Critical cPanel and WHM bug exploited as a zero-day, PoC now available

BleepingComputer technology

Key Points:

  • A critical authentication bypass vulnerability (CVE-2026-41940) affecting cPanel, WHM, and WP Squared has been actively exploited since at least late February 2026, with successful attacks observed before a patch was released on April 28.
  • The flaw results from a Carriage Return Line Feed (CRLF) injection in cPanel's login and session processes, allowing attackers to bypass password validation and gain control over the host system, configurations, databases, and managed websites.
  • Approximately 1.5 million cPanel instances are exposed online, though it is unclear how many are vulnerable; hosting providers like KnownHost and Namecheap have taken protective measures such as blocking relevant ports until patches were available.
  • cPanel has issued fixes for multiple affected versions and strongly recommends restarting the ‘cpsrvd’ service after patching; customers unable to patch immediately should block external access to key ports or stop core cPanel services to mitigate risk.
  • A detection script is provided by cPanel to identify compromises, and if signs of exploitation are found, users should purge sessions, reset credentials, audit logs, and investigate for persistence mechanisms.
