Critical cPanel Zero-Day CVE-2026-41940 Exploited Since February
A critical authentication bypass vulnerability tracked as CVE-2026-41940 has been actively exploited in the wild for over two months before cPanel released emergency patches on April 30, 2026. The flaw affects cPanel, WHM (Web Host Manager), and WP Squared platforms, allowing attackers to completely bypass authentication mechanisms and gain unauthorized administrative access to web hosting control panels.
Security researchers first detected exploitation attempts in late February 2026, but the vulnerability remained unpatched until today's emergency release. The authentication bypass occurs when the affected software fails to properly validate user credentials during the login process, enabling attackers to access administrative interfaces without providing valid usernames or passwords. SecurityWeek confirmed that multiple threat actors have been leveraging this flaw to compromise hosting environments across different geographic regions.
The vulnerability was discovered through coordinated threat hunting activities that identified suspicious authentication patterns across multiple cPanel installations. Attackers have been exploiting the flaw to gain root-level access to hosting servers, deploy web shells, and establish persistent backdoors for long-term access. The exploitation technique involves sending specially crafted HTTP requests to the authentication endpoint, which triggers the bypass condition and grants immediate administrative privileges.
cPanel's security team worked with external researchers to develop patches after confirming the active exploitation. The company issued emergency updates for all supported versions, including legacy installations that typically receive limited security support. The rapid response came after hosting providers reported unusual administrative activities and unauthorized configuration changes across their cPanel-managed servers.
Widespread Impact Across Web Hosting Infrastructure
The CVE-2026-41940 vulnerability affects all versions of cPanel and WHM released before April 30, 2026, including the current stable releases 118.0.x, 120.0.x, and 122.0.x series. WP Squared installations running versions prior to 4.2.8 are also vulnerable to the same authentication bypass technique. Shared hosting providers, VPS operators, and dedicated server administrators using these platforms face immediate risk of complete server compromise.
The scope of potential impact extends to millions of websites hosted on cPanel-managed servers worldwide. Major hosting providers including GoDaddy, HostGator, and Bluehost have confirmed they're applying emergency patches across their infrastructure. Small to medium-sized hosting companies represent the highest risk category, as many operate with limited security monitoring and may not have detected the ongoing exploitation attempts. The Hacker News reported that over 200,000 cPanel installations have been identified as potentially vulnerable through internet-wide scanning.
Enterprise customers running private cPanel installations face particular risks due to the administrative privileges gained through successful exploitation. Attackers can modify DNS settings, access customer databases, steal SSL certificates, and deploy malicious code across all hosted websites. The authentication bypass also enables attackers to create new administrative accounts, ensuring persistent access even after the initial vulnerability is patched.
Emergency Patching and Immediate Response Required
cPanel released emergency security updates on April 30, 2026, addressing CVE-2026-41940 across all supported product lines. Administrators must immediately update to cPanel & WHM version 118.0.15, 120.0.12, or 122.0.8 depending on their current installation branch. WP Squared users should upgrade to version 4.2.8 or later. The patches implement additional authentication validation checks and modify the login verification process to prevent bypass attempts.
System administrators should immediately check their cPanel access logs for suspicious authentication patterns, particularly successful logins without corresponding password verification entries. Look for HTTP POST requests to /login/ endpoints that result in successful authentication despite missing or invalid credential parameters. The command 'grep -i "authentication bypass" /usr/local/cpanel/logs/access_log' can help identify potential exploitation attempts, though sophisticated attackers may have cleared log entries.
Organizations that cannot immediately apply patches should implement emergency mitigation measures including restricting cPanel access to specific IP addresses through firewall rules, enabling two-factor authentication where available, and monitoring all administrative activities through enhanced logging. Consider temporarily disabling remote cPanel access and requiring VPN connections for administrative tasks. Review all recent administrative account creations and configuration changes made since February 2026 for signs of unauthorized access.
Post-patch verification requires checking for unauthorized administrative accounts, reviewing SSL certificate modifications, and scanning for web shells or backdoors that may have been deployed during the exploitation window. Organizations should also rotate all administrative passwords and API keys, as attackers may have harvested credentials during their unauthorized access. The cPanel security team recommends running integrity checks on all hosted websites and reviewing DNS configurations for unauthorized modifications.
