CVE-2026-41940: The cPanel Authentication Bypass That Runs 70 Million Domains and Is Being Weaponized Right Now
CVE-2026-41940 is a CVSS 9.8 authentication bypass in cPanel/WHM affecting every version after 11.40. It was a zero-day for two months, 44,000 IPs are now scanning, ransomware has deployed, and a state-linked actor is hitting Southeast Asian government networks. Patch now.
If you run a cPanel or WebHost Manager installation and you have not patched in the last week, stop reading this and go patch it. Now. Come back after.
Still here? Let me explain exactly what you're up against.
CVE-2026-41940 is a pre-authentication bypass in cPanel and WebHost Manager rated CVSS 9.8 — one point below the maximum possible. It affects every supported version of cPanel and WHM released after version 11.40, plus WP Squared, the WordPress management layer built on the same platform. According to Shodan telemetry cited by Rapid7, approximately 1.5 million cPanel instances are exposed to the public internet.
This is not theoretical. KnownHost, a managed cPanel hosting provider, confirmed exploitation attempts against their infrastructure as early as February 23, 2026 — two months before cPanel shipped a patch on April 28. The Shadowserver Foundation recorded 44,000 unique IP addresses scanning and exploiting honeypots on April 30 alone. Censys found 8,859 hosts with open directories showing files with the .sorry extension — ransomware deployed via this exact vulnerability. A state-linked threat actor has been using it to hit government and military networks across Southeast Asia. CISA added it to the Known Exploited Vulnerabilities catalog on May 1.
This is an active, mass-exploitation event against infrastructure that runs somewhere north of 70 million domains — much of it run by small hosting providers and MSPs who depend on their upstream vendors to handle patching, which is not a dependency you want right now.
What Is cPanel and Why Does This Vulnerability Have Such Extraordinary Impact?
You cannot understand the blast radius of this vulnerability without understanding what cPanel and WHM actually are.
cPanel is the dominant web hosting control panel. It's the UI that runs shared hosting infrastructure for hundreds of millions of websites globally. The product splits into two layers: WHM (WebHost Manager), which provides root-level server administration — SSL certificates, server security configurations, user management, the entire server configuration stack — and cPanel, the user-facing panel for individual hosting accounts.
Think of it as the keys to the kingdom, and then the keys to every individual apartment inside the kingdom. If the kingdom was the Internet and the apartments were websites.
WHM access is root-level access to the server. Not administrative access. Root. A successful exploit of CVE-2026-41940 against a shared hosting server doesn't just compromise one website. It compromises every website, every database, every email account, every private key, every configuration file, and every credential stored on that physical server. For a shared hosting environment with thousands of tenants on a single machine, one unauthenticated HTTP request — before any valid credentials are provided — hands an attacker root access to all of it.
cPanel underpins hosting for tens of millions of sites, many run by small outfits that rely on providers to handle security. For them, "patch now" often means "wait and hope," which is not a great place to be when a near-max severity bug is already being weaponized.
Three Weaknesses Lined Up End-to-End
CVE-2026-41940 is caused by a Carriage Return Line Feed (CRLF) injection in the login and session loading processes of cPanel and WHM. The mechanism is elegant in the worst possible way.
Before authentication occurs, cpsrvd — the cPanel service daemon — writes a new session file to disk. The session file records properties about the incoming connection: the username, authentication state, session metadata. This pre-authentication write is the attack surface.
The vulnerability exists at the intersection of three specific weaknesses:
Weakness 1: A sanitizer that wasn't called on the dangerous code path. cPanel already had a function to strip \r\n= and similar dangerous characters from session values. Calling it was the caller's responsibility. The Basic-auth handler in cpsrvd didn't invoke it.
Weakness 2: An encryption step that silently turned itself off. The session writer normally encrypts the password field using a per-session secret embedded in the session cookie. If that secret is missing, the original code skipped encryption entirely instead of refusing the operation. An attacker who sends a truncated cookie — omitting the expected segment — causes the payload to land on disk in plaintext.
Weakness 3: Pre-auth state is writable. Anything written to disk on the strength of an unauthenticated request must be assumed attacker-controlled. The session file was written before the authentication check, making its contents fully controllable by the attacker.
Two representations of the same data is a vulnerability shape. Raw vs. cache, JSON vs. flat, normalized vs. raw — wherever a parser disagrees with another parser about what a byte sequence means, that disagreement is exploitable. "Already authenticated" flags need cryptographic binding. A boolean in a session that says "skip the password check" must be unforgeable, not just present.
The attack chain:
- Attacker sends an HTTP request to the WHM login endpoint with a specially crafted Basic Authorization header containing raw
\r\ncharacters cpsrvdprocesses the request, writes the new session file to disk without sanitizing the injected characters- The
\r\ncharacters break the session file format, allowing the attacker to inject arbitrary properties — specificallyuser=root cpsrvdloads the session file and, seeinguser=rootalready set in the session, treats the connection as an authenticated root session- Full WHM root access is granted — no password was ever checked
Attackers can inject raw\r\ncharacters via a malicious basic authorization header, and the system subsequently writes the session file without sanitizing the data. As a result, the attacker can insert arbitrary properties, such asuser=root, into their session file.
The PoC published by Sina Kheirkhah at watchTowr Labs on April 29 — one day after the patch shipped — makes this concrete. The chain is fully unauthenticated. It is small. Mass scripted exploitation against 1.5 million exposed instances is technically trivial, which is exactly why CISA escalated it to their KEV catalog the same day the PoC dropped.
Two Months Before the Patch
The timeline here is genuinely alarming and deserves more attention than it's getting.
Exploitation was confirmed in the wild before cPanel's patch was released on April 28, 2026, with speculation of targeted zero-day exploitation happening as early as February 23, 2026, prior to the vulnerability's public disclosure.
February 23 to April 28 is 64 days. For 64 days, CVE-2026-41940 was being exploited in the wild — against real hosting infrastructure, against real tenants — with no available patch, no public disclosure, and no mechanism for defenders to know they were compromised or even at risk.
KnownHost's CEO Daniel Pearson confirmed this in a Reddit post, stating the provider had "seen execution attempts as early as 2/23/2026" and urged users to restrict access and assume systems could already be compromised if left unprotected.
The implications for incident response on any cPanel installation that wasn't patched the moment it became available: your system was at risk for two months before you had the option to patch it. Any forensic investigation of a compromised cPanel instance needs to account for the full zero-day window, not just the period after public disclosure.
The Exploitation Avalanche: 44,000 IPs, Mirai, and the "Sorry" Ransomware
Within 24 hours of disclosure, consistent with timelines tracked by organizations such as Zero Day Clock, the vulnerability appears to have been weaponized by multiple third parties. Overnight, Censys observed a sharp increase in the number of hosts newly classified as "malicious" across our dataset, with counts roughly doubling from the previous day.
By April 30, three distinct threat actor categories were actively exploiting:
Mass opportunistic scanning. The Shadowserver Foundation confirmed 44,000 unique IP addresses conducting scanning, exploitation attempts, and brute-force attacks against honeypots. This is automated exploitation at scale — botnets running the PoC against every reachable cPanel instance on the public internet.
Mirai botnet variants. Censys found evidence suggesting the cPanel vulnerability is being weaponized by multiple third-parties within 24 hours of public disclosure, including deploying Mirai botnet variants. Mirai is the infamous IoT malware that compromised hundreds of thousands of routers, cameras, and DVRs to launch some of the largest DDoS attacks ever recorded. A Mirai variant using CVE-2026-41940 as an infection vector means compromised cPanel servers are being recruited into DDoS botnets in addition to being exfiltrated.
The "Sorry" ransomware. Attackers have taken advantage of CVE-2026-41940 to mass-exploit vulnerable internet-facing cPanel instances to breach servers, deface websites and encrypt data. The ransomware used in some of the attacks is a Go(Lang)-based Linux encryptor that encrypts files and appends the .sorry extension to them, then drops a ransom note that instructs victims to get in touch via Tox.
The scale is already substantial: internet scanner Censys has found 8,859 hosts exposing open directories where filenames end in ".sorry," with 7,135 of those identified as running cPanel or WHM, which is strong evidence of large-scale automated exploitation.
The Go-based encryptor targeting Linux servers is consistent with modern ransomware development trends. Linux ransomware development has accelerated significantly over the past three years as ransomware operators recognized that large-scale hosting infrastructure and VMware ESXi deployments represent higher-value targets than Windows workstations. A cPanel server managing hundreds of customer websites is a far more valuable ransomware target than a single desktop.
The State-Linked Campaign: Government Networks, Custom Exploit Chains, Railway Intelligence
The mass exploitation is bad. What Ctrl-Alt-Intel found by identifying an exposed attacker C2 server is worse.
A previously unknown threat actor has been observed targeting government and military entities in Southeast Asia, alongside a smaller cluster of managed service providers (MSPs) and hosting providers in the Philippines, Laos, Canada, South Africa, and the U.S., by exploiting the recently disclosed vulnerability in cPanel.
The campaign's initial access vector centered on CVE-2026-41940, a critical CVSS 9.8 authentication bypass in cPanel and WHM affecting all versions after v11.40. The flaw exploits CRLF injection in the login and session-loading processes, allowing an unauthenticated attacker to manipulate the whostmgrsession cookie and gain full root-level administrative access without valid credentials.
But the cPanel exploitation was only one component of what Ctrl-Alt-Intel found. More significantly, Ctrl-Alt-Intel recovered a custom exploit targeting an Indonesian Defence sector training portal. The threat actor already possessed valid credentials and bypassed the portal's CAPTCHA mechanism by reading the expected CAPTCHA value directly from the page.
For persistence, the attacker combined OpenVPN and Ligolo into a layered pivot stack. An OpenVPN server was deployed on 95.111.250[.]175:1194/UDP as early as April 8, 2026, routing through the 10.8.0.0/24 client subnet. The Ligolo proxy agent was installed under a hidden directory /usr/local/bin/.netmon/, masqueraded as a systemd service named systemd-update.service, and configured to restart automatically — providing persistent re-entry even after reboots.
The exfiltration data recovered from the exposed C2 infrastructure is the most telling element. In total, 110 files (~4.37GB) were stolen from the China Railway Society Electrification Committee spanning .pptx, .pdf, .docx, and .xlsx formats dating from 2020 to 2024. Among the most sensitive materials were 2021 financial workbooks containing full names, PRC national ID numbers, bank account details, and phone numbers.
The victimology — Philippine and Laotian government and military domains, Indonesian defense sector, Chinese railway infrastructure data — is specific enough that Ctrl-Alt-Intel stopped short of firm attribution while noting the combination makes this "more significant than routine opportunism." The targeting pattern is consistent with intelligence collection operations focused on Southeast Asian defense and transportation infrastructure.
This is not a ransomware crew. Ransomware operators do not exfiltrate Chinese railway society financial records with national ID numbers. The cPanel CVE is being used as an initial access vector by at least one threat actor conducting what looks like state-directed intelligence collection.
What "Running All Supported Versions" Actually Means for Patch Management
According to cPanel, this vulnerability affects — and we cannot stress this enough — all currently supported versions of cPanel & WHM. Not some, or a few, or a specific release track.
This matters for the hosting ecosystem's update topology. A significant portion of cPanel installations run on shared hosting infrastructure managed by hosting providers — not by the companies whose websites are hosted on them. The tenant of a shared hosting account has no ability to patch the server. The hosting provider has to do it.
And hosting providers patch on their own schedules, which vary enormously. Enterprise-grade managed hosting patches within hours of a critical advisory. Budget shared hosting providers patch when they get around to it, or when enough customers complain, or when they notice they've been compromised. Some are running versions they haven't updated in years.
cPanel does support automatic updates. But server operators who have disabled auto-updates, pinned specific versions, or simply never configured updates are running vulnerable installations today. Servers with auto-update disabled or version pinning will not patch themselves.
The patched versions are:
- cPanel & WHM 136.1.1 (for the Stable tier)
- cPanel & WHM 136.0.11 (for the Release tier)
- cPanel & WHM 134.0.7 (for the Stable tier, older release)
- WP Squared 136.1.7
Detection and Response
For any cPanel or WHM installation:
# Apply the patch immediately
/scripts/upcp --force
# Verify the build version
cat /usr/local/cpanel/version
# Restart cpsrvd after updating (required)
/scripts/restartsrv_cpsrvd
# Check for indicators of compromise in access logs
grep -i "whostmgrsession" /usr/local/cpanel/logs/access_log | \
grep -v "=" | head -50
# Truncated whostmgrsession cookies (missing the = separator) are suspicious
# Check for unauthorized sessions in WHM session files
ls -la /var/cpanel/sessions/
# Look for sessions created at unusual times or with unexpected properties
Look for the known C2 indicators in your network logs:
- Outbound connections to
95.111.250[.]175on any port - OpenVPN traffic on UDP 1194 to unfamiliar endpoints
- New systemd services named
systemd-update.servicethat weren't there before - Processes from
/usr/local/bin/.netmon/
For the ransomware: - Files with
.sorryextensions across your hosting directories - Ransom notes instructing Tox contact
- Unusual encryption-pattern I/O on hosting directories
Run cPanel's detection script to identify potentially compromised sessions. cPanel has also released an updated version of the detection script to address additional false positives flagged by the initial version.
For the broader hosting ecosystem: if you provide managed hosting services and have customer installations running cPanel, your SLA with those customers likely requires you to patch critical vulnerabilities. CVE-2026-41940 is in CISA's KEV. Federal agencies were required to patch by May 3. If you're a commercial hosting provider and you haven't patched, you're operating outside the standard of care.
The Broader Point About Pre-Authentication Vulnerabilities in Hosting Control Panels
This isn't the first critical pre-auth vulnerability in hosting control panel software and won't be the last. The architectural pattern — a daemon that writes state to disk before completing authentication, taking input from the unauthenticated request to populate that state — is a recurring vulnerability class in software that was designed before modern security-by-default expectations.
The lesson isn't specific to cPanel. It's that control panel software, web application firewalls, VPN concentrators, and any network-facing administrative interface that processes input before completing authentication is a high-value target for exactly this class of vulnerability. The attack surface is administrative access. The reward for a successful exploit is root access to the server. The barrier to exploitation after a PoC is published is running a script.
Two things would have prevented this:
- Never write attacker-influenced data to disk before authentication is complete
- Sanitize the input that is written, in the function that writes it, not in the callers
That's it. Those two properties, if present, make this specific vulnerability impossible. They've been known principles for decades. The gap between "known principle" and "deployed correctly in production code" is where CVEs live.
The SSRF breakdown covers server-side request forgery — a common follow-on attack after an authentication bypass gives an attacker access to an internal web panel. The security misconfiguration article covers the class of configuration weaknesses that make a successful authentication bypass more impactful. The supply chain security article is relevant for MSPs and hosting providers: your patching discipline is your customers' security posture.