cPanel is a very popular hosting framework which is often very difficult to avoid exposing to the internet. The exploit for this weakness gives the attacker root access to cPanel (and from there easy RCE on the system), and the exploit is reliable, well documented, and affects all versions of cPanel except the latest patch. There are well over a million hosts exposed, and though cPanel does have some automated self-upgrade functionality, it can be turned off, and the window before an upgrade (usually up to 24h) is long enough for attacker to have already exploited this weakness. cPanel have provided a script you can use to detect if compromise has already occurred, which can be found here.
AI description
Automated description summarized from trusted sources.
CVE-2026-41940 is an authentication bypass vulnerability impacting cPanel & WHM and WP Squared products. This flaw allows unauthenticated remote attackers to bypass the login process and gain unauthorized administrative access to affected systems. The vulnerability stems from a Carriage Return Line Feed (CRLF) injection within the login and session loading mechanisms of cPanel & WHM, where an attacker can manipulate the `whostmgrsession` cookie to circumvent encryption. Successful exploitation of CVE-2026-41940 grants an attacker control over the cPanel host system, including its configurations, databases, and the websites it manages. Security firm watchTowr Labs has published a technical analysis and proof-of-concept exploit for this vulnerability, detailed in their blog post titled "The Internet Is Falling Down, Falling Down, Falling Down (cPanel & WHM Authentication Bypass CVE-2026-41940)". The vulnerability affects cPanel and WHM versions after 11.40, with patches available in later versions.
- Description
- cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
- Source
- disclosure@vulncheck.com
- NVD status
- Awaiting Analysis
CVSS 4.0
- Type
- Secondary
- Base score
- 9.3
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- CRITICAL
CVSS 3.1
- Type
- Secondary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- disclosure@vulncheck.com
- CWE-306
- Hype score
- Not currently trending