A critical vulnerability in cPanel and WHM, registered as CVE-2026-41940, has been actively exploited since February, two months before a patch was released. The flaw allows attackers to bypass the login screen and gain full administrative access to the server. This grants them total control over hosted data, websites, databases, and emails, compromising the security of thousands of servers.
Technical details of the authentication bypass 🛡️
The flaw lies in a logic error in session handling during authentication. By sending a specially crafted request to the WHM API, the system skips credential verification and grants root privileges. No prior authentication or user interaction is required. The exploit has been shared on cybercrime forums, and analyses show it affects cPanel and WHM versions prior to 110.0.18. The recommendation is to update immediately and review logs for suspicious access.
The good thing about hackers warning before the manufacturer 😅
Attackers had two months to roam servers as if they were legitimate administrators, while cPanel worked on the patch with the urgency of a snail in rush hour. Now, the hosting community discovers that their security depended on no one noticing a hole the size of a truck. Good thing hackers are so considerate that they always warn first, even if it's using your data as a business card.