CVE-2026-41940 cPanel/WHM CVSS 9.8 auth bypass — was a zero-day for 60 days before patching. Anyone seeing active exploitation evidence in their logs?

Posted by Expert_Sort7434@reddit | sysadmin | 18 comments

Emergency patches dropped April 28 for cPanel & WHM. The flaw — CVE-2026-41940 — is a CRLF injection in the login flow that lets any unauthenticated remote attacker escalate to root with a crafted HTTP header. No exploit kit, no creds needed.

The scary part isn't the exploit itself — it's the timeline. Based on researcher findings, threat actors were exploiting this as a zero-day starting around February 2026, roughly two months before cPanel disclosed or patched it. Shodan puts ~1.5M cPanel instances internet-accessible right now.

Technical mechanics (short version):

Attacker triggers a failed login → gets session cookie → strips a hex value to bypass cPanel's input encryption → injects a CRLF-encoded root-privilege escalation header via the cookie → authenticated as root. That's the whole chain. Rapid7 and the Canadian Centre for Cyber Security both confirmed full host takeover as the impact — not just one site, but every tenant, every DB, every SSL key on that server.

Affected: All cPanel/WHM versions after 11.40, including WP Squared (their WordPress hosting product).

This is part of a pattern I've been tracking — management-plane tools (cPanel, WHM, firewall management consoles) are increasingly the primary targets because compromising the tool that manages everything gives you everything. I previously covered a similar attack vector with the FIRESTARTER Cisco Firepower Backdoor if you want more background:
https://www.techgines.com/post/firestarter-cisco-firepower-backdoor-cisa-warning-2026

To the sysadmins here: Have you found evidence of CVE-2026-41940 exploitation in your cPanel logs predating the April 28 disclosure? And realistically — how many of the 1.5M exposed instances do you think have already been backdoored during that 60-day window? What's your patching ETA looking like for multi-tenant environments?
https://www.techgines.com/post/cve-2026-41940-cpanel-authentication-bypass-zero-day
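The post asks for exploitation evidence in logs and summarises the bug class (CRLF injection into a header during the login flow) without showing what that looks like in practice. The following is an added example, not code from the post, from cPanel/WHM, or from any of the linked write-ups: it shows the generic vulnerable header-building pattern next to a hardened one, then a small detector that scans access-log lines for raw or percent-encoded CR/LF (including double-encoded forms) in any logged field. The log lines, the combined-log layout, the `X-Probe`/`X-Injected` header names and the 401 status on the failed login are all constructed for the example; the actual payload used against CVE-2026-41940 is not reproduced.

```python
# Added example (not from the Reddit post, and not cPanel/WHM code): a minimal
# illustration of the vulnerability class the post names, CRLF injection into
# an HTTP header, plus a detector that scans access-log lines for the encoded
# CR/LF sequences such probing leaves behind. Header names, log lines and the
# log layout below are constructed for the example; the specific payload used
# against CVE-2026-41940 is not reproduced here.
import re
from collections import Counter
from urllib.parse import unquote


def contains_crlf(value: str, max_decode_rounds: int = 3) -> bool:
    """Return True if value carries a raw or percent-encoded CR/LF.

    Decodes repeatedly so that double-encoded payloads such as %250d%250a
    (which decode to %0d%0a and then to a real CR/LF) are caught too.
    """
    current = value
    for _ in range(max_decode_rounds + 1):
        if "\r" in current or "\n" in current:
            return True
        decoded = unquote(current)
        if decoded == current:  # nothing left to decode
            return False
        current = decoded
    return False


def build_set_cookie_vulnerable(session_value: str) -> str:
    """Vulnerable pattern: an untrusted value is concatenated into a header line."""
    return f"Set-Cookie: session={session_value}\r\n"


def build_set_cookie_hardened(session_value: str) -> str:
    """Hardened pattern: refuse any value that could terminate the header line."""
    if contains_crlf(session_value):
        raise ValueError("CR/LF in header value")
    return f"Set-Cookie: session={session_value}\r\n"


def split_header_block(raw: str) -> list[tuple[str, str]]:
    """Parse a CRLF-delimited header block the way a naive receiver would."""
    headers = []
    for line in raw.split("\r\n"):
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


# Constructed access-log lines in a common combined-log layout; the real
# cPanel/WHM access log may use a different layout, so adjust LOG_RE to match.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Apr/2026:10:01:02 +0000] "GET /login/?login_only=1 HTTP/1.1" 401 0 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Apr/2026:10:01:03 +0000] "GET /login/?user=a%0d%0aX-Probe:%201 HTTP/1.1" 200 0 "-" "curl/8.0"
198.51.100.7 - - [28/Apr/2026:10:02:00 +0000] "GET /frontend/jupiter/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Apr/2026:10:03:00 +0000] "GET /login/?user=a%250d%250ab HTTP/1.1" 200 0 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] (?P<rest>.*)$')
QUOTED_FIELD_RE = re.compile(r'"([^"]*)"')


def scan_access_log(lines) -> list[tuple[str, str, str]]:
    """Return (ip, timestamp, offending field) for every quoted field that
    carries an encoded or raw CR/LF. Only fields the log actually records are
    visible here: a CRLF hidden in a Cookie header will not show up unless
    your log format writes that header out."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in QUOTED_FIELD_RE.findall(m.group("rest")):
            if contains_crlf(field):
                hits.append((m.group("ip"), m.group("ts"), field))
    return hits


def hits_by_ip(lines) -> Counter:
    """Count CRLF hits per source IP, a quick triage view for a busy log."""
    return Counter(ip for ip, _, _ in scan_access_log(lines))


if __name__ == "__main__":
    injected = "abc\r\nX-Injected: 1"
    # The vulnerable builder lets the value split into a second header line.
    print(split_header_block(build_set_cookie_vulnerable(injected)))
    try:
        build_set_cookie_hardened(injected)
    except ValueError as exc:
        print("hardened builder rejected value:", exc)
    for ip, ts, field in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{ip} at {ts}: {field}")
```

The vulnerable builder shows why the bug class matters: one decoded `\r\n` in a value turns a single `Set-Cookie` line into two headers as far as a downstream parser is concerned. For the detector, point it at whatever your web tier and cPanel's own logs under `/usr/local/cpanel/logs/` record, adjust `LOG_RE` to that layout, and treat a hit as a reason to pull the full request, not as proof of compromise on its own; a standard access log only records the request line, referer and user agent, so a payload carried purely in a Cookie header needs a log source that captures request headers.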