| ⚠ CRITICAL ZERO-DAY — PATCH IMMEDIATELY OR BLOCK PORTS 2083/2087 CVE-2026-41940 is a CVSS 9.8 authentication bypass in cPanel & WHM that has been exploited as a zero-day since February 2026. It is now in CISA’s KEV catalog. Proof-of-concept code is publicly available. A ransomware campaign is actively targeting unpatched servers. If you manage a cPanel/WHM server, patch immediately or block TCP ports 2083, 2087, 2095, and 2096 from external access right now. |
A critical authentication bypass in cPanel and WHM — the server management software underpinning an estimated 70 million domains — was silently exploited as a zero-day for over two months before anyone publicly knew it existed. Now it is patched. The PoC is public. A ransomware gang is already weaponising it. And tens of thousands of servers may still be unpatched.
| 70M+ domains underpinned by cPanel/WHM globally | CVSS 9.8 critical severity score | 65-day zero-day exploitation window before public disclosure |
The security community has a phrase for the worst category of vulnerability: a “skeleton key.” It describes a flaw that does not just open one door but opens every door at once, to anyone who knows how to use it, regardless of whatever locks were installed to keep them out. CVE-2026-41940 is a skeleton key. And for at least sixty-five days before the world knew it existed, attackers were already using it.
On April 28, 2026, cPanel disclosed CVE-2026-41940 — a critical, CVSS 9.8 authentication bypass vulnerability in cPanel and WebHost Manager (WHM), the server management software that underpins an estimated 70 million domains and sits on servers housing banks, healthcare organisations, small businesses, and individual websites around the world. The flaw allows an unauthenticated attacker to log in as root — the highest-privilege administrative account — without supplying any valid credentials. From there, the attacker has unrestricted access to every website, database, email account, and configuration file on the server.
The disclosure itself was dramatic enough. What followed made it worse: KnownHost, a hosting provider that uses cPanel, confirmed that the vulnerability had been used as a zero-day since at least February 23, 2026 — meaning attackers had been silently compromising cPanel servers for 65 days before any patch existed or any warning was issued. Within 48 hours of the patch’s release, proof-of-concept exploit code became publicly available. Within 72 hours, a ransomware operation called “Sorry” was mass-exploiting it against unpatched servers. And the United States Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog, mandating that all federal civilian agencies patch by May 3, 2026.
Benjamin Harris, CEO of security research firm watchTowr, described what the hosting industry experienced in the hours after disclosure as a collective emergency response: “Within hours of the advisory dropping, nearly every major hosting provider on the planet had firewalled their own customers off their own product. Hosting.com, Namecheap, KnownHost, HostPapa, InMotion and the rest all pulled the emergency brake because the alternative was watching their entire customer base get owned in real-time.”
Vulnerability Profile: CVE-2026-41940 at a Glance
| Field | Details |
| CVE ID | CVE-2026-41940 |
| CVSS Score | 9.8 / 10 — CRITICAL |
| Vulnerability Type | CRLF Injection → Authentication Bypass → Root Access |
| Affected Software | cPanel & WHM (all versions after 11.40), WP Squared |
| Patched Version | Emergency patch released April 28, 2026 |
| CISA KEV | Yes — added to Known Exploited Vulnerabilities catalog |
| FCEB Patch Deadline | May 3, 2026 (US federal agencies) |
| Attack vector | Network — no credentials, no interaction required |
| Impact | Full server takeover, root access, all hosted sites compromised |
| Zero-day period | Actively exploited since at least February 23, 2026 |
| Exposed instances | ~1.5M (Rapid7/Shodan) to ~2M (Eye Security) internet-facing |
| Domains at risk | 70 million+ (cPanel’s estimated global footprint) |
Understanding the Target: What cPanel and WHM Are
For those unfamiliar with web hosting infrastructure, the scale of the cPanel exposure requires some context. cPanel and WHM (WebHost Manager) are two distinct but paired pieces of software that collectively form the control plane for a very large fraction of the commercial internet’s hosting infrastructure.
cPanel is the user-facing interface that individual website owners interact with. It provides a graphical way to manage their website files, databases, email accounts, domain settings, and SSL certificates — all the things a site owner needs without requiring direct command-line access to the underlying server. WHM is the administrative layer above cPanel — it is the interface used by hosting companies to manage entire servers, create and delete customer accounts, set resource limits, and perform server-level configuration changes.
The combination means that WHM has root-level access to everything on the server. Not just one website — every website hosted on that server. Every database. Every email account. Every uploaded file. Every configuration. WHM is, as watchTowr Labs described it in their technical analysis, “the keys to the kingdom, and then the keys to every individual apartment inside the kingdom. If the kingdom was the internet and the apartments were websites.”
cPanel and WHM are used by an estimated 70 million domains globally, according to industry estimates cited by The Register and Security Week. A significant percentage of commercial web hosting worldwide — including major providers like Namecheap, HostGator, InMotion, KnownHost, HostPapa, and thousands of smaller regional hosting companies — runs on cPanel infrastructure. Canada’s national cybersecurity agency specifically noted that successful exploitation could compromise entire shared hosting servers, potentially affecting every customer on a given host machine simultaneously.
How the Bug Works: CRLF Injection to Root in Three Steps
CVE-2026-41940 has been classified as a CRLF injection vulnerability — a category where an application fails to properly sanitize carriage return (\r) and line feed (\n) characters in user-supplied input, allowing those characters to inject new lines into files or headers and manipulate how the application processes the data. In cPanel’s case, the injection point is the login and session management system. The technical mechanism, published by watchTowr Labs and confirmed by Rapid7, can be summarized in three steps:
Step 1: Create a pre-authentication session. Before any credentials are checked, the cPanel service daemon (cpsrvd) writes a new session file to disk when a login attempt is initiated. An attacker performs a deliberate failed login to trigger this file creation, obtaining a valid session cookie — but one that maps to an unauthenticated session.
Step 2: Inject make-root commands via crafted header. The attacker manipulates the whostmgrsession cookie by omitting a specific segment of the cookie value. This omission bypasses the encryption process that cPanel normally applies to user-supplied values. The attacker then sends a request with a specially crafted Authorization header containing CRLF characters and an instruction to change privileges to root. Because the encryption bypass is active, these plaintext instructions are written directly into the session file on disk.
Step 3: Reload the session to authenticate as root. The attacker triggers a reload of the manipulated session file. cPanel reads the injected credentials from the session file and authenticates the attacker’s session as root. The attacker now has full administrative access to WHM — and through WHM, to every site, database, and account on the server — without ever supplying a valid username or password.
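The three steps above describe a CRLF injection into a line-oriented session store. The following is an added illustration of that bug class, written for this page and not taken from cPanel or watchTowr: the `key=value` session layout, the field names `user` and `authenticated`, and the function names are all assumptions chosen to expose the mechanism, not cPanel's real on-disk format. The vulnerable writer copies an attacker-controlled value straight into the file; the hardened writer refuses any value carrying a carriage return, line feed or NUL, which is the fix for this class regardless of the product.

```python
"""Constructed illustration of CRLF injection into a line-oriented session
file. Added example code, not cPanel's: the format, field names and
functions are assumptions, not cPanel's real session layout."""
import re
import tempfile
from pathlib import Path

# Characters that must never reach a line-oriented store unencoded.
CTRL_CHARS = re.compile(r"[\r\n\x00]")


def write_session_vulnerable(path: Path, fields: dict) -> None:
    """Writes 'key=value' per line and trusts every value (the bug class)."""
    with open(path, "w", newline="") as f:
        for key, value in fields.items():
            f.write(f"{key}={value}\n")


def write_session_hardened(path: Path, fields: dict) -> None:
    """Same layout, but refuses any field carrying CR, LF or NUL so that one
    value can never become several records."""
    for key, value in fields.items():
        if CTRL_CHARS.search(str(key)) or CTRL_CHARS.search(str(value)):
            raise ValueError(f"control character in session field {key!r}")
    write_session_vulnerable(path, fields)


def load_session(path: Path) -> dict:
    """Naive parser: one record per line, last occurrence of a key wins.
    That last-wins rule is what the injection exploits."""
    session = {}
    for line in path.read_text().splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            session[key] = value
    return session


def is_root(session: dict) -> bool:
    """What the server would check when it reloads the session (assumed)."""
    return session.get("user") == "root" and session.get("authenticated") == "1"


# Attacker-controlled value (think: a header copied into the session before
# any password check). The embedded CRLFs turn one field into three records.
INJECTED_USER = "guest\r\nuser=root\r\nauthenticated=1"


def demo_vulnerable() -> dict:
    """Pre-auth session written by the unsanitised writer; returns what the
    server later reads back when it reloads the file."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "session"
        write_session_vulnerable(path, {"authenticated": "0", "user": INJECTED_USER})
        return load_session(path)


def demo_hardened() -> bool:
    """Returns True only if the hardened writer accepted the injected value
    and the reloaded session came back as root."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "session"
        try:
            write_session_hardened(path, {"authenticated": "0", "user": INJECTED_USER})
        except ValueError:
            return False
        return is_root(load_session(path))


if __name__ == "__main__":
    reloaded = demo_vulnerable()
    print("vulnerable reload:", reloaded, "root?", is_root(reloaded))
    print("hardened writer accepted injection?", demo_hardened())
```

The point to take from it is that the injected value never needed a valid password: it only needed to be written to disk unencoded and read back by a parser that treats each line as a record. Rejecting control characters at the write boundary (or encoding the value) closes the class; validating the cookie segment that gates encryption, as the page describes for the real fix, is the product-specific version of the same rule.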
The elegance and simplicity of the attack path is what alarmed the security community. It requires no special tools, no complex infrastructure, no prior knowledge of the target’s configuration. It requires only that cPanel be accessible on its standard ports and that the server be running a vulnerable version. TechRadar’s description was apt: “The crux of the vulnerability lies in the attacker forging an authenticated session without requiring a password. This provides the attacker with root level access to WHM, and therefore access to every website, database, and user account hosted on that particular server.”
“Let’s call this what it is: an unauthenticated authentication bypass in cPanel and WHM, a management-plane solution deployed on tens of thousands of servers and sitting in front of a meaningful chunk of the internet.”
— Benjamin Harris, CEO and Founder, watchTowr
The Zero-Day Timeline: 65 Days of Silent Exploitation
The timeline of CVE-2026-41940 is a study in how long a critical vulnerability in widely-deployed infrastructure can remain undetected and unpatched while being actively exploited:
| Date | Event |
| Feb 23, 2026 | KnownHost detects earliest known exploitation attempts — the vulnerability is already being used as a zero-day with no patch in existence |
| ~Mar–Apr 2026 | Exploitation continues silently. Hosting providers have no visibility into the attack vector. No CVE has been assigned. No patch exists. |
| Apr 28, 2026 | cPanel discloses CVE-2026-41940 and releases emergency patch. All cPanel/WHM versions after 11.40 confirmed affected. WP Squared also vulnerable. |
| Apr 28, 2026 | KnownHost, Namecheap, HostGator, HostPapa, InMotion, hosting.com and others block customer access to cPanel ports 2083/2087 while patching. The emergency brake is pulled across the industry simultaneously. |
| Apr 29, 2026 | watchTowr Labs publishes technical analysis of the CRLF injection mechanism. Rapid7 confirms 1.5 million internet-exposed cPanel instances via Shodan. |
| Apr 30, 2026 | CISA adds CVE-2026-41940 to its Known Exploited Vulnerabilities (KEV) catalog. FCEB agencies given until May 3 to patch. |
| Apr 30, 2026 | Proof-of-concept (PoC) exploit code becomes publicly available — exploitation risk dramatically increases for unpatched systems. |
| May 1, 2026 | BleepingComputer reports the ‘Sorry’ ransomware campaign exploiting CVE-2026-41940 against unpatched cPanel servers. |
| May 3, 2026 | CISA federal patch deadline. Estimated millions of sites still running unpatched cPanel versions. |
The 65-day zero-day window is particularly significant from a forensic and damage-assessment perspective. Hosting providers who have not investigated whether their systems were compromised during this period cannot assume they were not. The KnownHost CEO’s Reddit post noted “around 30 servers showed signs of unauthorized attempted access out of thousands of computers on its network” — language that described attempts, not confirmed compromises. Other providers may have experienced successful compromises that have not yet been identified, because forensic investigation of a 65-day window across large server fleets is complex and time-consuming work.
The Hosting Industry Response: Emergency Brakes, Simultaneous Lockdowns
The response from the hosting industry in the hours after cPanel’s April 28 disclosure was, by any standard, extraordinary — and a clear indicator that the people closest to this vulnerability understood immediately how serious it was.
Namecheap, one of the world’s largest domain registrars and hosting providers, applied firewall rules blocking TCP ports 2083 and 2087 — the standard cPanel and WHM ports — for all customers simultaneously. This locked customers out of their own control panels. “Our team is actively monitoring the situation and will apply the official patch across all supported servers as soon as it becomes available,” the company told customers. “Access to your control panels will be restored immediately once the patch has been successfully deployed.” By April 29 at 02:42 UTC, Namecheap reported the fix had been applied to its Reseller, Stellar Business servers, and the remainder of its fleet.
HostGator described its response as treating the vulnerability as a “critical authentication-bypass exploit,” language that signals its incident response teams were working at the highest internal severity level. KnownHost CEO Daniel Pearson was the most direct of any hosting provider, posting on Reddit that his company had detected exploitation attempts as early as February 23 and urging customers to “restrict access and assume systems could already be compromised if left unpatched.” HostPapa, InMotion, and hosting.com all took similar emergency measures.
The coordinated nature of the response — multiple major providers firewalling their own customers simultaneously — is a rare event in the hosting industry and speaks to the severity of the underlying threat. Hosting companies do not lock customers out of their control panels lightly. The business cost in support tickets, angry customers, and reputation damage is significant. The fact that every major provider concluded this was the right response anyway is its own form of evidence about how serious CVE-2026-41940 is.
The Ransomware Escalation: ‘Sorry’ Campaign Targets Unpatched Servers
The transition from “critical zero-day with active exploitation” to “ransomware campaign” is one of the most consistently observed patterns in modern cybersecurity — and it has happened with CVE-2026-41940 faster than most. BleepingComputer reported on May 1, 2026, that a ransomware operation calling itself “Sorry” had begun mass-exploiting CVE-2026-41940 against unpatched cPanel servers, encrypting data and demanding ransom payments for decryption keys.
Ransomware operators specifically target high-impact infrastructure vulnerabilities because shared hosting servers represent extraordinary leverage: a single compromised server holds the data of dozens or hundreds of individual website owners, all of whom may be willing to pay ransom to recover their sites, databases, and email. The economics are significantly more favourable than targeting individual endpoints.
The public availability of proof-of-concept code — which appeared on April 30, just two days after the patch — has dramatically lowered the technical barrier for additional threat actors to join the campaign. A PoC for a CVSS 9.8 authentication bypass in infrastructure used by 70 million domains is among the highest-value pieces of exploit code that can exist in the public domain. Every day that passes without patching is a day that more threat actors are scanning for vulnerable servers and building their own targeting lists.
“cPanel underpins hosting for tens of millions of sites, many run by small outfits that rely on providers to handle security. For them, ‘patch now’ often means ‘wait and hope,’ which is not a great place to be when a near-max severity bug is already being weaponized.”
— The Register, May 1, 2026
How Many Servers Are Exposed? The Numbers Don’t Agree — and That’s the Problem
The difficulty in assessing the precise scope of CVE-2026-41940’s exposure illustrates one of the most persistent challenges in enterprise cybersecurity: the gap between “deployed” and “patched.” Multiple organisations have independently scanned the internet for exposed cPanel instances, and the numbers they found vary considerably:
Rapid7, using the Shodan internet intelligence platform, identified approximately 1.5 million internet-accessible cPanel instances. Eye Security, reporting via LinkedIn, put the number at over 2 million. Both figures represent only the instances directly exposed to the internet — cPanel deployments behind internal networks or VPNs are additional and unscanned. cPanel’s own estimates of its total deployment footprint run to 70 million domains, spread across a much smaller number of individual servers.
The key unknown is how many of those 1.5–2 million internet-facing instances have applied the April 28 patch. cPanel offers an auto-update feature that automatically applies patches — but not all server administrators have it enabled, and not all hosting providers manage their servers through auto-update. Particularly for smaller hosting providers and self-managed servers, the patch adoption rate may lag significantly behind the disclosure date. As The Register noted, for the long tail of small hosting providers that rely on manual update processes, “‘patch now’ often means ‘wait and hope.'”
What to Do Right Now: Prioritised Mitigation Steps
For every server administrator, hosting provider, or website owner whose infrastructure relies on cPanel or WHM, the following prioritised actions are required:
| Priority | Action | Details |
| 🔴 NOW | Patch cPanel | Update to the latest cPanel/WHM release (post April 28, 2026 builds). Restart the cpsrvd service after patching. |
| 🔴 NOW | Block ports | Block external access to TCP ports 2083, 2087, 2095, and 2096. Providers such as Namecheap firewalled these ports for all customers while patching; on a self-managed server, restrict them to known admin IPs only. |
| 🟠 TODAY | Stop cpsrvd | If patching isn’t immediate, stop cpsrvd and cpdavd services to eliminate the attack surface entirely until the patch is applied. |
| 🟠 TODAY | Check for compromise | Review cPanel/WHM access logs for root or WHM sessions from unexpected IPs, especially ones preceded by a failed login from the same address, since a deliberate failed login followed by root access is the footprint the bypass leaves. |
| 🟠 TODAY | Run watchTowr scan | Use watchTowr Labs’ free Detection Artifact Generator (GitHub) to verify whether your instances are vulnerable. |
| 🟡 SOON | Rotate credentials | If exploitation cannot be ruled out, rotate all WHM/cPanel root passwords, API tokens, and hosted site database credentials. |
| 🟡 SOON | Enable auto-update | cPanel’s automatic update feature was not enabled on many affected servers. Enable automatic daily updates in WHM’s Update Preferences so future emergency patches are applied without manual intervention. |
| 🟢 ONGOING | Monitor KEV | Monitor CISA’s Known Exploited Vulnerabilities catalog (cisa.gov/kev) for future cPanel vulnerabilities. This is not the platform’s first major flaw. |
For website owners hosted on shared servers: you cannot apply the patch yourself — that is your hosting provider’s responsibility. Contact your hosting provider to confirm they have applied the CVE-2026-41940 patch. If your provider has not communicated their patch status and cannot confirm it, consider temporarily migrating critical data until they do. Check whether your provider blocked cPanel ports as an emergency measure, and ask when those ports will be reopened following patch application.
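For the “check for compromise” step in the table above, here is an added hunting script written for this page; it is not cPanel’s, watchTowr’s or any provider’s tooling. It assumes the access log uses an Apache-combined-like layout (client IP, ident, authenticated user, timestamp, request line, status), that a failed login returns 401 or 403 on a `/login` path, and that the operator knows their admin addresses; the sample log lines, the IP allowlist and the five-minute window are constructed for the demonstration. It flags two things the three-step mechanism would leave behind: root activity from an address you do not recognise, and root activity shortly after a failed login from the same address.

```python
"""Added example (not cPanel's or any vendor's code): heuristic hunt over
WHM access-log lines for the footprint of the authentication bypass.
Log layout, status codes, allowlist and window are assumptions."""
import re
from datetime import datetime, timedelta

# Assumed Apache-combined-like layout: ip ident user [ts] "METHOD path PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

ADMIN_IPS = {"198.51.100.10"}        # assumption: the operator's known admin addresses
WINDOW = timedelta(minutes=5)        # assumption: failed login -> root access proximity

# Constructed sample log (not real traffic): an admin session, then an
# attacker-style failed login followed two seconds later by root activity,
# then root activity from a third address with no failed login at all.
SAMPLE_LOG = [
    '198.51.100.10 - root [29/Apr/2026:01:00:00 +0000] "GET /cpsess1111/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [29/Apr/2026:03:12:01 +0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "-" "curl/8.0"',
    '203.0.113.7 - root [29/Apr/2026:03:12:03 +0000] "GET /cpsess2222/json-api/listaccts HTTP/1.1" 200 8192 "-" "curl/8.0"',
    '192.0.2.50 - root [29/Apr/2026:04:00:00 +0000] "GET /cpsess3333/scripts/listaccts HTTP/1.1" 200 4096 "-" "python-requests/2.31"',
    'garbage line that should be skipped',
]


def parse(line: str):
    """Returns a dict for a parsable line, None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def hunt(lines, admin_ips=ADMIN_IPS, window=WINDOW):
    """Returns (kind, ip, timestamp) findings, ordered by time."""
    events = [ev for ev in (parse(l) for l in lines) if ev]
    events.sort(key=lambda ev: ev["ts"])
    findings = []
    last_failed_login = {}  # ip -> timestamp of the most recent failed login
    for ev in events:
        ip = ev["ip"]
        if ev["path"].startswith("/login") and ev["status"] in (401, 403):
            last_failed_login[ip] = ev["ts"]
            continue
        if ev["user"] != "root" or ev["status"] != 200:
            continue
        # Root activity from an address not on the admin allowlist.
        if ip not in admin_ips:
            findings.append(("root-from-unexpected-ip", ip, ev["ts"]))
        # Root activity shortly after a failed login from the same address:
        # the pre-auth-session-then-root sequence described for the bypass.
        prev = last_failed_login.get(ip)
        if prev is not None and ev["ts"] - prev <= window:
            findings.append(("failed-login-then-root", ip, ev["ts"]))
    return findings


if __name__ == "__main__":
    for kind, ip, ts in hunt(SAMPLE_LOG):
        print(f"{ts.isoformat()}  {kind:26s}  {ip}")
```

Run it against the real file rather than the embedded sample (the path and exact format vary by version, so check a few real lines against `LINE_RE` first) and treat hits as leads for forensic work, not proof: the heuristic cannot see a session that was manipulated without a logged failed login, and a clean result does not rule out compromise during the zero-day window.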
The Bigger Picture: A Warning About Shared Hosting Security
CVE-2026-41940 is being discussed in some security circles as a “generational” vulnerability — one that reveals a structural weakness in how a significant portion of internet infrastructure is managed and secured. The combination of factors that makes it so serious is not unique to this specific flaw: it is endemic to how shared hosting works.
Shared hosting — where multiple website owners’ sites run on the same physical or virtual server — is the dominant model for hosting small and medium-sized websites globally. It is cost-effective and easy to use. Its security model, however, is fundamentally asymmetric: a single vulnerability in the management plane affects every site on the server simultaneously. A small business owner hosting their site on a shared server has made no security choices that could protect them from a flaw in the hosting provider’s cPanel installation. They are entirely dependent on their provider.
Canada’s national cybersecurity agency made this dependency explicit in its CVE-2026-41940 advisory: “Successful exploitation of CVE-2026-41940 could allow an attacker to modify server configurations and potentially compromise all websites on shared hosting servers.” For the hosting industry, that is a sobering read. For the individual website owners who have no idea their hosting infrastructure runs on cPanel, it is the kind of statement that should prompt a direct question to their provider: are you patched?
The Skeleton Key Is Out There — But the Lock Has Been Changed
CVE-2026-41940 is patched. The fix has existed since April 28, 2026, and any server running an updated cPanel build is no longer vulnerable. That is the most important fact in this story — and it is the fact that separates the servers that will be compromised in the weeks ahead from those that will not.
The patch availability does not undo the 65 days of zero-day exploitation that preceded it, and it does not protect the servers that have not yet applied it. The proof-of-concept is public. The ransomware campaign is running. The CISA deadline has passed. For unpatched systems, CVE-2026-41940 is not a theoretical risk — it is an active, weaponised attack vector being used by both opportunistic criminals and more sophisticated threat actors right now.
The lesson for the hosting industry — and for anyone whose online presence depends on shared hosting infrastructure — is that the security of your website is inseparable from the security of the server management software your provider uses, and from how quickly that provider responds when something goes catastrophically wrong. CVE-2026-41940 has tested that response. Most major providers passed — quickly, decisively, at real cost to their own operations. The question for every remaining unpatched server is how much longer it will take to pass the same test.