Code Defence Cyber security

Widespread cPanel exploitation expected as PoC for root-level auth bypass goes public

Mass exploitation of the world's most popular web hosting control panel is now imminent following the publication of a functional proof-of-concept exploit. The flaw allows unauthenticated attackers to gain root-level control over cPanel and WHM instances by manipulating the session loading process.

Tracked as CVE-2026-41940, the vulnerability is a Carriage Return Line Feed (CRLF) injection in the `cpsrvd` daemon. Attackers can inject raw CRLF characters via a malicious authorization header, causing the system to write arbitrary properties, such as `user=root`, into a new session file. The publication of technical details by security firm watchTowr on April 29 has significantly lowered the barrier to automated exploitation by botnets.

With approximately 1.5 million cPanel instances exposed to the public internet, the potential blast radius for this flaw is massive. Successful exploitation grants complete control over the host system, its databases, and all managed websites, enabling site hijacking and mass malware distribution.

– Immediately upgrade cPanel and WHM to the latest security releases (11.110.0.97, 11.118.0.63, or higher).

– Audit the `/home/.cpanel/sessions` directory for any unauthorized session files created by the `cpsrvd` service.

– Monitor TCP ports 2083 and 2087 for anomalous traffic patterns or unauthorized basic authorization attempts.

– Transition all web hosting management to a least-privilege model where root access is strictly gated behind MFA and IP-restricted gateways.
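As an added example (not code from this post, watchTowr or cPanel), the session-directory audit from the second recommendation written as a small Python scanner. It assumes session files are plain-text `key=value` records, one property per line, and uses the `/home/.cpanel/sessions` path named above; the sample contents are constructed.

```python
from pathlib import Path
from typing import Dict, List, Union

# Assumption (not stated in the advisory): each session file is a set of
# "key=value" lines, which is what the injected `user=root` property implies.
SESSIONS_DIR = Path("/home/.cpanel/sessions")


def parse_session(text: str) -> Dict[str, List[str]]:
    """Parse key=value lines, keeping every value so duplicate keys stay visible."""
    props: Dict[str, List[str]] = {}
    for line in text.split("\n"):
        if not line.strip() or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props.setdefault(key.strip(), []).append(value)
    return props


def scan_session(text: str) -> List[str]:
    """Return findings for one session file: stray CRs, root sessions, duplicate keys."""
    findings: List[str] = []
    if "\r" in text:  # a bare CR is the footprint of the CRLF injection
        findings.append("bare carriage return present (possible CRLF injection)")
    props = parse_session(text)
    if any(u.strip() == "root" for u in props.get("user", [])):
        findings.append("session grants user=root")
    dupes = sorted(k for k, v in props.items() if len(v) > 1)
    if dupes:  # an injected property usually collides with the legitimate one
        findings.append("duplicate properties: " + ", ".join(dupes))
    return findings


def audit_directory(directory: Union[str, Path] = SESSIONS_DIR) -> Dict[str, List[str]]:
    """Map each suspicious session file name to its findings (empty dict if clean)."""
    directory = Path(directory)
    report: Dict[str, List[str]] = {}
    if not directory.is_dir():
        return report
    for entry in sorted(directory.iterdir()):
        if entry.is_file():
            findings = scan_session(entry.read_text(errors="replace"))
            if findings:
                report[entry.name] = findings
    return report


# Constructed sample records, not real captures.
BENIGN = "user=alice\ncreated=1714377600\n"
INJECTED = "user=alice\r\nuser=root\r\n"

if __name__ == "__main__":
    print(scan_session(INJECTED))  # three findings for the injected record
    print(audit_directory())
```

Run it as root on the host after patching; any file it reports should be removed and the matching session invalidated before the account's credentials are rotated.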

The publication of a PoC for a root-level bypass turns an urgent patch into an emergency remediation event. #CodeDefence #cPanel #AuthBypass #WebHosting #RCE