
Emergency patches are available for a critical vulnerability in cPanel and WHM that allows attackers to bypass authentication and gain root access to servers managed using it.
Given that the cPanel and WebHost Manager (WHM) control panels help manage properties for 70 million domains, by some estimates, and the critical severity of CVE-2026-41940 (CVSS 9.8), the vulnerability is being considered a disaster by those in the security scene.
It also affects every single supported version of the software prior to the patch.
For the uninitiated, cPanel and WHM are both Linux-based control panels. The former is used to manage websites, databases, file transfers, email configurations, and domains, while WHM is used for servers.
They are both backbones of the internet. Breaking into them would provide an attacker with unfettered access to all the secrets associated with these functions.
Or, as watchTowr put it: “Think of it as the keys to the kingdom, and then the keys to every individual apartment inside the kingdom. If the kingdom were the internet and the apartments were websites. For everything.”
Perhaps the worst part is that early signals from defenders, such as KnownHost CEO Daniel Pearson, suggest it may have been exploited as a zero-day for at least 30 days.
Or maybe worse still is the nature of the vulnerability itself – that attackers can gain root access while bypassing all kinds of authentication – a feat worthy of the near-maximum CVSS.
The vulnerability also affects WP Squared, a WordPress hosting platform owned by cPanel.
Successfully exploiting CVE-2026-41940, which can be summarized as a carriage return line feed (CRLF) injection flaw – meaning the attacked application does not properly sanitize user-supplied input before using it – involves just a few steps.
An attacker creates a session cookie by completing a failed login attempt and then sends a request with a specially crafted header with an instruction to change privileges to root. They can then use that cookie to log into cPanel and WHM as root.
In normal scenarios, cPanel would encrypt attacker-supplied values, but in unpatched versions, attackers can remove a hex value and stop this process from running, allowing the plaintext make-me-root commands to pass through like any other trusted code.
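The paragraphs above describe the bug class, not cPanel's code. As an added illustration (this is not cPanel's, WHM's or watchTowr's code, and the header names, cookie names and log lines are constructed for the example), the following Python shows what a CRLF injection flaw looks like in the generic case: a value taken from an untrusted request is embedded verbatim into a response header, so a carriage-return/line-feed pair inside it starts a new header line. The hardened variant refuses any value carrying line terminators, decoding percent-encoding repeatedly so that double-encoded sequences are caught too. A small scanner over constructed access-log lines shows the same check used for detection.

```python
import re
from urllib.parse import unquote

# CR, LF and NUL are the characters that let an attacker terminate a header
# line (or a C string) and start another one.
_CONTROL_CHARS = re.compile(r"[\r\n\x00]")


def _decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that
    double-encoded sequences such as %250d%250a are also unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_crlf(value: str) -> bool:
    """True if the value contains CR, LF or NUL in any encoding layer."""
    return bool(_CONTROL_CHARS.search(_decode_fully(value)))


def vulnerable_set_cookie(name: str, value: str) -> str:
    """Naive header construction (illustrative, not any real product's code):
    the untrusted value is embedded as-is, so a CRLF inside it ends the
    Set-Cookie line and whatever follows becomes a second header."""
    return f"Set-Cookie: {name}={value}"


def hardened_set_cookie(name: str, value: str) -> str:
    """Same construction, but line terminators are rejected before the value
    can reach the header. Rejecting (rather than silently stripping) keeps the
    anomaly visible to logging and alerting."""
    if has_crlf(value):
        raise ValueError("header value contains CR/LF or NUL; refusing to emit")
    return f"Set-Cookie: {name}={value}"


def is_rejected(name: str, value: str) -> bool:
    """Helper for callers/tests: does the hardened builder refuse this value?"""
    try:
        hardened_set_cookie(name, value)
    except ValueError:
        return True
    return False


def header_line_count(header: str) -> int:
    """Number of header lines an emitted header string would produce."""
    return header.count("\n") + 1


# Constructed sample access-log lines in combined log format (hypothetical
# hosts, paths and user agents; not real traffic).
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [12/May/2026:09:58:44 +0000] "GET /login HTTP/1.1" 200 1824 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/May/2026:10:00:01 +0000] "POST /login?user=x%0d%0aX-Injected:%201 HTTP/1.1" 401 512 "-" "curl/8.0"',
    '203.0.113.5 - - [12/May/2026:10:00:09 +0000] "GET /static/app.css HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
]

_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def flag_crlf_requests(lines):
    """Return (client_ip, path) for every request whose path, referrer or
    user agent carries an encoded or literal line terminator."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if any(has_crlf(m.group(f)) for f in ("path", "ref", "ua")):
            hits.append((m.group("ip"), m.group("path")))
    return hits


if __name__ == "__main__":
    injected = "abc\r\nX-Injected: 1"
    print("vulnerable builder emits", header_line_count(vulnerable_set_cookie("sid", injected)), "lines")
    print("hardened builder rejects it:", is_rejected("sid", injected))
    print("flagged requests:", flag_crlf_requests(SAMPLE_ACCESS_LOG))
```

The detection half is deliberately narrow: it only catches line terminators in the request line and two headers that typically land in an access log, so it complements, rather than replaces, a vendor-supplied detection script that can inspect the product's own session state.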
Above is a high-level, concise summary of the procedure. For those looking for the winding tale of how the experts figured out the attack path, watchTowr published its workflow in its typical tongue-in-cheek style.
The prevailing advice is that if you run cPanel and WHM, get patching ASAP. This is a bad one, and given the likelihood of zero-day exploitation, running cPanel's detection script can help defenders understand whether it's just a patch they need, or whether it's pull-the-cables-out time.
watchTowr also published its own detection artefact generator to help defenders sniff out signs of compromise. ®