Bug of the year (so far): Nasty cPanel vulnerability probably exploited as a 0-day

Emergency patches out now for those managing the millions of domains assumed to be affected

Connor Jones
Thu 30 Apr 2026 // 10:14 UTC

Emergency patches are available for a critical vulnerability in cPanel and WHM that allows attackers to bypass authentication and gain root access to servers managed using it.

Given that the cPanel and WebHost Manager (WHM) control panels help manage properties for 70 million domains, by some estimates, and the critical severity of CVE-2026-41940 (CVSS 9.8), the vulnerability is being considered a disaster by those in the security scene. It also affects every single supported version of the software prior to the patch.

For the uninitiated, cPanel and WHM are both Linux-based control panels. The former is used to manage websites, databases, file transfers, email configurations, and domains, while WHM is used for servers. They are both backbones of the internet. Breaking into them would provide an attacker with unfettered access to all the secrets associated with these functions.

Or, as watchTowr put it: "Think of it as the keys to the kingdom, and then the keys to every individual apartment inside the kingdom. If the kingdom were the internet and the apartments were websites. For everything."

Perhaps the worst part is that early signals from defenders, such as KnownHost CEO Daniel Pearson, suggest it may have been exploited as a zero-day for at least 30 days. Or maybe worse still is the nature of the vulnerability itself – that attackers can gain root access while bypassing all kinds of authentication – a feat worthy of the near-maximum CVSS.

The vulnerability also affects WP Squared, a WordPress hosting platform owned by cPanel.
Successfully exploiting CVE-2026-41940, which can be summarized as a carriage return line feed (CRLF) flaw – meaning the attacked application does not properly sanitize user-supplied input – involves just a few steps. An attacker creates a session cookie by completing a failed login attempt and then sends a request with a specially crafted header carrying an instruction to change privileges to root. They can then use that cookie to log into cPanel and WHM as root.

In normal scenarios, cPanel would encrypt attacker-supplied values, but in unpatched versions attackers can remove a hex value and stop this process from running, allowing the plaintext make-me-root commands to pass through like any other trusted code.

The above is a high-level, concise summary of the procedure. For those looking for a winding tale of how the experts figured out the attack path, watchTowr has published its workflow in its typical tongue-in-cheek style.

The prevailing advice is that if you run cPanel and WHM, get patching ASAP. This is a bad one, and given the likelihood of zero-day exploitation, running cPanel's detection script can help defenders understand whether it's just a patch they need, or whether it's time to pull the cables out. watchTowr also published its own detection artefact generator to help defenders sniff out signs of compromise.
A critical CRLF injection vulnerability in cPanel and WHM (CVE-2026-41940, CVSS 9.8) allows attackers to bypass authentication and gain root access by manipulating session cookies to inject plaintext privilege escalation commands. The flaw affects all supported versions prior to the emergency patch. Administrators must apply the provided patches immediately due to evidence of in-the-wild exploitation.