https://feed.craftedsignal.io/tags/cve-2026-41940/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 29 Apr 2026 16:16:25 +0000https://feed.craftedsignal.io/briefs/2026-04-cpanel-auth-bypass/Wed, 29 Apr 2026 16:16:25 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-cpanel-auth-bypass/An authentication bypass vulnerability in cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5 allows unauthenticated remote attackers to gain unauthorized access to the control panel.On April 28, 2026, a critical authentication bypass vulnerability (CVE-2026-41940) was disclosed affecting cPanel and WHM. This vulnerability impacts versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5. The vulnerability exists within the login flow, allowing unauthenticated remote attackers to bypass authentication and gain unauthorized access to the control panel. Successful exploitation grants attackers complete control over the affected cPanel and WHM instances, potentially leading to data theft, server compromise, and further malicious activities. This vulnerability poses a significant risk to web hosting providers and their customers.

Attack Chain

1. An unauthenticated attacker sends a crafted HTTP request to the cPanel/WHM login page, exploiting the authentication bypass vulnerability.
2. The vulnerable cPanel/WHM version fails to properly validate the request, allowing the attacker to bypass the login process.
3. The attacker gains unauthorized access to the cPanel/WHM interface.
4. The attacker enumerates the server to identify valuable files, directories, and database configurations.
5. The attacker leverages the compromised cPanel/WHM access to upload malicious scripts or binaries.
6. The attacker executes uploaded payloads to establish persistent access, such as a web shell.
7. The attacker uses the web shell to perform arbitrary commands on the server, including escalating privileges.
8. The attacker exfiltrates sensitive data, defaces websites, or deploys ransomware.

Impact

Successful exploitation of CVE-2026-41940 can lead to complete compromise of cPanel and WHM servers. This can result in data breaches, website defacement, and denial-of-service attacks. The vulnerability affects a wide range of cPanel and WHM installations, potentially impacting thousands of web hosting providers and their customers. The high CVSS score (9.8) reflects the severity of the risk and the ease with which it can be exploited.

Recommendation

• Immediately upgrade cPanel and WHM installations to versions 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, or 11.136.0.5, or later to patch CVE-2026-41940.
• Monitor web server logs for unusual activity and unauthorized access attempts to the cPanel/WHM interface by deploying the Sigma rule DetectCpanelAuthBypassAccess.
• Implement strict access control policies to limit access to cPanel/WHM administrative interfaces and monitor the user activity by deploying the Sigma rule DetectCpanelAccountManipulation.

]]>criticaladvisorycpanelwhmauthentication-bypassCVE-2026-41940webserverhttps://feed.craftedsignal.io/briefs/2024-01-cpanel-auth-bypass/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-cpanel-auth-bypass/CVE-2026-41940 is an authentication bypass vulnerability in WebPros cPanel & WHM and WP2 (WordPress Squared) that allows unauthenticated remote attackers to gain unauthorized access to the control panel.WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) are affected by an authentication bypass vulnerability, identified as CVE-2026-41940. This flaw exists within the login flow, potentially granting unauthenticated remote attackers unauthorized access to the control panel. Successful exploitation allows attackers to bypass normal authentication mechanisms and directly access sensitive administrative functions within cPanel & WHM and WP2. Defenders should apply vendor-provided mitigations or discontinue use of the product if mitigations are not available. The vulnerability was disclosed in April 2026, and mitigations should be applied by May 3, 2026.

Attack Chain

1. The attacker identifies a vulnerable cPanel & WHM or WP2 instance.
2. The attacker crafts a malicious HTTP request exploiting the authentication bypass vulnerability in the login flow.
3. The request is sent to the target server, bypassing authentication checks.
4. The server incorrectly processes the request, granting the attacker an authenticated session.
5. The attacker leverages the authenticated session to access administrative interfaces and settings.
6. The attacker modifies server configurations, potentially creating new administrative accounts.
7. The attacker installs malicious plugins or software through the control panel.
8. The attacker achieves full control over the web server and hosted websites.

Impact

Successful exploitation of CVE-2026-41940 can lead to complete compromise of the affected cPanel & WHM or WP2 server. This can result in data breaches, website defacement, malware distribution, and denial-of-service attacks. The impact is significant due to the widespread use of cPanel & WHM in web hosting environments. Compromised servers could be leveraged for further attacks against other systems and networks.

Recommendation

• Apply mitigations provided by WebPros as detailed in their security update advisory to address CVE-2026-41940.
• Deploy the Sigma rule “Detect cPanel/WHM Authentication Bypass Attempt” to identify potential exploitation attempts in web server logs.
• If mitigations cannot be immediately applied, follow BOD 22-01 guidance for cloud services, potentially isolating the affected system until patched.
• Consider discontinuing use of the affected product if patches or mitigations are unavailable, as advised in the original CISA KEV entry.

]]>criticaladvisorycpanelwhmwp2wordpressauthentication-bypasscve-2026-41940initial-access