cPanel & WHM Authentication Bypass

Byadmblake May 26, 2026

What is the Vulnerability? CVE-2026-41940 is a critical authentication bypass vulnerability affecting WebPros cPanel & WHM, DNSOnly, and WP Squared installations. The vulnerability stems from improper handling of CRLF injection during the login and session-loading process, enabling attackers to forge authenticated sessions and gain unauthorized administrative access. Successful exploitation may allow remote unauthenticated attackers to…

What is the Vulnerability?

CVE-2026-41940 is a critical authentication bypass vulnerability affecting WebPros cPanel & WHM, DNSOnly, and WP Squared installations. The vulnerability stems from improper handling of CRLF injection during the login and session-loading process, enabling attackers to forge authenticated sessions and gain unauthorized administrative access.

Successful exploitation may allow remote unauthenticated attackers to obtain full administrative control of vulnerable hosting environments, potentially leading to website compromise, credential theft, web shell deployment, malicious configuration changes, and persistent access.

CISA added CVE-2026-41940 to the Known Exploited Vulnerabilities (KEV) Catalog on April 30, 2026 due to evidence of active exploitation in the wild, with public proof-of-concept exploit code already available.

What is the recommended Mitigation?

• Affected versions include cPanel & WHM releases prior to:

11.110.0.97

11.118.0.63

11.126.0.54

11.132.0.29

11.134.0.20

11.136.0.5

Organizations should immediately:

• Upgrade to vendor-fixed releases

• Restrict exposure of WHM administrative interfaces

• Review session directories and authentication logs

• Rotate administrative credentials

• Hunt for suspicious session creation activity

What FortiGuard Coverage is available?

• FortiGuard Intrusion Prevention System (IPS) Service: FortiGuard IPS Service provides coverage to detect and block exploitation attempts targeting CVE-2026-41940, including malicious authentication bypass attempts against vulnerable cPanel & WHM deployments.

• FortiGuard Antivirus & Behavior Detection: Protects against malicious payloads and post-exploitation activity associated with compromised cPanel environments, including detection of suspicious administrative session creation, web shell deployment, unauthorized privilege escalation, and abnormal process execution originating from exploited hosting infrastructure.

• FortiGuard Web Application Firewall (WAF): FortiGuard WAF provides protection against authentication bypass attempts, malicious HTTP requests, CRLF injection abuse, and suspicious session manipulation targeting vulnerable cPanel & WHM services.

• FortiGuard Web Filtering: Blocks access to known malicious domains, attacker-controlled infrastructure, and command-and-control servers associated with exploitation campaigns targeting exposed cPanel administrative interfaces.

• FortiGuard Incident Response: Organizations that suspect compromise or unauthorized administrative access involving CVE-2026-41940 should engage FortiGuard Incident Response for rapid investigation, persistence analysis, credential exposure assessment, containment, and remediation.

• FortiGuard Labs Threat Intelligence: FortiGuard Labs continues to monitor active exploitation activity, emerging indicators of compromise, attacker infrastructure, and evolving tactics associated with CVE-2026-41940 to provide timely protections and actionable intelligence updates.

cPanel & WHM Authentication Bypass

‘TruffleNet’ Attack Wields Stolen Credentials Against AWS

Malicious Npm Packages Abuse Adspect Cloaking in Crypto Scam

Prep is Underway, But 2026 FIFA World Cup Poses Significant Cyber Challenges

Thailand Targets Cyber Sweatshops to Free 1,000s of Captives

⚡ Weekly Recap: VPN 0-Day, Encryption Backdoor, AI Malware, macOS Flaw, ATM Hack & More

CISA Warns: Old DNS Trick ‘Fast Flux’ Is Still Thriving

Related