<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cpanel — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cpanel/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 30 Apr 2026 12:16:14 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cpanel/feed.xml" rel="self" type="application/rss+xml"/><item><title>Critical Authentication Bypass Vulnerability in cPanel &amp; WHM (CVE-2026-41940)</title><link>https://feed.craftedsignal.io/briefs/2026-05-cpanel-auth-bypass/</link><pubDate>Thu, 30 Apr 2026 12:16:14 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-cpanel-auth-bypass/</guid><description>CVE-2026-41940 is a critical authentication bypass vulnerability in cPanel &amp; WHM, allowing unauthenticated remote attackers to gain administrative access by manipulating session data.</description><content:encoded><![CDATA[<p>A critical authentication bypass vulnerability, CVE-2026-41940, affects all versions of cPanel &amp; WHM. This vulnerability allows unauthenticated remote attackers to gain administrative access to affected systems due to improper handling of session data. Public technical analyses and proof-of-concept code are available, significantly lowering the barrier to exploitation. There are indications that the vulnerability has been actively exploited in the wild, potentially as a zero-day. 
cPanel &amp; WHM is commonly exposed to the internet and manages hosting environments, making it an attractive target for attackers seeking control over hosting infrastructures and numerous websites.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a cPanel &amp; WHM server exposed to the internet.</li>
<li>The attacker crafts a malicious HTTP request targeting the cPanel &amp; WHM login endpoint.</li>
<li>The crafted request manipulates session creation and processing by injecting controlled data into the session files.</li>
<li>This injected data alters authentication-related attributes within the session, bypassing the normal authentication flow.</li>
<li>The attacker successfully establishes a session that is treated as fully authenticated without providing valid credentials.</li>
<li>With administrative privileges, the attacker gains full control over the cPanel server.</li>
<li>The attacker accesses hosted websites and databases, potentially compromising sensitive data.</li>
<li>The attacker establishes persistence through backdoors or additional user accounts, ensuring continued access to the compromised system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-41940 allows attackers to gain complete control over cPanel &amp; WHM servers. This can lead to the compromise of hosted websites, databases, and sensitive customer data. Given the central role of cPanel in hosting environments, this vulnerability can result in large-scale compromise affecting multiple customers and services. The widespread use of cPanel &amp; WHM makes this a high-impact vulnerability.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>To prevent exploitation, apply the security patch provided by cPanel for CVE-2026-41940 immediately after thorough testing.</li>
<li>Implement increased monitoring and detection capabilities to identify suspicious activity related to CVE-2026-41940 as recommended by CCB.</li>
<li>Review web server logs for unusual patterns or requests targeting cPanel login endpoints to detect potential exploitation attempts. Create a Sigma rule based on webserver logs.</li>
<li>Monitor for unauthorized changes to user accounts or the creation of new administrative accounts on cPanel servers. Create a Sigma rule based on process creation logs.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">threat</category><category>authentication bypass</category><category>cPanel</category><category>web hosting</category><category>vulnerability</category></item><item><title>cPanel and WHM Authentication Bypass Vulnerability (CVE-2026-41940)</title><link>https://feed.craftedsignal.io/briefs/2026-04-cpanel-auth-bypass/</link><pubDate>Wed, 29 Apr 2026 16:16:25 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-cpanel-auth-bypass/</guid><description>An authentication bypass vulnerability in cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5 allows unauthenticated remote attackers to gain unauthorized access to the control panel.</description><content:encoded><![CDATA[<p>On April 28, 2026, a critical authentication bypass vulnerability (CVE-2026-41940) was disclosed affecting cPanel and WHM. This vulnerability impacts versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5. The vulnerability exists within the login flow, allowing unauthenticated remote attackers to bypass authentication and gain unauthorized access to the control panel. Successful exploitation grants attackers complete control over the affected cPanel and WHM instances, potentially leading to data theft, server compromise, and further malicious activities. This vulnerability poses a significant risk to web hosting providers and their customers.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker sends a crafted HTTP request to the cPanel/WHM login page, exploiting the authentication bypass vulnerability.</li>
<li>The vulnerable cPanel/WHM version fails to properly validate the request, allowing the attacker to bypass the login process.</li>
<li>The attacker gains unauthorized access to the cPanel/WHM interface.</li>
<li>The attacker enumerates the server to identify valuable files, directories, and database configurations.</li>
<li>The attacker leverages the compromised cPanel/WHM access to upload malicious scripts or binaries.</li>
<li>The attacker executes uploaded payloads to establish persistent access, such as a web shell.</li>
<li>The attacker uses the web shell to perform arbitrary commands on the server, including escalating privileges.</li>
<li>The attacker exfiltrates sensitive data, defaces websites, or deploys ransomware.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-41940 can lead to complete compromise of cPanel and WHM servers. This can result in data breaches, website defacement, and denial-of-service attacks. The vulnerability affects a wide range of cPanel and WHM installations, potentially impacting thousands of web hosting providers and their customers. The high CVSS score (9.8) reflects the severity of the risk and the ease with which it can be exploited.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade cPanel and WHM installations to version 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, or 11.136.0.5 (or later) to patch CVE-2026-41940.</li>
<li>Monitor web server logs for unusual activity and unauthorized access attempts to the cPanel/WHM interface by deploying the Sigma rule <code>DetectCpanelAuthBypassAccess</code>.</li>
<li>Implement strict access control policies to limit access to cPanel/WHM administrative interfaces, and monitor user activity by deploying the Sigma rule <code>DetectCpanelAccountManipulation</code>.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cpanel</category><category>whm</category><category>authentication-bypass</category><category>CVE-2026-41940</category><category>webserver</category></item><item><title>cPanel/WHM Local Privilege Escalation Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-05-cpanel-privesc/</link><pubDate>Wed, 01 Apr 2026 09:24:03 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-05-cpanel-privesc/</guid><description>A local attacker can exploit a vulnerability in cPanel/WHM to escalate their privileges.</description><content:encoded><![CDATA[<p>A vulnerability exists in cPanel/WHM that allows a local attacker to escalate their privileges on the system. While the specific details of the vulnerability are not provided in the source, the core issue lies within the cPanel/WHM software suite. This could allow an attacker with limited access to gain root privileges. Defenders should focus on detecting suspicious activity indicative of privilege escalation attempts following successful initial access. The vulnerability has been disclosed in a CERT-Bund security advisory.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial limited access to the cPanel/WHM server through some means (e.g., a compromised account).</li>
<li>The attacker identifies a vulnerable component within the cPanel/WHM installation. This component may be accessible to low-privileged users.</li>
<li>The attacker crafts a malicious input or exploits a flaw in the identified component.</li>
<li>The exploit code is executed with the privileges of the vulnerable component.</li>
<li>The attacker leverages this initial privilege escalation to access more sensitive files and processes.</li>
<li>The attacker injects malicious code into a process running with higher privileges (e.g., cPanel daemon).</li>
<li>The injected code executes, granting the attacker elevated privileges.</li>
<li>The attacker gains root access and performs malicious actions, such as data exfiltration or system compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows a local attacker to gain complete control over the cPanel/WHM server. This can lead to unauthorized access to all hosted websites and associated data, including sensitive customer information, database credentials, and email content. The impact includes data breaches, defacement of websites, and the potential for using the compromised server as a launching point for further attacks on other systems.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor process execution for unexpected processes spawned by cPanel-related binaries, using the process_creation Sigma rule provided.</li>
<li>Audit file system access patterns for cPanel-related directories and files for modifications by unexpected users or processes, using a file_event Sigma rule.</li>
<li>Implement strict access controls and least privilege principles to minimize the impact of potential privilege escalation vulnerabilities.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege-escalation</category><category>cpanel</category><category>whm</category></item><item><title>Multiple Vulnerabilities in cPanel/WHM</title><link>https://feed.craftedsignal.io/briefs/2026-03-cpanel-vulns/</link><pubDate>Tue, 24 Mar 2026 12:11:04 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-cpanel-vulns/</guid><description>An anonymous remote attacker can exploit multiple vulnerabilities in cPanel/WHM to bypass security measures, perform XSS and SSRF attacks, disclose information, and potentially execute code.</description><content:encoded><![CDATA[<p>Multiple vulnerabilities have been identified in cPanel/WHM, a widely used web hosting control panel. An anonymous, remote attacker can exploit these vulnerabilities to compromise cPanel/WHM installations. The vulnerabilities allow an attacker to bypass security measures, perform Cross-Site Scripting (XSS) and Server-Side Request Forgery (SSRF) attacks, disclose sensitive information, and potentially execute arbitrary code on the server. These vulnerabilities pose a significant risk to organizations relying on cPanel/WHM for web hosting, potentially leading to data breaches, service disruption, and unauthorized access to sensitive systems.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable cPanel/WHM instance exposed to the internet.</li>
<li>The attacker crafts a malicious HTTP request exploiting an identified SSRF vulnerability to probe internal network resources.</li>
<li>Successful SSRF exploitation allows the attacker to identify internal services and gather information about the server architecture.</li>
<li>The attacker leverages an XSS vulnerability by injecting malicious JavaScript code into a cPanel/WHM page.</li>
<li>Unsuspecting users interacting with the compromised page execute the attacker&rsquo;s JavaScript code.</li>
<li>The attacker uses the XSS payload to steal user session cookies or credentials.</li>
<li>The attacker uses the stolen credentials to bypass authentication and gain unauthorized access to cPanel/WHM.</li>
<li>With elevated privileges, the attacker can potentially execute arbitrary code on the server, leading to full system compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities can lead to severe consequences. An attacker could gain unauthorized access to sensitive data, including customer databases, configuration files, and source code. XSS attacks could deface websites and phish users. SSRF attacks can expose internal network resources. Remote code execution can lead to complete server takeover and potentially impact a large number of hosted websites and services. This can result in significant financial losses, reputational damage, and legal liabilities.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect Suspicious cPanel/WHM HTTP Request</code> to identify potential SSRF attempts within cPanel/WHM webserver logs.</li>
<li>Deploy the Sigma rule <code>Detect cPanel/WHM XSS Attempt</code> to detect potential XSS payloads being injected into cPanel/WHM.</li>
<li>Closely monitor web server logs for unusual activity originating from cPanel/WHM servers using the <code>webserver</code> category.</li>
<li>Implement strong input validation and output encoding to prevent XSS attacks.</li>
<li>Harden cPanel/WHM configurations to restrict SSRF attack vectors and limit access to internal resources.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cPanel</category><category>WHM</category><category>XSS</category><category>SSRF</category><category>vulnerability</category></item><item><title>WebPros cPanel &amp; WHM and WP2 Authentication Bypass Vulnerability (CVE-2026-41940)</title><link>https://feed.craftedsignal.io/briefs/2024-01-cpanel-auth-bypass/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-cpanel-auth-bypass/</guid><description>CVE-2026-41940 is an authentication bypass vulnerability in WebPros cPanel &amp; WHM and WP2 (WordPress Squared) that allows unauthenticated remote attackers to gain unauthorized access to the control panel.</description><content:encoded><![CDATA[<p>WebPros cPanel &amp; WHM (WebHost Manager) and WP2 (WordPress Squared) are affected by an authentication bypass vulnerability, identified as CVE-2026-41940. This flaw exists within the login flow, potentially granting unauthenticated remote attackers unauthorized access to the control panel. Successful exploitation allows attackers to bypass normal authentication mechanisms and directly access sensitive administrative functions within cPanel &amp; WHM and WP2. Defenders should apply vendor-provided mitigations or discontinue use of the product if mitigations are not available. The vulnerability was disclosed in April 2026, and mitigations should be applied by May 3, 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable cPanel &amp; WHM or WP2 instance.</li>
<li>The attacker crafts a malicious HTTP request exploiting the authentication bypass vulnerability in the login flow.</li>
<li>The request is sent to the target server, bypassing authentication checks.</li>
<li>The server incorrectly processes the request, granting the attacker an authenticated session.</li>
<li>The attacker leverages the authenticated session to access administrative interfaces and settings.</li>
<li>The attacker modifies server configurations, potentially creating new administrative accounts.</li>
<li>The attacker installs malicious plugins or software through the control panel.</li>
<li>The attacker achieves full control over the web server and hosted websites.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-41940 can lead to complete compromise of the affected cPanel &amp; WHM or WP2 server. This can result in data breaches, website defacement, malware distribution, and denial-of-service attacks. The impact is significant due to the widespread use of cPanel &amp; WHM in web hosting environments. Compromised servers could be leveraged for further attacks against other systems and networks.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply mitigations provided by WebPros as detailed in their security update advisory to address CVE-2026-41940.</li>
<li>Deploy the Sigma rule &ldquo;Detect cPanel/WHM Authentication Bypass Attempt&rdquo; to identify potential exploitation attempts in web server logs.</li>
<li>If mitigations cannot be immediately applied, follow BOD 22-01 guidance for cloud services, potentially isolating the affected system until patched.</li>
<li>Consider discontinuing use of the affected product if patches or mitigations are unavailable, as advised in the original CISA KEV entry.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cpanel</category><category>whm</category><category>wp2</category><category>wordpress</category><category>authentication-bypass</category><category>cve-2026-41940</category><category>initial-access</category></item></channel></rss>