Critical cPanel flaw exposes millions of servers to takeover risk
Bug already seems to have been exploited
A critical security vulnerability affecting widely used web hosting software cPanel has prompted urgent calls for administrators to update their systems, amid reports of active exploitation.
The flaw, identified as CVE-2026-41940, impacts both cPanel & WHM and WP Squared products developed by cPanel.
It has been assigned a severity rating of 9.8 out of 10, indicating a near-maximum level of risk.
In a brief advisory, the company described the issue as relating to "session loading and saving". However, security researchers say the implications are far more serious.
According to analysis from cybersecurity firm Rapid7, the vulnerability allows unauthenticated attackers to bypass login protections and gain administrative access to affected systems.
Successful exploitation could give attackers control over server configurations, databases, and the websites hosted on them.
cPanel & WHM software is widely used to manage web servers, with WHM providing root-level administrative control and cPanel acting as the user interface. Its popularity means the potential impact is extensive.
A basic internet scan suggests the scale of exposure could be significant. Rapid7 estimates that around 1.5 million instances of cPanel are accessible online and may be vulnerable.
Separate findings shared by Eye Security suggest the number of exposed systems could exceed two million, though it remains unclear how many have already applied updates.
Exploitation in the wild
There are also growing concerns that attackers may have been exploiting the flaw before it was publicly disclosed.
Hosting provider KnownHost said it has observed signs of active attacks, with some indications that targeted exploitation may have begun as early as February.
Further accelerating the risk, security researchers at watchTowr have published technical details and proof-of-concept code demonstrating how the flaw can be exploited.
Experts say this makes widespread attacks increasingly likely.
Technical details
At the heart of the issue is a weakness known as CRLF (carriage return / line feed) injection, affecting how cPanel processes login sessions. By manipulating a session cookie and injecting specially crafted characters, an attacker can create a forged session file that grants administrative privileges.
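The defensive counterpart to the weakness described above is to treat a session identifier as untrusted input before it is used to name or populate a line-oriented session file: reject anything that decodes to a carriage return or line feed, and flag requests whose cookies carry those characters in encoded form. The following Python is an added example written for this article; it is not cPanel's code, and the session-file layout (`key=value` lines), the allowlist policy, the function names and the sample log lines are all assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Allowlist for session identifiers. This is an assumed policy for a
# hypothetical line-oriented session store, not cPanel's actual rules.
SESSION_ID_RE = re.compile(r"[A-Za-z0-9_-]{16,128}")

# Characters that must never reach a line-oriented file or a file path.
CONTROL_CHARS = ("\r", "\n", "\0")


def decode_cookie_value(raw: str) -> str:
    """URL-decode twice so double-encoded %250d%250a is also caught."""
    return unquote(unquote(raw))


def is_safe_session_id(raw: str) -> bool:
    """True only if the decoded id has no control characters and matches the allowlist."""
    decoded = decode_cookie_value(raw)
    if any(c in decoded for c in CONTROL_CHARS):
        return False
    return SESSION_ID_RE.fullmatch(decoded) is not None


def session_record_lines(raw_session_id: str, fields: dict) -> list:
    """Build the key=value lines of a session record, refusing any input that
    could add or split a line. Raises ValueError on unsafe input."""
    if not is_safe_session_id(raw_session_id):
        raise ValueError("rejected session id")
    lines = [f"id={decode_cookie_value(raw_session_id)}"]
    for key, value in fields.items():
        value = str(value)
        if not re.fullmatch(r"[A-Za-z0-9_]+", key) or any(c in value for c in CONTROL_CHARS):
            raise ValueError(f"rejected field {key!r}")
        lines.append(f"{key}={value}")
    return lines


# Detection side: pull the session cookie out of a simplified access-log line.
COOKIE_RE = re.compile(r'cookie="session=([^"]*)"')


def flag_suspicious_cookies(log_lines):
    """Return (line_number, cookie_value) for every request whose session
    cookie decodes to a carriage return, line feed or NUL."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        m = COOKIE_RE.search(line)
        if not m:
            continue
        value = m.group(1)
        if any(c in decode_cookie_value(value) for c in CONTROL_CHARS):
            hits.append((n, value))
    return hits


# Constructed sample log lines (not real traffic) in a simplified format.
SAMPLE_LOG = [
    '203.0.113.5 - [01/May/2026:10:00:01 +0000] "GET /login HTTP/1.1" 200 cookie="session=a1B2c3D4e5F6g7H8i9J0"',
    '203.0.113.9 - [01/May/2026:10:00:02 +0000] "GET /login HTTP/1.1" 200 cookie="session=a1B2c3D4e5F6g7H8%0d%0ainjected=1"',
    '198.51.100.3 - [01/May/2026:10:00:03 +0000] "GET /login HTTP/1.1" 200 cookie="session=a1B2c3D4e5F6g7H8%250d%250ainjected=1"',
    '198.51.100.7 - [01/May/2026:10:00:04 +0000] "GET /login HTTP/1.1" 200 cookie="session=k9L8m7N6o5P4q3R2s1T0"',
]


if __name__ == "__main__":
    for n, value in flag_suspicious_cookies(SAMPLE_LOG):
        print(f"line {n}: suspicious session cookie {value!r}")
    print(session_record_lines("a1B2c3D4e5F6g7H8i9J0", {"user": "alice", "role": "user"}))
```

The validator decodes twice because a single `unquote` turns `%250d` into `%0d`, which would pass a naive check and then be decoded again by a later layer. The record builder applies the same rule to every field value, since a newline in any value, not only the id, lets a key=value line be appended to the file.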
Security specialists warn that the vulnerability is particularly dangerous because affected systems are exposed "by default", meaning no special configuration is required for exploitation.
Dan Andrew, head of security at Intruder, said the publication of exploit details significantly raises the threat level.
"Full explanation of the exploit path has been published, so we should expect widespread exploitation soon," he said.
"What makes matters worse is that every version of cPanel is affected until you've applied the patch."
He added that the impact could rival or exceed major vulnerabilities seen in recent years.
Mitigation efforts
Mitigation efforts are now focused on patching. cPanel has released updated versions addressing the issue and is urging all users to upgrade immediately.
While some hosting providers have temporarily blocked access to key service ports, experts caution that such measures are only short-term solutions.
There is, however, a limited mitigating factor. Many cPanel installations are configured to update automatically, which may reduce the window of opportunity for attackers.
Even so, security experts stress that organisations should not assume they are protected.
"If your server is not running a supported version of cPanel that is eligible for this update, it is highly recommended that you work toward updating your server as soon as possible, as it may also be affected," cPanel said in its advisory.
With exploit tools now publicly available and millions of systems potentially exposed, the coming days are expected to be critical in determining the scale of the fallout.