cPanel Zero-Day Gave Attackers Admin Access Without Login

Attackers have reportedly been exploiting a critical authentication bypass vulnerability in cPanel for months before a patch was released, raising concerns about widespread unauthorized access across internet-facing hosting infrastructure.

The flaw, tracked as CVE-2026-41940, allows unauthenticated remote attackers to gain administrator-level access to cPanel and WHM systems. Researchers say exploitation activity dates back to at least February 23, well before public disclosure and patch availability on April 28.

cPanel is one of the most widely deployed web hosting control panels, commonly used by hosting providers to manage websites, databases, and server configurations. A successful compromise could grant attackers control over entire hosting environments.

Auth Bypass Lets Attackers Skip Login Entirely

The vulnerability stems from improper handling of session creation before authentication has completed. The cPanel service daemon reportedly writes session data to disk before it has verified the user's credentials, which lets an attacker influence how that session is constructed.

By crafting a malicious request, an attacker can inject arbitrary values into the session file, including a privilege-bearing field such as user=root. When the daemon later reloads that session, the attacker is treated as an administrator without ever having supplied valid credentials.

This removes authentication as a barrier altogether: no password, stolen credential or brute-force attempt is needed, which makes the flaw considerably more dangerous than the credential-based compromises hosting providers more commonly deal with.
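The following is an added illustration of the bug class described above, not cPanel's code: a toy file-backed session store whose vulnerable path persists request data before checking the password and copies the username in unvalidated, next to a hardened path that validates the field and writes nothing until the credentials have been verified. The key=value file format, the field names (user, authenticated), the "last occurrence wins" parsing and the fixed demo credentials are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not cPanel's code: a toy file-backed session store that
# reproduces the bug class described in the article. The key=value file
# format, the field names (user, authenticated) and "last occurrence wins"
# parsing are assumptions made for illustration.

SESSION_DIR="${SESSION_DIR:-$(mktemp -d)}"

new_session_id() {
  # 128-bit random id from the kernel CSPRNG
  od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# VULNERABLE: the session file is persisted from request data before the
# password is checked, and the username is copied in without validation.
vulnerable_create_session() {      # $1 = username field from the login request
  id=$(new_session_id)
  printf 'authenticated=0\nuser=%s\n' "$1" > "$SESSION_DIR/$id"
  echo "$id"
}

# Reloads one field from a session file; if a key appears twice the last
# value wins, which is what the injected lines rely on.
session_get() {                    # $1 = session id, $2 = key
  sed -n "s/^$2=//p" "$SESSION_DIR/$1" | tail -n 1
}

# Stand-in for real credential verification (assumed fixed credentials).
check_password() {                 # $1 = username, $2 = password
  [ "$1" = "alice" ] && [ "$2" = "correct horse battery" ]
}

# HARDENED: reject any username outside a conservative charset (so neither a
# newline nor '=' can reach the file) and write nothing to disk until the
# credentials have actually been verified.
hardened_create_session() {        # $1 = username, $2 = password
  case "$1" in
    ''|*[!a-zA-Z0-9_.-]*) echo "rejected: invalid username" >&2; return 1 ;;
  esac
  check_password "$1" "$2" || { echo "rejected: bad credentials" >&2; return 1; }
  id=$(new_session_id)
  printf 'authenticated=1\nuser=%s\n' "$1" > "$SESSION_DIR/$id"
  echo "$id"
}

# Demo: the attacker's "username" carries two extra lines that the vulnerable
# path writes verbatim, so the reloaded session belongs to root and is marked
# authenticated although no password was ever checked.
evil_user=$(printf 'guest\nuser=root\nauthenticated=1')
sid=$(vulnerable_create_session "$evil_user")
echo "vulnerable: user=$(session_get "$sid" user) authenticated=$(session_get "$sid" authenticated)"
if hardened_create_session "$evil_user" "anything" 2>/dev/null; then
  echo "hardened: BUG, injected username accepted"
else
  echo "hardened: injected username rejected before any file was written"
fi
```

The two fixes are independent and both are needed: input validation alone still leaves a pre-authentication file on disk that another bug could tamper with, and deferring the write alone still lets a crafted username corrupt a legitimately created session later.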

Exploitation Window Raises Disclosure Questions

Researchers indicate that attackers were already exploiting the vulnerability in the wild prior to any public technical disclosure. This suggests the flaw may have been independently discovered or circulated privately before patches became available, similar to Operation TrueChaos zero-day attacks targeting government networks.

Reports suggest the issue may have been disclosed to the vendor roughly two weeks before the advisory was published, though details around the initial report and its handling remain unclear.

WebPros, the company behind cPanel, released a security advisory and patches on April 28. At time of publication, the company had not issued any public statement addressing the reported pre-disclosure exploitation activity.

Mass Scanning Activity Targets Exposed Servers

The scale of exposure is substantial. Estimates suggest approximately 1.5 million cPanel instances are accessible from the internet, though it remains unclear how many were vulnerable at the time exploitation began.

Security monitoring data shows widespread scanning and exploitation attempts, with tens of thousands of unique IP addresses observed probing or attempting to abuse the flaw. This level of activity mirrors large-scale automated exploitation campaigns like the React2Shell attacks.

Hundreds of thousands of systems remain exposed online, increasing the likelihood of opportunistic attacks.

The volume of activity indicates automated scanning and exploitation campaigns rather than isolated or targeted intrusions.

Hosting Providers Rush to Apply Mitigations

Hosting providers moved quickly to contain the risk once the vulnerability became public. Common defensive measures included restricting access to the cPanel and WHM service ports to trusted networks and rolling patched versions out across affected systems.

Recommended mitigations include restricting access to ports 2083 (cPanel over TLS), 2087 (WHM over TLS), 2095 and 2096 (Webmail, plain and TLS), restarting the affected services once patched, and reviewing logs for suspicious activity, such as administrator-level sessions with no matching successful login.
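The port restriction recommended above, as an added example rather than WebPros or cPanel tooling: a script that generates (and can load) an nftables ruleset allowing the four ports only from a management network. ADMIN_NET, the table name cpanel_guard and the use of nftables rather than a provider's own firewall layer are assumptions for the example.

```shell
#!/bin/sh
# Added example, not cPanel/WebPros tooling: build an nftables ruleset that
# allows the cPanel/WHM ports named in the advisory only from a management
# network. ADMIN_NET and the table name are assumed values; replace them.
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"
# 2083 = cPanel (TLS), 2087 = WHM (TLS), 2095/2096 = Webmail (plain/TLS)
CPANEL_PORTS="2083, 2087, 2095, 2096"

gen_cpanel_ruleset() {            # $1 = allowed source CIDR; ruleset on stdout
  # The first two lines make the load idempotent: create the table if it is
  # missing, then drop it, so re-running the script never duplicates rules.
  # 'ip saddr' covers IPv4 only; add an 'ip6 saddr' rule for an IPv6 admin net.
  printf '%s\n' \
    "table inet cpanel_guard" \
    "delete table inet cpanel_guard" \
    "table inet cpanel_guard {" \
    "  chain input {" \
    "    type filter hook input priority -10; policy accept;" \
    "    ip saddr $1 tcp dport { $CPANEL_PORTS } accept" \
    "    tcp dport { $CPANEL_PORTS } counter drop" \
    "  }" \
    "}"
}

apply_cpanel_ruleset() {          # loads the ruleset atomically (needs root + nft)
  gen_cpanel_ruleset "$ADMIN_NET" | nft -f -
}

# After loading, the drop counter should keep climbing while Internet scanners
# probe the ports, and only hosts in ADMIN_NET should still be able to connect.
show_cpanel_drops() {
  nft list chain inet cpanel_guard input
}

case "${1:-}" in
  --apply) apply_cpanel_ruleset && show_cpanel_drops ;;
  *)       gen_cpanel_ruleset "$ADMIN_NET" ;;
esac
```

Run it without arguments to review the generated rules, then with --apply to load them. cPanel also serves non-TLS variants of these interfaces on 2082 and 2086; if those listeners are enabled, give them the same treatment. Restricting the ports limits new exploitation attempts but does nothing about a session an attacker created before the rules went in, so it complements, rather than replaces, patching and log review.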

The vulnerability affects cPanel and WHM versions from 11.40 up to 136.0.5 across multiple release branches, with patched versions released in subsequent builds.

While some providers report limited signs of post-exploitation activity beyond initial access attempts, the lack of visibility into attacker actions during the pre-disclosure period leaves uncertainty around potential compromise.

Full Server Control Raises Impact Across Hosted Environments

Successful exploitation of CVE-2026-41940 could allow attackers to take control of hosted websites, databases, and server configurations. In shared hosting environments, this raises the risk of cross-account impact affecting multiple customers on a single server.

With scanning activity ongoing and a large number of exposed systems still online, organizations running cPanel are under pressure to confirm patch status and investigate potential unauthorized access.

m00s3c

Moose (@m00s3c) is the author of BreachNews, focusing on data breach intelligence, dark web monitoring, and threat analysis. His work involves analyzing breach claims, reviewing leaked datasets, and tracking threat actor activity to provide clear, factual reporting.
