{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/whm/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-41940"}],"_cs_exploited":false,"_cs_products":["WHM","cPanel"],"_cs_severities":["critical"],"_cs_tags":["cpanel","whm","authentication-bypass","CVE-2026-41940","webserver"],"_cs_type":"advisory","_cs_vendors":["cPanel"],"content_html":"\u003cp\u003eOn April 28, 2026, a critical authentication bypass vulnerability (CVE-2026-41940) was disclosed affecting cPanel and WHM. This vulnerability impacts versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5. The vulnerability exists within the login flow, allowing unauthenticated remote attackers to bypass authentication and gain unauthorized access to the control panel. Successful exploitation grants attackers complete control over the affected cPanel and WHM instances, potentially leading to data theft, server compromise, and further malicious activities. This vulnerability poses a significant risk to web hosting providers and their customers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a crafted HTTP request to the cPanel/WHM login page, exploiting the authentication bypass vulnerability.\u003c/li\u003e\n\u003cli\u003eThe vulnerable cPanel/WHM version fails to properly validate the request, allowing the attacker to bypass the login process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the cPanel/WHM interface.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates the server to identify valuable files, directories, and database configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised cPanel/WHM access to upload malicious scripts or binaries.\u003c/li\u003e\n\u003cli\u003eThe attacker executes uploaded payloads to establish persistent access, such as a web shell.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the web shell to perform arbitrary commands on the server, including escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data, defaces websites, or deploys ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41940 can lead to complete compromise of cPanel and WHM servers. This can result in data breaches, website defacement, and denial-of-service attacks. The vulnerability affects a wide range of cPanel and WHM installations, potentially impacting thousands of web hosting providers and their customers. The high CVSS score (9.8) reflects the severity of the risk and the ease with which it can be exploited.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade cPanel and WHM installations to versions 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, or 11.136.0.5, or later to patch CVE-2026-41940.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity and unauthorized access attempts to the cPanel/WHM interface by deploying the Sigma rule \u003ccode\u003eDetectCpanelAuthBypassAccess\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit access to cPanel/WHM administrative interfaces and monitor the user activity by deploying the Sigma rule \u003ccode\u003eDetectCpanelAccountManipulation\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T16:16:25Z","date_published":"2026-04-29T16:16:25Z","id":"/briefs/2026-04-cpanel-auth-bypass/","summary":"An authentication bypass vulnerability in cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5 allows unauthenticated remote attackers to gain unauthorized access to the control panel.","title":"cPanel and WHM Authentication Bypass Vulnerability (CVE-2026-41940)","url":"https://feed.craftedsignal.io/briefs/2026-04-cpanel-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","cpanel","whm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA vulnerability exists in cPanel/WHM that allows a local attacker to escalate their privileges on the system. While the specific details of the vulnerability are not provided in the source, the core issue lies within the cPanel/WHM software suite. This could allow an attacker with limited access to gain root privileges. Defenders should focus on detecting suspicious activity indicative of privilege escalation attempts following successful initial access. The vulnerability has been disclosed in a CERT-Bund security advisory.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial limited access to the cPanel/WHM server through some means (e.g., compromised account).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a vulnerable component within the cPanel/WHM installation. This component may be accessible to low-privileged users.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious input or exploits a flaw in the identified component.\u003c/li\u003e\n\u003cli\u003eThe exploit code is executed with the privileges of the vulnerable component.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this initial privilege escalation to access more sensitive files and processes.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code into a process running with higher privileges (e.g., cPanel daemon).\u003c/li\u003e\n\u003cli\u003eThe injected code executes, granting the attacker elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker gains root access and performs malicious actions, such as data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a local attacker to gain complete control over the cPanel/WHM server. This can lead to unauthorized access to all hosted websites and associated data, including sensitive customer information, database credentials, and email content. The impact includes data breaches, defacement of websites, and the potential for using the compromised server as a launching point for further attacks on other systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process execution for unexpected processes spawned by cPanel-related binaries, using the process_creation Sigma rule provided.\u003c/li\u003e\n\u003cli\u003eAudit file system access patterns for cPanel-related directories and files for modifications by unexpected users or processes, using a file_event Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and least privilege principles to minimize the impact of potential privilege escalation vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T09:24:03Z","date_published":"2026-04-01T09:24:03Z","id":"/briefs/2024-05-cpanel-privesc/","summary":"A local attacker can exploit a vulnerability in cPanel/WHM to escalate their privileges.","title":"cPanel/WHM Local Privilege Escalation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-05-cpanel-privesc/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cPanel","WHM","XSS","SSRF","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMultiple vulnerabilities have been identified in cPanel/WHM, a widely used web hosting control panel. An anonymous, remote attacker can exploit these vulnerabilities to compromise cPanel/WHM installations. The vulnerabilities allow an attacker to bypass security measures, perform Cross-Site Scripting (XSS) and Server-Side Request Forgery (SSRF) attacks, disclose sensitive information, and potentially execute arbitrary code on the server. These vulnerabilities pose a significant risk to organizations relying on cPanel/WHM for web hosting, potentially leading to data breaches, service disruption, and unauthorized access to sensitive systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable cPanel/WHM instance exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request exploiting an identified SSRF vulnerability to probe internal network resources.\u003c/li\u003e\n\u003cli\u003eSuccessful SSRF exploitation allows the attacker to identify internal services and gather information about the server architecture.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages an XSS vulnerability by injecting malicious JavaScript code into a cPanel/WHM page.\u003c/li\u003e\n\u003cli\u003eUnsuspecting users interacting with the compromised page execute the attacker\u0026rsquo;s JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the XSS payload to steal user session cookies or credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to bypass authentication and gain unauthorized access to cPanel/WHM.\u003c/li\u003e\n\u003cli\u003eWith elevated privileges, the attacker can potentially execute arbitrary code on the server, leading to full system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities can lead to severe consequences. An attacker could gain unauthorized access to sensitive data, including customer databases, configuration files, and source code. XSS attacks could deface websites and phish users. SSRF attacks can expose internal network resources. Remote code execution can lead to complete server takeover and potentially impact a large number of hosted websites and services. This can result in significant financial losses, reputational damage, and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious cPanel/WHM HTTP Request\u003c/code\u003e to identify potential SSRF attempts within cPanel/WHM webserver logs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect cPanel/WHM XSS Attempt\u003c/code\u003e to detect potential XSS payloads being injected into cPanel/WHM.\u003c/li\u003e\n\u003cli\u003eClosely monitor web server logs for unusual activity originating from cPanel/WHM servers using the \u003ccode\u003ewebserver\u003c/code\u003e category.\u003c/li\u003e\n\u003cli\u003eImplement strong input validation and output encoding to prevent XSS attacks.\u003c/li\u003e\n\u003cli\u003eHarden cPanel/WHM configurations to restrict SSRF attack vectors and limit access to internal resources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T12:11:04Z","date_published":"2026-03-24T12:11:04Z","id":"/briefs/2026-03-cpanel-vulns/","summary":"An anonymous remote attacker can exploit multiple vulnerabilities in cPanel/WHM to bypass security measures, perform XSS and SSRF attacks, disclose information, and potentially execute code.","title":"Multiple Vulnerabilities in cPanel/WHM","url":"https://feed.craftedsignal.io/briefs/2026-03-cpanel-vulns/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-41940"}],"_cs_exploited":false,"_cs_products":["cPanel \u0026 WHM","WP2 (WordPress Squared)"],"_cs_severities":["critical"],"_cs_tags":["cpanel","whm","wp2","wordpress","authentication-bypass","cve-2026-41940","initial-access"],"_cs_type":"advisory","_cs_vendors":["WebPros"],"content_html":"\u003cp\u003eWebPros cPanel \u0026amp; WHM (WebHost Manager) and WP2 (WordPress Squared) are affected by an authentication bypass vulnerability, identified as CVE-2026-41940. This flaw exists within the login flow, potentially granting unauthenticated remote attackers unauthorized access to the control panel. Successful exploitation allows attackers to bypass normal authentication mechanisms and directly access sensitive administrative functions within cPanel \u0026amp; WHM and WP2. Defenders should apply vendor-provided mitigations or discontinue use of the product if mitigations are not available. The vulnerability was disclosed in April 2026, and mitigations should be applied by May 3, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable cPanel \u0026amp; WHM or WP2 instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request exploiting the authentication bypass vulnerability in the login flow.\u003c/li\u003e\n\u003cli\u003eThe request is sent to the target server, bypassing authentication checks.\u003c/li\u003e\n\u003cli\u003eThe server incorrectly processes the request, granting the attacker an authenticated session.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the authenticated session to access administrative interfaces and settings.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies server configurations, potentially creating new administrative accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker installs malicious plugins or software through the control panel.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves full control over the web server and hosted websites.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41940 can lead to complete compromise of the affected cPanel \u0026amp; WHM or WP2 server. This can result in data breaches, website defacement, malware distribution, and denial-of-service attacks. The impact is significant due to the widespread use of cPanel \u0026amp; WHM in web hosting environments. Compromised servers could be leveraged for further attacks against other systems and networks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply mitigations provided by WebPros as detailed in their security update advisory to address CVE-2026-41940.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect cPanel/WHM Authentication Bypass Attempt\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eIf mitigations cannot be immediately applied, follow BOD 22-01 guidance for cloud services, potentially isolating the affected system until patched.\u003c/li\u003e\n\u003cli\u003eConsider discontinuing use of the affected product if patches or mitigations are unavailable, as advised in the original CISA KEV entry.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-cpanel-auth-bypass/","summary":"CVE-2026-41940 is an authentication bypass vulnerability in WebPros cPanel \u0026 WHM and WP2 (WordPress Squared) that allows unauthenticated remote attackers to gain unauthorized access to the control panel.","title":"WebPros cPanel \u0026 WHM and WP2 Authentication Bypass Vulnerability (CVE-2026-41940)","url":"https://feed.craftedsignal.io/briefs/2024-01-cpanel-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — WHM","version":"https://jsonfeed.org/version/1.1"}