A serious security flaw in cPanel and WebHost Manager (WHM) is being actively exploited in the wild. Tracked as CVE-2026-41940, the bug lets unauthenticated attackers gain root-level access to web servers without knowing any passwords. No credentials needed. Just an HTTP request and some patience.
The flaw affects software that runs an estimated 70 million websites. watchTowr Labs published a technical proof-of-concept, and since then, major hosting providers including KnownHost and Namecheap have confirmed they were targeted. Evidence suggests attackers had been quietly using this as a zero-day since at least February 2026, roughly two months before any patch existed.
It’s gotten worse. A fully weaponized exploit framework called cPanelSniper is now publicly available on GitHub, and Shadowserver confirmed 44,000 unique IPs were observed scanning or actively exploiting vulnerable servers as of April 30. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on May 1.
What this actually means: Full server takeover. Not just one website – every site on the machine, plus the SSL keys, email databases, and SSH credentials sitting underneath them.
The Root Cause
The vulnerability carries a CVSS score of 9.8 and affects every cPanel & WHM version after 11.40, as well as WP Squared v136.1.7.
The bug lives in cPanel’s Session.pm module. Specifically, the saveSession() function writes session data to disk before calling filter_sessiondata() to sanitize it. That ordering mistake is the whole problem.
Because sanitization happens after the write, any CRLF characters (\r\n) embedded in an HTTP Authorization header go straight into the on-disk session file as-is. An attacker can use those line breaks to inject arbitrary fields – user=root, hasroot=1, tfa_verified=1 – and forge a fully authenticated root WHM session without supplying a single valid credential.
cPanel disclosed the issue on April 28, 2026 and pushed emergency patches the same day. By then, exploitation had already been running for two months.

The exploit is uncomfortably simple. It takes only a handful of HTTP requests.
First, an attacker sends a failed login. The password is wrong, but cPanel still creates a temporary session file and hands back a cookie. From there, the attacker strips the hex-encoded secret from the whostmgrsession cookie, which tricks cPanel into skipping the standard encryption step for the password field.
Then comes the real problem: the password field accepts hidden line breaks (\r\n) without sanitizing them. Those line breaks get written directly into the session file, and the attacker uses them to inject new key-value pairs – specifically user=root and hasroot=1. When cPanel reloads the session, it reads those injected flags, trusts them, and skips the password check entirely.
That’s it. Root access, no password required.
cPanelSniper: The Public Exploit Framework
Security researcher Mitsec released cPanelSniper on GitHub, and it removes whatever technical barrier was left. The tool is pure Python 3.8+ with no external dependencies, and it automates exploitation through four stages:

Stage 1 – Sends intentionally invalid credentials to mint a pre-auth WHM session, collecting the whostmgrsession cookie.
Stage 2 – Injects a CRLF payload through a crafted Authorization: Basic header, causing cpsrvd to write poisoned session fields directly to disk.
Stage 3 – Triggers an internal gadget via /scripts2/listaccts, which flushes the raw session data into cache and activates the injected fields.
Stage 4 – Confirms full root access by hitting /json-api/version. An HTTP 200 response means the server is compromised. The tool reports this as “PWNED.”
Beyond basic exploitation, cPanelSniper supports bulk scanning, pipeline integration with Subfinder and Shodan, an interactive WHM shell, command execution, account enumeration, and automated backdoor admin creation. This isn’t a script someone runs once against a single target – it’s built for scale.
How Bad Is the Damage So Far
The numbers are hard to sit with. Shadowserver tracked 44,000 unique IPs involved in scanning or active exploitation by April 30. Shodan shows roughly 650,000 cPanel/WHM instances exposed to the internet, with up to 1.5 million potentially vulnerable systems identified across all sources.
Exploitation goes back to at least February 23, 2026 – well before anyone outside the attacker community knew this vulnerability existed. Confirmed attack outcomes include ransomware deployment, mass website defacements, and botnet recruitment.
CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog on May 1, which at this point feels more like a formality than a warning.
Dark Web Activity
Threat intelligence teams have tracked a surge in chatter on Russian-language forums like XSS and Exploit.in. The PoC is being passed around, and some actors are sharing automated scanners to find unpatched targets. This isn’t a slow-burn situation – the tooling is already out there.

Affected Versions
WebPros has released emergency patches. If you’re running anything older than the versions below, your server is vulnerable:
- 110.0.x → patched in 11.110.0.97
- 118.0.x → patched in 11.118.0.63
- 126.0.x → patched in 11.126.0.54
- 132.0.x → patched in 11.132.0.29
- 134.0.x → patched in 11.134.0.20
- 136.0.x → patched in 11.136.0.5
- WP Squared 11.136.1 → patched in 11.136.1.7
What to Do Right Now
If you manage a cPanel/WHM server:
- Update immediately. Run /scripts/upcp --force to pull the latest build.
- Verify your version. Run /usr/local/cpanel/cpanel -V to confirm you’re patched.
- Rotate everything. This was exploited for months before the patch. If your server was internet-facing, treat it as potentially compromised – rotate root passwords, API tokens, and SSH keys.
- Audit session files. Check /var/cpanel/sessions/raw/ for entries with admin flags that don’t correspond to real logins.
- Block the ports if you can’t patch yet. Close 2083, 2087, 2095, and 2096 at the firewall to everything except trusted IPs. It’s not a fix, but it narrows the attack surface.
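A session-file audit along the lines of that step, written here as an added example and not cPanel’s or the write-up’s own code. It assumes the files under /var/cpanel/sessions/raw/ are line-oriented key=value records (which is what the CRLF injection relies on) and takes a caller-supplied set of session names that a trusted source, such as the login log, shows really authenticated; the sample session contents are constructed.

```python
import os
from collections import Counter

ROOT_GRANT_FIELDS = {"user": "root", "hasroot": "1"}  # fields the payload injects, per the write-up
SESSION_DIR = "/var/cpanel/sessions/raw"  # directory named in the remediation step


def parse_session(text):
    """Split a session file into (key, value) pairs, keeping duplicate keys and stray '\\r'.
    The layout is assumed to be one key=value per line, which is what the CRLF injection relies on."""
    pairs = []
    for line in text.split("\n"):
        if "=" in line:
            key, _, value = line.partition("=")
            pairs.append((key.strip(), value))
    return pairs


def audit_session(name, text, authenticated):
    """Return findings for one session (empty list means nothing suspicious).
    'authenticated' is an assumed input: session names a trusted source (e.g. the login log)
    shows really completed password/2FA checks."""
    pairs = parse_session(text)
    fields = dict(pairs)  # last value wins, which is exactly what a re-declared key exploits
    findings = []
    if any("\r" in v for _, v in pairs):
        findings.append("carriage return inside a value (CRLF injection residue)")
    dupes = sorted(k for k, n in Counter(k for k, _ in pairs).items() if n > 1)
    if dupes:
        findings.append("duplicate keys " + ", ".join(dupes))
    granted = sorted(k for k, v in ROOT_GRANT_FIELDS.items() if fields.get(k, "").rstrip("\r") == v)
    if granted and name not in authenticated:
        findings.append(f"root flags {granted} with no recorded login")
    return findings


def audit_directory(path, authenticated):
    """Audit every file under path; returns {filename: findings} for suspicious sessions only."""
    report = {}
    for entry in sorted(os.listdir(path)):
        full = os.path.join(path, entry)
        if os.path.isfile(full):
            # newline="" keeps '\r' intact; universal-newline mode would hide the residue
            with open(full, "r", errors="replace", newline="") as fh:
                found = audit_session(entry, fh.read(), authenticated)
            if found:
                report[entry] = found
    return report


# Constructed samples: a normal session and one carrying the injected fields
CLEAN_SESSION = "user=alice\nhasroot=0\ntfa_verified=1\n"
FORGED_SESSION = "user=bob\npass=x\r\nuser=root\r\nhasroot=1\r\ntfa_verified=1\r\n"
```

Run audit_directory(SESSION_DIR, authenticated) as root on the server; any session reported with root flags but no matching login is grounds to treat the host as compromised.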

Quick FAQ
I’m on shared hosting – am I affected?
Yes, if your provider hasn’t patched. An attacker with root on the server can read your files, hit your databases, and intercept your email.
How do I know if I was already compromised?
Look for unexpected cron jobs running as root, new keys in /root/.ssh/authorized_keys, and unauthorized accounts in WHM’s List Accounts or Reseller Center sections.
This report is based on ongoing threat intelligence and may be updated as more forensic data surfaces.