★ 8/10 · General · 2026-04-30

Bug of the year (so far): Nasty cPanel vulnerability probably exploited as a 0-day

Summary

A critical vulnerability, CVE-2026-41940, has been identified in cPanel and WebHost Manager (WHM) that allows for authentication bypass and unauthorized root access. The flaw affects all supported versions of the software and has likely been exploited as a zero-day for at least 30 days.

Key Points

  • CVE-2026-41940 carries a CVSS severity score of 9.8.
  • The vulnerability affects all supported versions of cPanel, WHM, and the WP Squared hosting platform.
  • The flaw is a Carriage Return Line Feed (CRLF) vulnerability resulting from improper sanitization of user-supplied input.
  • Successful exploitation enables an attacker to bypass all authentication mechanisms to gain full root privileges on the server.
  • Evidence indicates the vulnerability may have been actively exploited in the wild for approximately 30 days prior to the release of emergency patches.

Technical Details

The vulnerability is a CRLF (Carriage Return Line Feed) flaw in which the application fails to properly sanitize user-supplied input. The attack begins with the attacker obtaining a session cookie through a failed login attempt. The attacker then sends a request containing a specially crafted header that includes instructions to escalate privileges to root.

In unpatched versions of the software, the vulnerability allows an attacker to remove a specific hex value, which prevents the standard encryption process from running on attacker-supplied values. This bypass allows plaintext commands, such as "make-me-root," to pass through the system and be processed as trusted, authorized code.
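
The class of flaw described above, shown on a hypothetical line-oriented key=value record. This is an added example, not cPanel's code or its session format; the field names, functions and sample values are assumptions. It goes slightly beyond CR and LF by rejecting every character that Python's splitlines() treats as a line boundary, since a reader built on it splits on those too.

```python
import re

# Hypothetical record format (an assumption): one "key=value" pair per line.
# Every character str.splitlines() treats as a line boundary, plus NUL.
_LINE_BREAKS = re.compile(r"[\x00\n\r\x0b\x0c\x1c\x1d\x1e\x85\u2028\u2029]")
_KEY = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def write_unsafe(fields):
    """'Before' form: values are concatenated into the record unchecked."""
    return "".join(f"{k}={v}\n" for k, v in fields.items())


def write_checked(fields):
    """Hardened form: refuse any key or value that could start a new line."""
    out = []
    for k, v in fields.items():
        if not _KEY.fullmatch(k):
            raise ValueError(f"invalid key: {k!r}")
        if _LINE_BREAKS.search(v):
            raise ValueError(f"line break or NUL in value for {k!r}")
        out.append(f"{k}={v}\n")
    return "".join(out)


def read_record(text):
    """Reader that trusts every line it finds, as a session loader would."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            record[key] = value
    return record


def injected_keys(fields, writer=write_unsafe):
    """Keys present after a write/read round trip that the caller never set."""
    return sorted(set(read_record(writer(fields))) - set(fields))


# Constructed sample: the "user" value stands in for untrusted request input.
SAMPLE = {"user": "guest\r\nrole=admin", "origin": "login_form"}
SAMPLE_U2028 = {"user": "guest\u2028role=admin"}

if __name__ == "__main__":
    print(injected_keys(SAMPLE))        # unsafe writer: a field nobody set
    print(injected_keys(SAMPLE_U2028))  # same outcome without any CR or LF
```

A filter that strips only "\r\n" would still pass the second sample, which is why the check is written against the reader's notion of a line rather than against two characters.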

Impact / Why It Matters

Administrators managing cPanel or WHM environments face a high risk of total server compromise and unauthorized access to all hosted domains, databases, and configurations. Immediate application of the emergency patches is required, and administrators should also run detection scripts to identify signs of prior compromise.
