Full Report
A vulnerability has been discovered in WHM, cPanel, and WP Squared that could allow for remote code execution. WHM, cPanel, and WP Squared are Linux-based web hosting control panels for server and website management. While WHM provides server-level control, cPanel provides administrator access to the website backend, webmail, and databases. Successful exploitation could allow unauthenticated remote attackers to bypass authentication and gain unauthorized administrative access to the affected systems, ultimately leading to remote code execution.
Analysis Summary
# Vulnerability: cPanel and WHM Authentication Bypass Leading to RCE
## CVE Details
- **CVE ID:** CVE-2026-41940
- **CVSS Score:** 9.8 (Critical - *estimated based on RCE and unauthenticated access*)
- **CWE:** CWE-287 (Improper Authentication)
## Affected Systems
- **Products:** WHM, cPanel, and WP Squared
- **Versions:**
- cPanel & WHM 11.86.0 earlier than 11.86.0.41
- cPanel & WHM 11.110.0 earlier than 11.110.0.97
- cPanel & WHM 11.118.0 earlier than 11.118.0.63
- cPanel & WHM 11.126.0 earlier than 11.126.0.54
- cPanel & WHM 11.130.0 earlier than 11.130.0.19
- cPanel & WHM 11.132.0 earlier than 11.132.0.29
- cPanel & WHM 11.134.0 earlier than 11.134.0.20
- cPanel & WHM 11.136.0 earlier than 11.136.0.5
- WP Squared earlier than 136.1.7
- **Configurations:** Systems exposed to the internet via standard management ports.
## Vulnerability Description
An authentication bypass vulnerability exists in the login flow of cPanel and WHM (versions 11.40 and later). The flaw allows unauthenticated remote attackers to bypass security checkpoints and gain unauthorized administrative access. Once authenticated, attackers can utilize legitimate WHM-exposed API features to execute code on the server with root privileges.
## Exploitation
- **Status:** **Exploited in the wild.** Added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog.
- **Complexity:** Low (Chain requires only a small number of HTTP requests).
- **Attack Vector:** Network (Unauthenticated remote).
- **PoC Availability:** Yes. Published by watchTowr Labs.
## Impact
- **Confidentiality:** High (Full access to server, databases, and mail).
- **Integrity:** High (Ability to modify files and system configurations).
- **Availability:** High (Observed deployment of ransomware/encryptors).
## Remediation
### Patches
Update to the following fixed versions immediately:
- cPanel & WHM: **11.86.0.41, 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, 11.136.0.5**
- WP Squared: **136.1.7**
### Workarounds
No effective workarounds are provided other than updating software. It is recommended to restrict access to WHM/cPanel management ports (e.g., 2082, 2083, 2086, 2087) via firewall/IP whitelisting where possible.
## Detection
- **Indicators of Compromise:**
- Presence of Go-based Linux encryptors (linked to "Sorry" ransomware).
- Evidence of Mirai botnet binaries.
- Unexpected administrative API calls from unknown IP addresses.
- **Detection methods and tools:**
- Review web server logs for bypass attempts targeting the login flow.
- Monitor for 44,000+ IPs identified by Shadowserver as active scanners for this flaw.
## References
- hxxps://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026
- hxxps://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/
- hxxps://www.rapid7.com/blog/post/etr-cve-2026-41940-cpanel-whm-authentication-bypass/
- hxxps://www.helpnetsecurity.com/2026/05/04/multiple-threat-actors-actively-exploit-cpanel-vulnerability-cve-2026-41940/