https://feed.craftedsignal.io/products/cpanel--whm/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 30 Apr 2026 12:16:14 +0000https://feed.craftedsignal.io/briefs/2026-05-cpanel-auth-bypass/Thu, 30 Apr 2026 12:16:14 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-cpanel-auth-bypass/CVE-2026-41940 is a critical authentication bypass vulnerability in cPanel & WHM, allowing unauthenticated remote attackers to gain administrative access by manipulating session data.A critical authentication bypass vulnerability, CVE-2026-41940, affects all versions of cPanel & WHM. This vulnerability allows unauthenticated remote attackers to gain administrative access to affected systems due to improper handling of session data. Public technical analyses and proof-of-concept code are available, significantly lowering the barrier to exploitation. There are indications that the vulnerability has been actively exploited in the wild, potentially as a zero-day. cPanel & WHM is commonly exposed to the internet and manages hosting environments, making it an attractive target for attackers seeking control over hosting infrastructures and numerous websites.

Attack Chain

1. An unauthenticated attacker identifies a cPanel & WHM server exposed to the internet.
2. The attacker crafts a malicious HTTP request targeting the cPanel & WHM login endpoint.
3. The crafted request manipulates session creation and processing by injecting controlled data into the session files.
4. This injected data alters authentication-related attributes within the session, bypassing the normal authentication flow.
5. The attacker successfully establishes a session that is treated as fully authenticated without providing valid credentials.
6. With administrative privileges, the attacker gains full control over the cPanel server.
7. The attacker accesses hosted websites and databases, potentially compromising sensitive data.
8. The attacker establishes persistence through backdoors or additional user accounts, ensuring continued access to the compromised system.

Impact

Successful exploitation of CVE-2026-41940 allows attackers to gain complete control over cPanel & WHM servers. This can lead to the compromise of hosted websites, databases, and sensitive customer data. Given the central role of cPanel in hosting environments, this vulnerability can result in large-scale compromise affecting multiple customers and services. The widespread use of cPanel & WHM makes this a high-impact vulnerability.

Recommendation

• Apply the security patch provided by cPanel to address CVE-2026-41940 immediately after thorough testing to prevent exploitation.
• Implement increased monitoring and detection capabilities to identify suspicious activity related to CVE-2026-41940 as recommended by CCB.
• Review web server logs for unusual patterns or requests targeting cPanel login endpoints to detect potential exploitation attempts. Create a Sigma rule based on webserver logs.
• Monitor for unauthorized changes to user accounts or the creation of new administrative accounts on cPanel servers. Create a Sigma rule based on process creation logs.

]]>criticalthreatauthentication bypasscPanelweb hostingvulnerabilityhttps://feed.craftedsignal.io/briefs/2024-01-cpanel-auth-bypass/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-cpanel-auth-bypass/CVE-2026-41940 is an authentication bypass vulnerability in WebPros cPanel & WHM and WP2 (WordPress Squared) that allows unauthenticated remote attackers to gain unauthorized access to the control panel.WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) are affected by an authentication bypass vulnerability, identified as CVE-2026-41940. This flaw exists within the login flow, potentially granting unauthenticated remote attackers unauthorized access to the control panel. Successful exploitation allows attackers to bypass normal authentication mechanisms and directly access sensitive administrative functions within cPanel & WHM and WP2. Defenders should apply vendor-provided mitigations or discontinue use of the product if mitigations are not available. The vulnerability was disclosed in April 2026, and mitigations should be applied by May 3, 2026.

Attack Chain

1. The attacker identifies a vulnerable cPanel & WHM or WP2 instance.
2. The attacker crafts a malicious HTTP request exploiting the authentication bypass vulnerability in the login flow.
3. The request is sent to the target server, bypassing authentication checks.
4. The server incorrectly processes the request, granting the attacker an authenticated session.
5. The attacker leverages the authenticated session to access administrative interfaces and settings.
6. The attacker modifies server configurations, potentially creating new administrative accounts.
7. The attacker installs malicious plugins or software through the control panel.
8. The attacker achieves full control over the web server and hosted websites.

Impact

Successful exploitation of CVE-2026-41940 can lead to complete compromise of the affected cPanel & WHM or WP2 server. This can result in data breaches, website defacement, malware distribution, and denial-of-service attacks. The impact is significant due to the widespread use of cPanel & WHM in web hosting environments. Compromised servers could be leveraged for further attacks against other systems and networks.

Recommendation

• Apply mitigations provided by WebPros as detailed in their security update advisory to address CVE-2026-41940.
• Deploy the Sigma rule “Detect cPanel/WHM Authentication Bypass Attempt” to identify potential exploitation attempts in web server logs.
• If mitigations cannot be immediately applied, follow BOD 22-01 guidance for cloud services, potentially isolating the affected system until patched.
• Consider discontinuing use of the affected product if patches or mitigations are unavailable, as advised in the original CISA KEV entry.

]]>criticaladvisorycpanelwhmwp2wordpressauthentication-bypasscve-2026-41940initial-access