Full Report
The critical CVE-2026-41940 authentication bypass vulnerability in cPanel, WHM, and WP Squared is being actively exploited in the wild and has been leveraged in attempts since late February. [...]
Analysis Summary
# Vulnerability: Authentication Bypass in cPanel & WHM (CRLF Injection)
## CVE Details
- **CVE ID:** CVE-2026-41940
- **CVSS Score:** 9.8 (Critical - estimated based on impact)
- **CWE:** CWE-93 (Improper Neutralization of CRLF Sequences / 'CRLF Injection')
## Affected Systems
- **Products:** cPanel, WHM (Web Host Manager), and WP Squared.
- **Versions:** Affected releases include all versions after 11.40, specifically:
  - cPanel/WHM: 11.110.0, 11.118.0, 11.126.0, 11.132.0, 11.134.0, 11.136.0
  - WP Squared: 11.136.1
- **Configurations:** Systems with `cpsrvd` or `cpdavd` services exposed to the network.
## Vulnerability Description
The flaw stems from a Carriage Return Line Feed (CRLF) injection vulnerability in the login and session loading processes. Specifically, user-controlled input from the HTTP **Authorization header** is written directly into server-side session files before authentication occurs and without proper sanitization. By injecting CRLF sequences, an attacker can manipulate the session file structure to bypass password validation and log into the system as an authenticated user.
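As an added illustration of the missing check described above (example code written for this summary, not cPanel's own code, and it does not model cPanel's session-file format): a validator that rejects an HTTP Basic `Authorization` value when either the raw header or the decoded username/password contains CR, LF or any other control character, so that no line break can reach a persisted session record. The function names and the base64 handling are assumptions.

```python
import base64
import re

# CR, LF, NUL and the rest of the C0 range plus DEL: none of these belong in a
# header value or in credentials that will later be written to disk.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def has_control_chars(value: str) -> bool:
    """True if the string contains any ASCII control character."""
    return _CONTROL_CHARS.search(value) is not None


def decode_basic_credentials(header_value: str):
    """Decode a 'Basic <base64>' value into (username, password).

    Returns None if the scheme is not Basic or the payload is malformed.
    """
    scheme, _, payload = header_value.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        raw = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = raw.partition(":")
    if not sep:
        return None  # Basic credentials must contain a ':' separator
    return username, password


def validate_authorization_header(header_value: str) -> bool:
    """Return True only if the header is safe to log or persist.

    Checks the raw value first (CRLF in the header itself), then the decoded
    credentials (CRLF hidden inside the base64 payload). Call this before any
    part of the value is written to a session file.
    """
    if has_control_chars(header_value):
        return False
    scheme = header_value.split(" ", 1)[0].lower()
    if scheme != "basic":
        return True  # other schemes: only the raw-value check applies here
    creds = decode_basic_credentials(header_value)
    if creds is None:
        return False  # malformed Basic payload is rejected outright
    return not any(has_control_chars(part) for part in creds)


def basic_header(username: str, password: str) -> str:
    """Build a Basic Authorization value; used only to construct test inputs."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"
```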
## Exploitation
- **Status:** Exploited in the wild (Zero-day activity observed since February 23, 2026).
- **Complexity:** Low
- **Attack Vector:** Network
- **PoC Available:** Yes (Technical analysis and exploit methodology published by watchTowr).
## Impact
- **Confidentiality:** Total (Full access to configurations, databases, and managed websites).
- **Integrity:** Total (Ability to modify any data or system settings).
- **Availability:** Total (Ability to shut down services or delete data).
## Remediation
### Patches
Update to the following versions or higher:
- **cPanel/WHM:** 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, 11.136.0.5
- **WP Squared:** 11.136.1.7
*Note: The vendor strongly recommends restarting the `cpsrvd` service immediately after installation.*
### Workarounds
- Block external access to ports 2083, 2087, 2095, and 2096.
- Stop the `cpsrvd` and `cpdavd` internal core services if patching is not possible.
## Detection
- **Indicators of Compromise:** Use the official cPanel-provided detection script to check for compromise.
- **Detection Tools:**
  - **watchTowr Detection Artifact Generator:** Available at `github[.]com/watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py`.
- **Response:** If indicators are found, purge all active sessions, reset all user credentials, audit system logs for unauthorized changes, and inspect for persistent backdoors.
## References
- **Vendor Advisory:** `hxxp://support[.]cpanel[.]net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026`
- **Rapid7 Analysis:** `hxxps://www[.]rapid7[.]com/blog/post/etr-cve-2026-41940-cpanel-whm-authentication-bypass/`
- **BleepingComputer News:** `hxxps://www[.]bleepingcomputer[.]com/news/security/critical-cpanel-and-whm-bug-exploited-as-a-zero-day-poc-now-available/`