A critical vulnerability known as CVE-2026-41940 has emerged in cPanel & WHM, compromising over 44,000 servers worldwide. This security flaw, identified by the moniker cPanelSniper, allows attackers to bypass authentication, granting unauthorized root access to servers. The vulnerability is due to improper handling of session data during the login process, where an attacker can manipulate session files to gain full control without valid credentials. cPanel disclosed the vulnerability on April 28, 2026, and quickly issued emergency patches. Despite these efforts, exploitation began as early as February 2026, leading to widespread server compromises. The PoC exploit released by security researcher Mitsec enables automated attacks, significantly increasing the risk to server administrators. The Shadowserver Foundation has reported extensive scanning and exploitation activity, underscoring the urgency for immediate defensive actions.
All versions of cPanel & WHM after 11.40 and WP Squared v136.1.7 are affected, with a CVSS score of 9.8 indicating the severity. Attackers have used the exploit to deploy ransomware, deface websites, and recruit botnets. With around 650,000 internet-facing cPanel/WHM instances and 1.5 million potentially vulnerable systems identified, the scale of the threat is substantial. CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog, emphasizing the critical need for remediation.
Administrators are advised to update their systems using the provided emergency patches and take additional security measures. This includes restarting specific services and auditing session directories for unauthorized entries. Blocking specific cPanel ports at the firewall and rotating administrative credentials are recommended actions to protect against ongoing attacks.


