For several months, a critical vulnerability in the cPanel & WHM (WebHost Manager) platform has been actively exploited, allowing hackers to bypass authentication and gain unauthorized administrative access. Identified as CVE-2026-41940 with a CVSS score of 9.8, the issue affects all versions beyond 11.40. This flaw in the login process enables remote attackers to take control of the system by manipulating session files and injecting specific parameters. According to Rapid7, a successful exploitation could compromise server configurations and potentially all websites hosted on shared servers. Notably, approximately 1.5 million cPanel instances are exposed to this risk. The vulnerability has been in use by attackers since February 2026, as confirmed by KnownHost on Reddit. In response to this threat, hosting providers like KnownHost, HostPapa, InMotion, and Namecheap have restricted access to cPanel & WHM ports to facilitate secure patch deployment. cPanel has issued patches in several versions, including 11.86.0.41 and others, and has provided a detection script to help identify signs of compromise. Administrators are strongly advised to update their servers if they are not running a supported version and use available detection tools to ensure system security.
Critical Vulnerability in cPanel & WHM Exploited for Months
Active exploitation of a critical auth bypass in cPanel/WHM has been observed in the wild for months, enabling unauthorized admin access. Patch and containment efforts are underway.


