CRITICAL: cPanel WHM Authentication Bypass CVE-2026-41940 Exploited for Two Months Before Patch

cPanel and WHM are bleeding root through CVE-2026-41940, a CVSS 9.8 CRLF-injection authentication bypass that has been exploited in the wild since late February 2026. The April 28 patch is available now, but attackers running automated campaigns from over 2,000 source IPs have been deploying a cross-platform Go backdoor on compromised hosts for two months. Patch immediately and assume breach on any internet-exposed unpatched server.

By Danny Mercer, CISSP — Lead Security Analyst. May 12, 2026

If you run a hosting business, an MSP that touches shared hosting, or even a single reseller account on someone else's box, today is one of those days where you should physically check the patch level before you finish reading this sentence. cPanel and WHM, the control panel that quietly runs an estimated 70 million domains worldwide, has been bleeding root for roughly two months. The patch landed on April 28, 2026. The exploitation started around February 23, 2026. You do the math.

The vulnerability is CVE-2026-41940, a 9.8 on the CVSS scale, and it is exactly the kind of finding that makes hosting providers cancel their weekend plans. An unauthenticated remote attacker can bypass cPanel and WHM authentication entirely and walk in as root. No credentials, no second factor, no clever phishing. Just a malformed HTTP request and a stolen control panel. Rapid7, watchTowr Labs, Cato Networks, and a handful of others have all confirmed in-the-wild exploitation that predates the public advisory by roughly eight weeks, which means the bad guys had a long, quiet head start while everyone else found out from a CVE bulletin.

The technical mechanism is one of those bugs that makes you wince because it is almost embarrassingly simple. The vulnerability lives in cPanel's session handling code and reduces to a classic CRLF injection. When the server processes an HTTP Basic Authorization header, the password field is barely sanitized. Null bytes get stripped, but carriage return and line feed characters survive. Those characters reach the saveSession routine, which writes the session to disk without encoding them. So far so unfortunate. The exploit becomes catastrophic because of how cPanel decides whether to encrypt the session payload at all.

The whostmgrsession cookie is supposed to carry two pieces, a session name and a hex token separated by a comma. With the hex token present, the encoder kicks in and encrypts everything. Strip the comma and the token, leave only the session name, and the encoder politely skips encryption and writes your password field straight to the session file as plaintext. Combine that with the surviving carriage return and line feed bytes, and an attacker can inject arbitrary session fields by sending a Basic auth header that decodes to something like root colon x newline hasroot equals 1 newline tfa_verified equals 1 newline user equals root. The session file now contains those properties as legitimate top-level keys.

There is a final step that turns this from an interesting parlor trick into total compromise. Once the malicious session is written to /var/cpanel/sessions/raw/, the attacker requests a URL that lacks the proper security token. This trips the do_token_denied error path, which calls Cpanel::Session::Modify, which obligingly reads the raw file and writes a parsed version to the JSON cache at /var/cpanel/sessions/cache/. Now the injected fields are first-class session attributes. The next request loads from the cache, finds successful_internal_auth_with_timestamp already set, and skips password validation inside check_authok_user. The attacker is now authenticated as root with two-factor verification flagged complete. Game over.

Affected versions are essentially all currently supported cPanel and WHM releases. The patched builds are 11.110.0.97 for the 110 branch, 11.118.0.63 for 118, 11.126.0.54 for 126, 11.132.0.29 for 132, 11.134.0.20 for 134, and 11.136.0.5 for 136. WP Squared customers need to be on 136.1.7. If your server is on any prior patch level within those branches, assume it was reachable from the internet and assume it has been probed. According to research published this week, more than 2,000 attacker source IPs have been hammering exposed control panels, with the bulk of traffic originating from Germany, the United States, Brazil, and the Netherlands. The campaign is not subtle. It is the kind of automated, large-scale spray that sweeps the entire IPv4 space looking for ports 2087, 2083, and 2086.
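A quick way to turn that list of builds into a yes/no answer for each server in a fleet, as an added example that is not code from the article or from cPanel: it parses the four-part build string, looks up the branch, and compares against the patched builds named above. It assumes the installed version can be read from /usr/local/cpanel/version (the path is an assumption; point it elsewhere if your install differs) and does not handle the WP Squared 136.1.7 scheme, which uses different numbering.

```python
"""Compare a cPanel/WHM build number with the patched builds for CVE-2026-41940.

Added example, not code from the article or from cPanel. The patched build
numbers are the ones the article lists; /usr/local/cpanel/version is assumed
to hold the installed version string.
"""
import re
import sys

# Minimum patched build per branch, from the advisory text. The branch is the
# second component of the four-part version (11.<branch>.x.y).
PATCHED_BUILDS = {
    110: (11, 110, 0, 97),
    118: (11, 118, 0, 63),
    126: (11, 126, 0, 54),
    132: (11, 132, 0, 29),
    134: (11, 134, 0, 20),
    136: (11, 136, 0, 5),
}

VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text: str) -> tuple:
    """Turn '11.110.0.96' into (11, 110, 0, 96) so tuples compare numerically."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised cPanel version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def assess(version_text: str) -> str:
    """Return 'patched', 'vulnerable', or 'unknown-branch' for a build string."""
    version = parse_version(version_text)
    fixed = PATCHED_BUILDS.get(version[1])
    if fixed is None:
        # A branch the advisory does not list (end-of-life, or newer than the
        # write-up): treat it as needing manual review, not as safe.
        return "unknown-branch"
    return "patched" if version >= fixed else "vulnerable"


def assess_installed(version_file: str = "/usr/local/cpanel/version") -> str:
    """Read the installed build from disk (assumed path) and assess it."""
    with open(version_file, encoding="utf-8") as fh:
        return assess(fh.read())


if __name__ == "__main__":
    # Usage: python3 check_cpanel.py [version-string]
    # Exit status 0 only when the build is at or above the patched build.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    verdict = assess(target) if target else assess_installed()
    print(verdict)
    sys.exit(0 if verdict == "patched" else 1)
```

Run it over SSH against every host and sort by exit status; anything that returns `unknown-branch` is on a branch the advisory does not cover and deserves a manual look rather than a green tick.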

The post-exploitation payload is where things get worse. A threat actor tracked as Mr_Rot13, who has been operating in some form since at least October 2020 based on command-and-control domain registration data, is dropping a Go-based cross-platform backdoor on compromised hosts. The dropper is a shell script that pulls down the binary from infrastructure controlled by the operator. The backdoor itself runs on Linux, macOS, and Windows and gives the attacker file management capabilities, remote command execution, and a full interactive shell. In a cPanel context, that means the attacker has not just admin of the control panel but the underlying Linux box, which in turn hosts dozens or hundreds of customer websites, databases, mail spools, and SSL keys. The lateral damage potential is enormous because cPanel servers are usually multi-tenant by design.

What does exploitation look like in your logs? The honest answer is that without specific detection rules tuned for this CVE, it can look like noise. The attacker hits the WHM login endpoint, gets back a session cookie, then immediately replays with a malformed cookie and a base64-encoded Basic auth header containing newline characters. Inspect your access logs around the WHM port for unusual Authorization headers, requests with truncated whostmgrsession cookies that lack the expected comma-separated hex segment, and any successful root-context activity that does not trace back to a normal login flow. Check /var/cpanel/sessions/raw/ for files containing unexpected key-value pairs like hasroot or tfa_verified being set when the original session never authenticated through the proper code path. The watchTowr Labs writeup ships with a proof-of-concept that has been circulating since disclosure, so any half-competent attacker has working exploit code by now.
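The two request-level indicators above (control characters inside the decoded Basic credentials, and a whostmgrsession cookie missing its comma-separated hex token) can be checked mechanically. Here is an added example that is not code from the article, cPanel, or any of the named research teams: it scans request records and reports which indicator fired. It assumes you have records that carry the Authorization and Cookie headers, for instance exported from a reverse proxy in front of port 2087 or from a packet capture, because stock access logs normally do not record the Authorization header. The sample records, the cookie values and the credential bytes are all constructed for the example.

```python
"""Flag WHM/cPanel requests matching the CVE-2026-41940 exploitation pattern.

Added example, not the article's or cPanel's code. Records are dicts with
'src', 'path', 'authorization' and 'cookie' keys; the sample data below is
constructed for the example.
"""
import base64
import binascii
import re
from typing import Optional

HEX_TOKEN = re.compile(r"^[0-9a-fA-F]+$")
# CR, LF and every other control byte; a legitimate password never needs them.
CONTROL_CHARS = re.compile(rb"[\x00-\x1f\x7f]")


def decode_basic(auth_header: Optional[str]) -> Optional[bytes]:
    """Return the decoded 'user:password' bytes of a Basic header, else None."""
    if not auth_header:
        return None
    scheme, _, blob = auth_header.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    blob = blob.strip()
    blob += "=" * (-len(blob) % 4)          # tolerate sloppy padding
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None


def basic_auth_has_control_chars(auth_header: Optional[str]) -> bool:
    """True when the decoded credentials contain CR/LF or other control bytes."""
    creds = decode_basic(auth_header)
    return creds is not None and CONTROL_CHARS.search(creds) is not None


def parse_cookies(cookie_header: Optional[str]) -> dict:
    cookies = {}
    for part in (cookie_header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def session_cookie_lacks_token(cookie_header: Optional[str]) -> bool:
    """True when whostmgrsession is present but has no ',<hex token>' suffix."""
    value = parse_cookies(cookie_header).get("whostmgrsession")
    if value is None:
        return False
    _name, sep, token = value.partition(",")
    return not (sep and HEX_TOKEN.match(token))


def scan(records) -> list:
    """Return [(index, src, [reasons])] for every record that trips an indicator."""
    findings = []
    for i, rec in enumerate(records):
        reasons = []
        if basic_auth_has_control_chars(rec.get("authorization")):
            reasons.append("control characters in Basic auth credentials")
        if session_cookie_lacks_token(rec.get("cookie")):
            reasons.append("whostmgrsession cookie without hex token")
        if reasons:
            findings.append((i, rec.get("src"), reasons))
    return findings


def _basic(creds: bytes) -> str:
    return "Basic " + base64.b64encode(creds).decode("ascii")


# Constructed sample records (documentation-range IPs, made-up session names).
SAMPLE_RECORDS = [
    {"src": "203.0.113.10", "path": "/login/",
     "authorization": _basic(b"user:correct-horse"),
     "cookie": "whostmgrsession=sess01,0123456789abcdef"},
    {"src": "198.51.100.7", "path": "/",
     "authorization": _basic(b"user:secret\r\ninjected_key=1"),
     "cookie": "whostmgrsession=sess02"},
    {"src": "192.0.2.44", "path": "/login/",
     "authorization": None,
     "cookie": "whostmgrsession=sess03"},
]

if __name__ == "__main__":
    for index, src, reasons in scan(SAMPLE_RECORDS):
        print(f"record {index} from {src}: {'; '.join(reasons)}")
```

The same two predicates are what a front-door reverse proxy should enforce as a reject rule rather than just a log rule: drop any request whose Basic credentials decode to control characters, and drop any whostmgrsession cookie that does not carry the hex token.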

For incident response, assume root-level compromise on any unpatched host. That means rebuilding from known-good backups, not just patching in place, because the Mr_Rot13 backdoor is designed to persist outside the cPanel application surface. Rotate every credential, API token, and SSH key associated with the box. Audit cron entries, systemd units, /etc/rc.local style autostarts, and any unfamiliar binaries in /tmp, /var/tmp, /dev/shm, and user home directories. Check outbound network connections for traffic to the documented C2 infrastructure. CISA has not yet added this to the Known Exploited Vulnerabilities catalog as of this morning, but given the pace of the campaign and the federal hosting footprint that runs on cPanel, expect that to change within days. Belgian CERT and several European CSIRTs have already issued patch-now advisories.
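The file-system part of that sweep (cron entries, autostart locations, unfamiliar binaries in /tmp, /var/tmp, /dev/shm) lends itself to a first-pass script. Here is an added example, not code from the article or from cPanel, that lists regular files under those locations whose modification time falls inside the exposure window and marks which are executable. It assumes the window starts at the article's late-February 2026 exploitation date and runs to now, since a persisted backdoor keeps touching files after patch day; the standard cron paths are added to the article's list. The demo tree it builds is constructed, and a timestamp sweep is only a starting point because a root-level intruder can reset mtimes.

```python
"""Triage helper for the post-exploitation sweep: list regular files in the
usual drop and autostart locations modified inside the exposure window.

Added example, not the article's or cPanel's code. Window start is the
article's ~23 Feb 2026 date; end defaults to the current time.
"""
import os
import stat
import tempfile
import time
from datetime import datetime, timezone

WINDOW_START = datetime(2026, 2, 23, tzinfo=timezone.utc).timestamp()

DEFAULT_ROOTS = [
    "/tmp", "/var/tmp", "/dev/shm",                    # drop locations from the article
    "/etc/cron.d", "/etc/crontab", "/var/spool/cron",  # cron entries
    "/etc/systemd/system", "/etc/rc.local",            # units and rc.local-style autostarts
]


def iter_regular_files(root: str):
    """Yield files under a directory, or the path itself if it is a file."""
    if os.path.isfile(root):
        yield root
    elif os.path.isdir(root):
        for dirpath, _, names in os.walk(root):
            for name in names:
                yield os.path.join(dirpath, name)


def modified_in_window(roots, start: float = WINDOW_START, end=None) -> list:
    """Return sorted [(path, mtime_iso, is_executable)] for files in [start, end]."""
    end = time.time() if end is None else end
    hits = []
    for root in roots:
        for path in iter_regular_files(root):
            try:
                st = os.lstat(path)   # lstat: never follow a planted symlink
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not (start <= st.st_mtime <= end):
                continue
            executable = bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            when = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat()
            hits.append((path, when, executable))
    return sorted(hits)


def demo() -> list:
    """Build a constructed sample tree in a temp dir and return (basename,
    executable) for everything the sweep flags. Names and dates are made up."""
    base = tempfile.mkdtemp(prefix="cve-2026-41940-demo-")
    tmp_dir = os.path.join(base, "tmp")
    cron_dir = os.path.join(base, "cron.d")
    os.makedirs(tmp_dir)
    os.makedirs(cron_dir)
    before = datetime(2026, 1, 10, tzinfo=timezone.utc).timestamp()
    during = datetime(2026, 3, 15, tzinfo=timezone.utc).timestamp()
    samples = [                                    # (relative path, mtime, mode)
        ("tmp/old-tool", before, 0o755),           # executable but predates the window
        ("tmp/dropper.sh", during, 0o755),         # executable, modified in the window
        ("cron.d/evil", during, 0o644),            # cron entry written in the window
        ("cron.d/logrotate", before, 0o644),       # legitimate, old
    ]
    for rel, mtime, mode in samples:
        path = os.path.join(base, rel)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("# constructed sample\n")
        os.chmod(path, mode)
        os.utime(path, (mtime, mtime))
    return [(os.path.basename(p), ex) for p, _, ex in modified_in_window([tmp_dir, cron_dir])]


if __name__ == "__main__":
    for path, when, executable in modified_in_window(DEFAULT_ROOTS):
        print(f"{when}  {'x' if executable else '-'}  {path}")
```

Treat the output as a work list for hashing and manual review, and pair it with the outbound-connection check the paragraph above describes; a clean timestamp sweep does not clear a host that was exposed during the window.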

The mitigation story is simple in concept and painful in practice. Patch immediately, then assume breach for any system that was exposed and unpatched between late February and today. Restrict WHM access to a trusted management network or a VPN whenever feasible, because there is almost no defensible reason to leave port 2087 open to the entire internet in 2026. Enable two-factor authentication on every WHM and cPanel account, recognizing that this particular exploit forges the two-factor verification flag inside the session, so 2FA is a defense-in-depth measure here rather than a silver bullet. Move administrative interfaces behind a reverse proxy that performs strict header sanitization, which would have neutralized the CRLF injection at the front door before it ever touched cPanel.

For MSPs, this is one of those moments where the conversation with a hosting client basically writes itself. Anyone running cPanel for resale, web design clients, or hosted applications needs an emergency patch sweep today, a forensic check on every server that was exposed during the window, and probably a managed patching subscription so this does not happen again at the next zero-day. There is also a tidy upsell into managed WAF, network segmentation around control panel interfaces, and threat-hunting retainers for clients who suddenly realize their hosting stack has been quietly running with the door unlocked for two months. If you are not already in the dark web monitoring business, this is the week to start, because compromised cPanel credentials and root shells are about to flood the usual marketplaces.

Drop everything and patch this now. The exploitation window is wide open, the proof-of-concept is public, and the attackers are not slowing down. If you find yourself two months late to the party, the right move is to assume the bad guys got there first and respond accordingly. That is less fun than patching, but it is a lot more fun than explaining to a customer why their website is hosting a Go binary that talks to a server in Moldova.
