Executive Summary
A critical missing authentication vulnerability (CVE-2026-41940) has been identified in WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared), the industry-standard web hosting control panel software deployed across millions of shared hosting environments globally. The flaw exists in the login flow and allows unauthenticated remote attackers to bypass authentication entirely and gain unauthorized access to the control panel.
The vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. Hosting providers and server administrators running affected versions of cPanel, WHM, or WP2 must apply the emergency patch immediately.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-41940 |
| Severity | Critical |
| CWE | CWE-306 — Missing Authentication for Critical Function |
| Type | Authentication Bypass / Unauthorized Access |
| Attack Vector | Network |
| Privileges Required | None (unauthenticated) |
| User Interaction | None |
| CISA KEV | Yes — actively exploited |
| Patch Available | Yes |
Affected Products
| Product | Vendor | Status |
|---|---|---|
| cPanel & WHM | WebPros | Vulnerable — patch available |
| WP2 (WordPress Squared) | WebPros | Vulnerable — patch available |
Technical Analysis
Root Cause
CVE-2026-41940 is classified as CWE-306: Missing Authentication for Critical Function. The vulnerability exists in the login flow of cPanel & WHM and WP2, where a critical function path fails to enforce proper authentication checks before granting access to the control panel interface.
An unauthenticated attacker can send a crafted request to the affected login endpoint, causing the application to bypass its own authentication logic and grant access without requiring valid credentials.
Attack Flow
1. Attacker identifies a target running vulnerable cPanel/WHM/WP2
2. Attacker crafts malicious HTTP request to the cPanel login endpoint
3. Authentication check is bypassed due to missing validation in the login flow
4. Attacker receives an authenticated session for the control panel
5. Full control panel access achieved — no credentials required
6. Attacker can access, modify, or destroy all hosted accounts on the server
Exploitation Conditions
- Target must be running a vulnerable version of cPanel & WHM or WP2
- No prior authentication, credentials, or account required
- Network access to the cPanel/WHM port (typically TCP 2083, 2087) is sufficient
- Exploitation is confirmed in-the-wild per CISA KEV designation
Impact Assessment
| Impact Area | Description |
|---|---|
| Full Control Panel Access | Attacker gains admin-level access to the hosting control panel |
| All Hosted Accounts at Risk | Every account on a shared server is exposed simultaneously |
| File System Access | Read, write, delete any file across hosted accounts |
| Database Compromise | Access to all MySQL/MariaDB databases on the server |
| Email Exfiltration | All hosted mailboxes and email data accessible |
| Backdoor Installation | Attacker can install webshells or modify site code |
| Lateral Movement | Compromised server can be used to pivot into adjacent infrastructure |
| Credential Theft | cPanel account passwords, FTP credentials, API keys all accessible |
For managed hosting providers, a single vulnerable cPanel server exposes every customer account on that instance simultaneously, making this a catastrophic multi-tenant risk.
Immediate Remediation
Step 1: Apply the Emergency Update
# Update cPanel/WHM to the patched version via upcp
/usr/local/cpanel/scripts/upcp --force
# Verify the installed version
/usr/local/cpanel/cpanel -V
# For tier-based update channels, ensure automatic updates are enabled
whmapi1 set_tweaksetting key=cpanel_updates value=daily
Alternatively, update via the WHM interface: WHM > cPanel > Upgrade to Latest Version.
Step 2: Restrict Control Panel Access
# Restrict cPanel/WHM ports to trusted management IPs only
# Block external access to ports 2083 and 2087 at the firewall
iptables -I INPUT -p tcp --dport 2087 ! -s <trusted_mgmt_ip> -j DROP
iptables -I INPUT -p tcp --dport 2083 ! -s <trusted_mgmt_ip> -j DROP
Step 3: Audit for Compromise
# Review recent cPanel access logs for anomalous authentication events
grep -i "success" /usr/local/cpanel/logs/access_log | tail -500
# Check for unexpected file changes across all accounts
# (create the reference file first, e.g. touch -d "<baseline date>" /tmp/baseline_date)
find /home/*/public_html -name "*.php" -newer /tmp/baseline_date -type f 2>/dev/null
# List recently created cPanel accounts
whmapi1 listaccts | grep -E "creation_date|user"
# Search for obfuscated PHP files (common webshell indicator)
grep -rn "base64_decode" /home/*/public_html/ 2>/dev/null | head -50
Step 4: Rotate All Credentials
# Force password changes for all cPanel accounts
# (only the "user:" field is matched so that other values containing "user" are not picked up;
#  the generated passwords are not recorded, so users must reset them through your support process)
for user in $(whmapi1 listaccts | grep -E '^ *user:' | awk -F: '{print $2}' | tr -d ' "'); do
    whmapi1 passwd user="$user" password="$(openssl rand -base64 24)" db_pass_update=1
done
Detection Indicators
| Indicator | Description |
|---|---|
| Unauthenticated requests to cPanel login endpoints | Exploitation attempt in web logs |
| New cPanel accounts created without corresponding billing events | Attacker-created persistence |
| Unexpected PHP files in public_html directories | Webshell installation |
| Outbound connections from web processes to unusual IPs | Post-compromise C2 activity |
| Unusual file modifications across multiple hosted accounts simultaneously | Mass exploitation |
| Access log entries with no corresponding password authentication | Exploitation artifact |
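As an added example (not part of this advisory or of cPanel's own tooling), the following Python script automates the Step 3 file audit and the "unexpected PHP files in public_html" indicator above: it flags PHP files under a /home-style tree that changed after a baseline date and contain obfuscation markers, generalizing the page's single base64_decode grep to a small marker list (an assumed list, tune it for your fleet), and demonstrates on a constructed sample tree.

```python
"""Step 3 helper: flag PHP files changed after a baseline date that carry
common obfuscation markers. Added example, not cPanel/WHM code."""
import os
import re
import tempfile
import time
from pathlib import Path

# Markers worth a manual look. Generalizes the page's base64_decode grep;
# the extra entries are an assumed list, tune it for your fleet.
INDICATORS = ("base64_decode", "gzinflate", "str_rot13", "eval(")


def find_suspicious_php(root, baseline_ts, indicators=INDICATORS):
    """Return [(path, [markers])] for *.php under root whose mtime is
    after baseline_ts and whose contents match at least one marker."""
    pattern = re.compile("|".join(re.escape(i) for i in indicators))
    hits = []
    for path in sorted(Path(root).rglob("*.php")):
        if not path.is_file() or path.stat().st_mtime <= baseline_ts:
            continue  # untouched since the baseline: skip
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable (permissions, race): skip, do not abort
        found = sorted(set(pattern.findall(text)))
        if found:
            hits.append((str(path), found))
    return hits


def demo():
    """Build a constructed /home-style tree and scan it; returns hits with
    paths relative to the tree root (sample data, not real accounts)."""
    baseline = time.time() - 7 * 86400  # constructed baseline: a week ago
    files = {  # relative path: (content, mtime offset from baseline)
        "alice/public_html/index.php": ("<?php echo 'ok'; ?>", -86400),
        "alice/public_html/up/x.php": ("<?php $d = gzinflate(base64_decode($b)); ?>", 3600),
        "bob/public_html/contact.php": ("<?php mail($to, $s, $m); ?>", 3600),
        "bob/public_html/lib/legacy.php": ("<?php $x = base64_decode($y); ?>", -86400),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (content, delta) in files.items():
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(content)
            os.utime(p, (baseline + delta, baseline + delta))
        return [(os.path.relpath(p, root), m)
                for p, m in find_suspicious_php(root, baseline)]


if __name__ == "__main__":
    for path, markers in demo():
        print(path, ",".join(markers))
```

Only the file that is both newer than the baseline and carries a marker is reported; the older legacy.php with base64_decode is deliberately left out, which is why the baseline date matters when reviewing a live server.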
Post-Remediation Checklist
- Patch immediately — Apply the cPanel/WHM emergency update via /usr/local/cpanel/scripts/upcp --force
- Verify patch — Confirm the updated version number resolves CVE-2026-41940
- Restrict access — Firewall cPanel/WHM ports (2083, 2087) to trusted management IPs only
- Audit all accounts — Review for unauthorized accounts, file modifications, and webshells
- Rotate all credentials — Force password resets for all cPanel, WHM, FTP, and database accounts
- Invalidate API tokens — Regenerate all cPanel and WHM API tokens
- Enable 2FA — Enforce two-factor authentication on all control panel accounts
- Review access logs — Examine logs from at least late February 2026 onward for exploitation artifacts
- Notify customers — Inform hosted customers of the incident and any potential data exposure
- Monitor for re-exploitation — Set up alerts for anomalous control panel authentication events