to thousands of enterprise websites and databases. A compromise at the WHM level grants the attacker root access to the entire host system, enabling mass data exfiltration, site hijacking, and the deployment of large-scale phishing infrastructure across all hosted tenants.

– Immediately upgrade cPanel and WHM to the latest security releases (11.110.0.97, 11.118.0.63, or higher).

– Audit all session files and authentication logs for unauthorized root-level logins originating from unknown IP addresses.

– Monitor for anomalous administrative account creation or changes to global server configurations.

– Enforce strict firewall rules to restrict access to ports 2083 and 2087 to authorized administrative subnets only.

When the management plane of the hosting ecosystem is compromised, every tenant site must be forensically treated as potentially breached. #CodeDefence #cPanel #ZeroDay #AuthBypass