A critical authentication bypass vulnerability in cPanel, WHM, and WP Squared has been confirmed as actively exploited in the wild, with evidence suggesting attacks began as far back as late February 2026 — weeks before the vulnerability was publicly disclosed. A proof-of-concept exploit has since been released, significantly raising the risk for unpatched deployments.
The Vulnerability: CVE-2026-41940
CVE-2026-41940 is an authentication bypass flaw affecting cPanel and WHM, the widely used web hosting control panel software powering millions of shared hosting environments globally. The vulnerability allows an unauthenticated attacker to bypass authentication controls and gain unauthorized access to the affected system.
WP Squared, a cPanel-affiliated WordPress management product, is also confirmed vulnerable. The combined install base of cPanel, WHM, and WP Squared spans hosting providers across the enterprise and SMB segments, making the vulnerability's real-world impact potentially enormous.
Zero-Day Exploitation Timeline
The bug's exploitation predates its public disclosure, placing it firmly in zero-day territory for the weeks it was leveraged before a patch was available. Threat actors with knowledge of the flaw were actively scanning for and attacking vulnerable cPanel and WHM installations throughout the window between initial exploitation and patch release.
- Late February 2026 — First observed exploitation attempts in the wild
- April 30, 2026 — Public disclosure and patched versions released
- April 30, 2026 — Proof-of-concept exploit code publicly released
The public release of a PoC significantly lowers the bar for exploitation, enabling even less sophisticated attackers to weaponize the flaw. Hosting providers and server administrators running cPanel or WHM are strongly urged to patch immediately.
Impact and Risk
cPanel and WHM are deployed on a vast number of shared hosting servers. Successful exploitation of this authentication bypass could allow an attacker to:
- Access any hosted account on a shared server without valid credentials
- Execute commands with the privileges of the web server or root, depending on configuration
- Modify or delete hosted websites and their underlying files
- Steal credentials, databases, and email data stored on the server
- Install backdoors for persistent access or to serve malware to site visitors
- Move laterally from the compromised hosting server into adjacent infrastructure
For managed hosting providers, a single vulnerable cPanel server can expose all customer accounts on that instance simultaneously.
Affected Versions
cPanel has released an emergency update to address CVE-2026-41940. Administrators should consult the cPanel Security Advisories page for the exact build numbers that include the fix and update via the standard cPanel update mechanism (/usr/local/cpanel/scripts/upcp) or the WHM interface.
WP Squared users should separately verify whether an update is available through the WP Squared management interface.
Recommended Actions
Administrators and hosting providers running cPanel, WHM, or WP Squared should take the following steps immediately:
- Apply the patch — Run /usr/local/cpanel/scripts/upcp to update to the patched cPanel/WHM build without delay
- Review access logs — Audit authentication logs for suspicious access patterns dating back to at least late February 2026
- Check for backdoors — Scan web-accessible directories for unexpected PHP files, web shells, or modified configuration files
- Rotate credentials — Force password resets for all cPanel accounts on the server and rotate API keys
- Enable two-factor authentication — Add 2FA to all cPanel, WHM, and FTP accounts as an additional layer of protection
- Monitor for anomalous traffic — Use ModSecurity or equivalent WAF rules to detect and block exploitation attempts while patching proceeds
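A triage sketch for the "Check for backdoors" step, added here as an example and not taken from cPanel or from the original article: it lists PHP-like files changed since the start of the exploitation window and marks those whose modification time was set back by hand. The function name, the 2026-02-20 cut-off, the /home/*/public_html document roots and the upload-directory names are assumptions to adjust per server; it needs GNU find, stat and date.

```shell
#!/bin/sh
# Added triage example; function name, directory-name list and the sample
# cut-off date are assumptions, not values from cPanel or the advisory.
# Requires GNU find, stat and date (standard on Linux cPanel hosts).

# triage_php SINCE ROOT...
# Prints "WHEN<TAB>WHERE<TAB>path" for every PHP-like file whose content
# (mtime) or inode metadata (ctime) changed on or after SINCE.
#   WHEN   RECENT     mtime falls inside the window
#          BACKDATED  mtime is older than SINCE but ctime is not, so the
#                     timestamp was set by hand (touch -d, archive restore)
#   WHERE  UPLOADDIR  script sits in a directory that normally holds data
#          DOCROOT    anywhere else under the scanned root
triage_php() {
    since=$1
    shift
    since_epoch=$(date -d "$since" +%s) || return 2
    # Matching on ctime as well as mtime catches files whose mtime was
    # rewritten: an unprivileged process cannot choose its own ctime.
    find "$@" -xdev -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) \
        \( -newermt "$since" -o -newerct "$since" \) \
        -exec sh -c '
            cutoff=$1
            shift
            for f in "$@"; do
                mtime=$(stat -c %Y -- "$f") || continue
                case $f in
                    */uploads/*|*/images/*|*/img/*) where=UPLOADDIR ;;
                    *) where=DOCROOT ;;
                esac
                if [ "$mtime" -lt "$cutoff" ]; then
                    when=BACKDATED
                else
                    when=RECENT
                fi
                printf "%s\t%s\t%s\n" "$when" "$where" "$f"
            done' sh "$since_epoch" {} +
}

# Example invocation (assumed cut-off and paths):
#   sh triage.sh 2026-02-20 /home/*/public_html
if [ "$#" -gt 0 ]; then
    triage_php "$@"
fi
```

Every hit is a lead to review against known deployments and backups, not a verdict; legitimate updates made during the window will also appear as RECENT.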
Broader Context
Authentication bypass vulnerabilities in widely deployed hosting control panels are among the most severe classes of web hosting flaws. The combination of a large install base, high value of the data hosted, and now a public PoC makes CVE-2026-41940 a high-priority remediation target. Hosting providers operating fleets of cPanel servers should treat this as a P1 incident response item and verify patching status across all managed nodes.
The release of the PoC means automated exploitation frameworks will likely incorporate this flaw within days. The window for safe remediation is closing rapidly.