🔴 CVE-2026-41940

Critical authentication bypass vulnerability in cPanel and WHM control panels allowing unauthenticated remote attackers to gain unauthorized access. These web hosting management platforms are almost universally internet-facing by design and widely exploited in the wild.

โ† Back to Overview
HIGH_RISK
Risk Level
9.8
CVSS Score
NETWORK
Attack Vector
Initial Access
ATT&CK Tactic
T1190 โ€” Exploit Public-Facing Application
ATT&CK Technique
VERY_HIGH
Deployment Risk
Yes (+5d)
Ransomware

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2026-04-29

Added to CISA KEV: 2026-04-30 (1 day between CVE publication and KEV addition)

🎯 Recommendations:

๐Ÿ” Web Intelligence (Kagi ยท 2026-04-30)

CVE-2026-41940 is a critical authentication bypass vulnerability affecting cPanel and WHM, widely used control panels for managing web hosting accounts. It has been actively exploited in the wild, with evidence suggesting exploitation may have begun as early as February 23, 2026, before public disclosure [1]. Key details regarding exploitation of CVE-2026-41940:
  • Internet-Facing Applications/Services: cPanel and WHM are typically internet-facing services used for web hosting management. A Shodan query indicated approximately 1.5 million cPanel instances exposed to the internet that could be vulnerable [1].
  • Evidence of Active Exploitation: There is clear evidence of active exploitation in the wild [1][3]. Some reports indicate it was exploited as a zero-day for months before a patch was released [5].
  • Attack Vectors and Exploitation Methods: The vulnerability lies in the login flow of cPanel and WHM. It allows unauthenticated remote attackers to bypass authentication checks (CWE-306) and gain control of the management console [2][4]. Successful exploitation grants control over the host system, its configuration, databases, and managed websites [1]. A proof-of-concept exploit has been published [1].
  • Targeted Attacks: The vulnerability is not explicitly described as exclusively targeted, but the nature of a control-panel compromise suggests potential for targeted attacks against hosting providers or their clients. The reported "targeted zero-day exploitation" points toward sophisticated actors [1].
  • CISA Known Exploited Vulnerabilities (KEV) Status: CVE-2026-41940 has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation [3].
  • Technical Details about Internet Exploitability: The flaw is an authentication bypass in the login flow [2][4]. It allows attackers to gain privileged access without valid credentials, impacting the confidentiality, integrity, and availability of hosted services [2]. Affected versions are cPanel and WHM versions after 11.40 [4].

Sources

  1. CVE-2026-41940: cPanel & WHM Authentication Bypass

    Vulnerabilities and Exploits. CVE-2026-41940: cPanel & WHM Authentication Bypass. WHM provides root-level administration, while cPanel acts as the user-facing interface. Successful exploitation of CVE-2026-41940 grants an attacker control over the cPanel host system, its configurations and databases,…

  2. CVE-2026-41940 - Vulnerability Details - OpenCVE

    An authentication bypass flaw in the cPanel and WHM login flow allows an unauthenticated remote attacker to gain control of the management console. The vulnerability exploits improper authentication checks (CWE-306), enabling attackers to obtain privileged access without valid credentials, thereby t…

  3. CISA Adds Two Known Exploited Vulnerabilities to Catalog

    CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

  4. CVE-2026-41940 Detail - NVD

    cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote ...

  5. cPanel zero-day exploited for months before patch release (CVE-2026-41940)

    A critical vulnerability (CVE-2026-41940) in the cPanel control panel for managing web hosting accounts, is being exploited by attackers.