CPanel and WHM authentication bypass (CVE-2026-41940)
Vulnerability
Summary
Hide ▲
Show ▼
cPanel and WHM are affected by CVE-2026-41940, an authentication bypass in the login flow that can let unauthenticated remote attackers gain control-panel access. The flaw is rated 9.8/10.0, has a patch available, and was reported as actively exploited as a 0-day, raising immediate risk for exposed servers. cPanel has pushed fixes across supported versions and urged operators to update right away.
Cases
Related Happenings
CISA KEV mitigation for LiteSpeed cPanel Plugin (CVE-2026-54420)
Advisory/Mitigation
H score38
First: 16.06.2026 08:41
Last: 16.06.2026 08:41
Sources 1
About this happening:
CISA put **CVE-2026-54420** in **LiteSpeed cPanel Plugin** on the **KEV catalog**, ordering **FCEB agencies** to apply fixes by **June 18, 2026**. The flaw is a **CVSS 8.5 privile...
CISA KEV mitigation for LiteSpeed cPanel Plugin (CVE-2026-54420)
Advisory/MitigationAbout this happening: CISA put **CVE-2026-54420** in **LiteSpeed cPanel Plugin** on the **KEV catalog**, ordering **FCEB agencies** to apply fixes by **June 18, 2026**. The flaw is a **CVSS 8.5 privile...
LiteSpeed User-End cPanel Plugin root script execution security flaw (CVE-2026-48172)
Vulnerability
H score48
First: 23.05.2026 10:35
Last: 23.05.2026 10:35
Sources 1
About this happening:
**CVE-2026-48172** in the **LiteSpeed User-End cPanel Plugin** is now **actively exploited**, creating **root-level arbitrary script execution** risk for exposed cPanel systems. T...
LiteSpeed User-End cPanel Plugin root script execution security flaw (CVE-2026-48172)
VulnerabilityAbout this happening: **CVE-2026-48172** in the **LiteSpeed User-End cPanel Plugin** is now **actively exploited**, creating **root-level arbitrary script execution** risk for exposed cPanel systems. T...
CPanel authentication-bypass and persistent-access campaign targeting Southeast Asia
Campaign
H score44
First: 04.05.2026 12:27
Last: 04.05.2026 12:27
Sources 1
How related:
The actor built a durable access layer using OpenVPN, Ligolo, systemd persistence, and then used that access to pivot into an internal network and exfiltrate a substantial corpus of Chinese railway-sector documents,
About this happening:
A **previously unknown threat actor** ran a **cPanel authentication-bypass campaign** that combined public exploit code and custom access tooling to reach government, military, MS...
CPanel authentication-bypass and persistent-access campaign targeting Southeast Asia
CampaignHow related: The actor built a durable access layer using OpenVPN, Ligolo, systemd persistence, and then used that access to pivot into an internal network and exfiltrate a substantial corpus of Chinese railway-sector documents,
About this happening: A **previously unknown threat actor** ran a **cPanel authentication-bypass campaign** that combined public exploit code and custom access tooling to reach government, military, MS...
CPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)
Exploitation Wave
H score89
First: 04.05.2026 11:25
Last: 04.05.2026 11:25
Sources 1
How related:
Censys said its scans revealed approximately 15,000 potentially compromised instances within the first 24 hours following disclosure.
About this happening:
Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...
CPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)
Exploitation WaveHow related: Censys said its scans revealed approximately 15,000 potentially compromised instances within the first 24 hours following disclosure.
About this happening: Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...
CPanel CVE-2026-41940 mitigation guidance
Advisory/Mitigation
H score89
First: 30.04.2026 14:40
Last: 30.04.2026 14:40
Sources 1
How related:
The vendor strongly recommends that all customers restart the ‘cpsrvd’ service after installing the latest releases of the software:
About this happening:
cPanel issued mitigation guidance for **CVE-2026-41940** after fixes became available for **cPanel, WHM, and WP Squared**, urging customers to restart **cpsrvd** to reduce exposur...
CPanel CVE-2026-41940 mitigation guidance
Advisory/MitigationHow related: The vendor strongly recommends that all customers restart the ‘cpsrvd’ service after installing the latest releases of the software:
About this happening: cPanel issued mitigation guidance for **CVE-2026-41940** after fixes became available for **cPanel, WHM, and WP Squared**, urging customers to restart **cpsrvd** to reduce exposur...
Timeline
-
29.04.2026 12:37 2 articles · 2mo ago
cPanel emergency update for authentication bypass
Initial DisclosurecPanel released emergency updates for an unauthenticated authentication-bypass flaw in cPanel and WHM that can let remote attackers obtain control-panel access; the issue affects all currently supported versions, has no official identifier at release, and was later tracked as CVE-2026-41940.
Show sources
- Critical cPanel Authentication Vulnerability Identified — Update Your Server Immediately — thehackernews.com — 29.04.2026 12:37
- cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor — thehackernews.com — 11.05.2026 20:54
-
29.04.2026 12:37 1 articles · 2mo ago
Active zero-day exploitation reported for cPanel and WHM
Exploitation ObservedReports describe CVE-2026-41940 as an actively exploited zero-day against cPanel and WHM, with hosting-industry statements saying the flaw had been used in the wild for at least the last 30 days; technical analysis tied the abuse to CRLF injection in login and session loading, where manipulation of the `whostmgrsession` cookie and a malicious basic authorization header can yield administrator access.
Show sources
- Critical cPanel Authentication Vulnerability Identified — Update Your Server Immediately — thehackernews.com — 29.04.2026 12:37
-
29.04.2026 12:37 1 articles · 2mo ago
Namecheap blocks management ports and cPanel urges patching
Mitigation Patch UpdateNamecheap applied a firewall rule to block TCP ports 2083 and 2087, temporarily restricting customer access to cPanel and WHM interfaces until patching was complete, while cPanel urged administrators to update with `/scripts/upcp --force`, verify the build, restart services, or temporarily block inbound traffic on ports 2083, 2087, 2095, and 2096 or stop `cpsrvd` and `cpdavd`; the fix was reported as applied across Namecheap servers by April 29, 2026, 02:42 a.m. UTC.
Show sources
- Critical cPanel Authentication Vulnerability Identified — Update Your Server Immediately — thehackernews.com — 29.04.2026 12:37
-
29.04.2026 12:37 1 articles · 2mo ago
CISA adds CVE-2026-41940 to KEV
Legal Policy Action UpdateCISA added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog and set a May 3, 2026 deadline for Federal Civilian Executive Branch agencies to apply the patches, increasing remediation urgency for exposed cPanel and WHM management interfaces.
Show sources
- Critical cPanel Authentication Vulnerability Identified — Update Your Server Immediately — thehackernews.com — 29.04.2026 12:37