CVE-2026-41940
Critical Authentication Bypass in cPanel & WHM
Security Advisory
April 3, 2026
Kudelski Security Team

Summary

A critical authentication bypass vulnerability, tracked as CVE-2026-41940, affects multiple versions of cPanel & WHM. The flaw enables unauthenticated remote attackers to gain administrative access to hosting control panels without valid credentials.

With a CVSS score of 9.3 (Critical) and publicly available exploit code, this issue presents an immediate and severe risk to internet-facing systems.

Affected Products

cPanel & WHM Versions

  • 11.110.0 → 11.110.0.96
  • 11.118.0 → 11.118.0.62
  • 11.126.0 → 11.126.0.53
  • 11.130.0 → 11.130.0.17
  • 11.132.0 → 11.132.0.28
  • 11.134.0 → 11.134.0.19
  • 11.136.0 → 11.136.0.4
  • 11.86.0 → 11.86.0.40

WP Squared Versions

  • 136.1.0 → 136.1.6

Technical Analysis

The vulnerability stems from a logic flaw in the authentication workflow of cPanel/WHM services.

Improper validation of authentication state within the login flow, combined with a trust boundary violation between pre-authentication and post-authentication request handling, results in a failure to enforce authentication checks on critical endpoints.

Analysis from the security community indicates the issue involves a session/state confusion condition rather than a simple credential bypass. Certain API or web endpoints incorrectly accept requests as authenticated due to improper session initialization, incomplete validation of login tokens, and backend trust of client-controlled parameters in specific flows.

Attackers can initiate crafted requests to login endpoints, manipulate request parameters or headers to simulate an authenticated state, and access privileged functionality without credentials. This level of access effectively grants administrative control over WHM and associated cPanel instances.

As a result, attackers may control hosted domains and accounts, deploy malware or web shells, modify DNS, email, and hosting configurations, exfiltrate sensitive data, and pivot into internal infrastructure. The absence of authentication requirements and low complexity of exploitation significantly increase the likelihood of widespread compromise, particularly for internet-exposed systems.

Exploitation occurs over standard HTTPS interfaces, typically ports 2083 and 2087, and does not require brute force, credential stuffing, or user interaction.
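To illustrate the class of flaw the analysis describes, here is an added, hypothetical example that is not cPanel code and does not reproduce the actual vulnerability: a handler that treats the presence of a pre-authentication session cookie, or a client-supplied parameter, as proof of login, beside a handler that consults only server-side session state bound at a real credential check. Every name in it (`SESSIONS`, `handle_vulnerable`, `handle_hardened`, the demo credential) is constructed for this illustration.

```python
import hmac
import secrets

# Constructed demo credential store (example data, not from the advisory)
USERS = {"root": "correct-horse"}

# Server-side session store: session id -> authenticated user, or None while
# the session exists but nobody has logged in on it yet (pre-auth state).
SESSIONS: dict = {}


def new_session() -> str:
    """Issue a session cookie when the login page is first rendered (pre-auth)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = None
    return sid


def login(sid: str, user: str, password: str) -> bool:
    """Bind an identity to an existing session only after a real credential check."""
    expected = USERS.get(user)
    if sid not in SESSIONS or expected is None:
        return False
    if not hmac.compare_digest(expected.encode(), password.encode()):
        return False
    SESSIONS[sid] = user
    return True


def handle_vulnerable(params: dict, cookies: dict) -> int:
    """Flawed pattern (hypothetical): a client-controlled flag, or the mere
    existence of a session cookie that was issued before login, is accepted
    as proof of authentication. Returns an HTTP status code."""
    if params.get("authenticated") == "1":
        return 200
    if cookies.get("session") in SESSIONS:
        return 200
    return 401


def handle_hardened(params: dict, cookies: dict) -> int:
    """Correct pattern: authentication state lives only in the server-side
    store and is re-checked on every privileged request; request parameters
    play no part in the decision."""
    user = SESSIONS.get(cookies.get("session"))
    if user is None:
        return 401
    return 200


def demo() -> dict:
    """Exercise both handlers with a pre-auth session and a forged flag."""
    sid = new_session()
    pre_auth = dict(params={}, cookies={"session": sid})
    results = {
        "vuln_pre_auth": handle_vulnerable(**pre_auth),      # 200: bypass
        "hard_pre_auth": handle_hardened(**pre_auth),        # 401: denied
        "vuln_forged_flag": handle_vulnerable({"authenticated": "1"}, {}),
        "hard_forged_flag": handle_hardened({"authenticated": "1"}, {}),
    }
    login(sid, "root", "correct-horse")
    results["hard_after_login"] = handle_hardened(**pre_auth)  # 200 only now
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the comparison is the location of the state: the hardened handler never reads authentication status from the request, and a session created at page load carries no identity until `login` succeeds, so pre-auth and post-auth requests cannot be confused.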

Mitigation

Patched Versions

cPanel & WHM

  • 11.110.0.97 or later
  • 11.118.0.63 or later
  • 11.126.0.54 or later
  • 11.130.0.18 or later
  • 11.132.0.29 or later
  • 11.134.0.20 or later
  • 11.136.0.5 or later
  • 11.86.0.41 or later

WP Squared

  • 136.1.7 or later
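As an added helper that is not part of the advisory or of cPanel's own tooling, the following Python encodes the patched builds listed above and reports whether a given version string falls inside an affected range. A branch the advisory does not list returns `None` rather than a guess. The `/usr/local/cpanel/version` path used by `read_installed_version` is the conventional location of the installed version string on cPanel hosts and is an assumption here; confirm it on your system.

```python
import sys

# First fixed build per product and branch, taken from the advisory.
# Any build in the same branch below the fixed build is affected.
FIXED = {
    "cpanel": {
        (11, 110, 0): (11, 110, 0, 97),
        (11, 118, 0): (11, 118, 0, 63),
        (11, 126, 0): (11, 126, 0, 54),
        (11, 130, 0): (11, 130, 0, 18),
        (11, 132, 0): (11, 132, 0, 29),
        (11, 134, 0): (11, 134, 0, 20),
        (11, 136, 0): (11, 136, 0, 5),
        (11, 86, 0): (11, 86, 0, 41),
    },
    "wp_squared": {
        (136, 1): (136, 1, 7),
    },
}


def parse_version(text: str) -> tuple:
    """Turn '11.110.0.96' into (11, 110, 0, 96); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product: str, version: str):
    """True if the version is in an affected range, False if it is at or above
    the fixed build for its branch, None if the branch is not in the advisory."""
    v = parse_version(version)
    for branch, fixed in FIXED[product].items():
        if v[: len(branch)] == branch:
            # A bare branch version such as '11.110.0' counts as build 0.
            padded = v + (0,) * (len(fixed) - len(v))
            return padded < fixed
    return None


def read_installed_version(path: str = "/usr/local/cpanel/version") -> str:
    # Assumed location of the version file on cPanel hosts; verify locally.
    with open(path) as fh:
        return fh.read().strip()


if __name__ == "__main__":
    ver = sys.argv[1] if len(sys.argv) > 1 else read_installed_version()
    state = is_vulnerable("cpanel", ver)
    label = {True: "AFFECTED", False: "patched", None: "branch not in advisory"}[state]
    print(f"cPanel & WHM {ver}: {label}")
```

Run it with a version argument to check a fleet inventory offline, or without one on a host to read the installed version directly.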

Compensating Controls

  • Restrict access to WHM and cPanel via VPN or IP allowlisting
  • Disable direct internet exposure where feasible
  • Deploy web application firewall rules to block malformed authentication requests
  • Enforce multi-factor authentication and strengthen session validation policies
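To make the IP allowlisting control auditable, here is an added example (not from the advisory) that checks connection records against a CIDR allowlist and flags any reach of port 2083 or 2087 from outside it. The record format, the addresses and the allowlist are constructed for the example; adapt `LINE_RE` to whatever your firewall or reverse proxy actually exports.

```python
import ipaddress
import re

# Administrative ports named in the advisory: 2083 (cPanel), 2087 (WHM)
ADMIN_PORTS = {2083, 2087}

# Constructed sample records (not real logs). Assumed format:
# "<timestamp> src=<ip> dst_port=<port> path=<path>"
SAMPLE_LOG = """\
2026-04-03T10:00:01Z src=10.20.30.4 dst_port=2087 path=/login/
2026-04-03T10:00:07Z src=198.51.100.23 dst_port=2087 path=/login/
2026-04-03T10:00:09Z src=203.0.113.9 dst_port=2083 path=/login/
2026-04-03T10:00:12Z src=10.20.30.4 dst_port=443 path=/
2026-04-03T10:00:15Z src=2001:db8::10 dst_port=2087 path=/login/
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dst_port=(?P<port>\d+)")


def build_allowlist(cidrs):
    """Parse CIDR strings (v4 or v6) into network objects once."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_allowed(ip_text: str, allowlist) -> bool:
    """True if the address falls inside any allowlisted network.
    Mixed-family comparisons (v6 address vs v4 network) are simply False."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in allowlist)


def audit(log_text: str, cidrs):
    """Return (src, port, reason) for every admin-port hit outside the allowlist."""
    allowlist = build_allowlist(cidrs)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        port = int(m.group("port"))
        if port not in ADMIN_PORTS:
            continue  # ordinary web traffic is out of scope for this control
        src = m.group("src")
        try:
            ok = is_allowed(src, allowlist)
        except ValueError:
            findings.append((src, port, "unparseable source address"))
            continue
        if not ok:
            findings.append((src, port, "admin port reached from outside allowlist"))
    return findings


if __name__ == "__main__":
    for src, port, reason in audit(SAMPLE_LOG, ["10.20.30.0/24", "2001:db8::/32"]):
        print(f"{src} -> :{port}  {reason}")
```

A non-empty result means the allowlist is not being enforced at the network edge for those sources; it is the evidence to act on before, not instead of, applying the patched build.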

What the Cyber Fusion Center is Doing

The Cyber Fusion Center (CFC) is actively monitoring the situation and will issue advisory updates as needed. A threat hunting campaign covering this vulnerability will be conducted.
