May 26, 2026

Hackers May Have Had Root Access to Your Server Since February — Here's the cPanel Zero-Day You Can't Ignore

Tags: cPanel, WHM, CVE-2026-41940, cybersecurity, server security

Hackers may have had root access to your server since February. And until recently, you'd have had no way of knowing.

I'm Shahriar Shuvo, a website developer in Bangladesh, and I've spent the last few weeks fielding nervous messages from clients and fellow developers about one thing: a critical zero-day in cPanel & WHM. If you run a website on shared hosting — or if you manage your own server — this is the security story you need to understand today, not next week.

Let me walk you through what happened, who's at risk, and exactly what to do about it.

What Is CVE-2026-41940?

CVE-2026-41940 is a critical authentication bypass in cPanel & WHM, the control panel software behind a large share of the world's web hosting. It affects cPanel & WHM, including DNSOnly, in all versions after 11.40, carries a CVSS score of 9.8, and is classified as missing authentication for a critical function (Imperva).

In plain English: an attacker doesn't need your password and doesn't need to brute-force a login screen. The flaw lets an unauthenticated remote attacker gain root-level access to the WHM administrative interface. Root on a hosting server means everything: files, databases, email, customer data, server configuration. All of it (Trend Micro).

Technically, the bug is a CRLF (carriage-return line-feed) injection in how cPanel handles login sessions. Before authentication even occurs, the cPanel service daemon (cpsrvd) writes a new session file to disk, and an attacker can manipulate the session cookie to bypass the encryption normally applied to attacker-provided values. CRLF injection is the classic way to abuse a line-oriented store: a line break smuggled into one value ends that field early, and the rest of the payload is parsed as additional, attacker-chosen fields. The result is a forged session that the server treats as trusted (Rapid7).
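To make the bug class concrete, here is a small model of a line-oriented session store with a vulnerable writer beside a hardened one. This is an added example written for this article, not cPanel's code: the "key=value per line" format, the field names (authenticated, user, tracking), and the cookie payload are assumptions chosen to show the mechanism, not cPanel's real on-disk format.

```python
"""Model of the bug class behind CVE-2026-41940: CRLF injection into a
line-oriented session file.  Added example for this article, not cPanel's
code.  The "key=value per line" format, the field names ("authenticated",
"user", "tracking") and the cookie payload are assumptions chosen to show
the mechanism, not the real on-disk format."""
from __future__ import annotations

import re

# A line-oriented store must never accept these inside a single value.
_CONTROL_CHARS = re.compile(r"[\r\n\x00]")

# Constructed cookie value: one benign token followed by two injected lines.
INJECTED_COOKIE = "abc123\r\nauthenticated=1\r\nuser=root"


def serialize_session_vulnerable(session_id: str, cookie_value: str) -> str:
    """Pre-authentication writer that copies client data verbatim.

    Because every field is one "key=value" line, a CR/LF inside the cookie
    value ends the 'tracking' line early and the rest of the payload lands as
    new lines that a naive parser will treat as real fields.
    """
    fields = [
        ("session", session_id),
        ("user", ""),                # unknown: authentication has not happened
        ("authenticated", "0"),
        ("tracking", cookie_value),  # attacker-controlled, unchecked
    ]
    return "".join(f"{key}={value}\n" for key, value in fields)


def serialize_session_hardened(session_id: str, cookie_value: str) -> str:
    """Same writer with the checks that close the bug class.

    1. Reject, rather than silently strip, any client value carrying CR, LF
       or NUL, after whatever decoding or decryption step has run.
    2. Store client data under a name no trust decision reads, so a parser
       that lets the last key win cannot be steered by it.
    """
    if _CONTROL_CHARS.search(cookie_value):
        raise ValueError("control character in client-supplied session data")
    fields = [
        ("session", session_id),
        ("user", ""),
        ("authenticated", "0"),
        ("client_tracking", cookie_value),
    ]
    return "".join(f"{key}={value}\n" for key, value in fields)


def parse_session(text: str) -> dict[str, str]:
    """Read the file back the way a naive daemon would: last key wins."""
    session: dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            session[key] = value
    return session


def is_trusted(session: dict[str, str]) -> bool:
    """The trust decision a privileged handler would make from the file."""
    return session.get("authenticated") == "1" and bool(session.get("user"))


def demo() -> dict[str, bool]:
    """Run both writers against the constructed payload."""
    forged = parse_session(serialize_session_vulnerable("s-1", INJECTED_COOKIE))
    benign = parse_session(serialize_session_vulnerable("s-1", "abc123"))
    try:
        serialize_session_hardened("s-1", INJECTED_COOKIE)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "vulnerable_accepts_forged_root": is_trusted(forged),  # True
        "benign_cookie_not_trusted": not is_trusted(benign),   # True
        "hardened_rejects_payload": rejected,                  # True
    }


if __name__ == "__main__":
    print(serialize_session_vulnerable("s-1", INJECTED_COOKIE))
    print(demo())
```

The point of the model is the order of operations: the daemon writes attacker data before it knows who the client is, and the file format has no way to tell an injected line from a genuine one. Validating the value after decoding, and keeping client-controlled fields out of the namespace that trust decisions read, are the two fixes that hold regardless of the exact file format.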

Why This One Is Genuinely Terrifying

Plenty of vulnerabilities get the "critical" label and turn out to be theoretical. This one is not. Here's what sets it apart.

It's a true zero-day that was exploited for months. Exploitation was observed from around February 23, 2026, per hosting provider KnownHost, so this was a live zero-day for roughly two months before cPanel's emergency patch on April 28. For over two months, attackers were walking through the front door while administrators had no patch, no advisory, and no idea (Picus Security).

The patch came late, and the disclosure was murky. According to reporting, the vulnerability had been reported to cPanel roughly two weeks before the April 28 public advisory, and cPanel's initial response was reportedly that nothing was wrong. That gap matters: even diligent admins could not have acted sooner (Help Net Security).

The attack surface is enormous. Around 1.5 million internet-exposed cPanel instances were identified via Shodan telemetry referenced by Rapid7. One compromised WHM server isn't one compromised site; it's potentially every website hosted on that machine (Picus Security).

Exploitation is confirmed and ongoing. Threat intelligence indicates active exploitation in the wild, and a public proof-of-concept exploit is now available, which raises the likelihood of broader attacks. Once a PoC is public, the barrier to entry for opportunistic attackers drops to nearly zero (Bitsight).

Who Is Affected

If your hosting environment runs cPanel & WHM, DNSOnly, or WP Squared on any version after 11.40, assume you are in scope until proven otherwise. An unauthenticated remote attacker can gain unauthorized access to any exposed control panel, and exposing the cPanel/WHM web service to the internet is the default configuration for most hosts (Cato Networks).

This breaks down into two groups: people who manage their own servers, and people on shared hosting. The action steps differ, so let's take them separately.

If You Manage Your Own Server: Patch Right Now

This is not a "schedule it for the weekend" situation. Do this today.

1. Update immediately. Run cPanel's update process to pull the patched build:

/scripts/upcp --force

2. Verify you're on a patched version. cPanel released fixes across every supported release branch: 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, 11.136.0.5, and WP Squared 11.136.1.7. Confirm that your installed version matches or exceeds the patched build for your branch. A branch that is not on this list is out of support and received no fix, so treat it as vulnerable until you upgrade to a supported branch (Bitsight).

3. Restart the service. After applying updates, restart cpsrvd so the patched code is actually what is serving requests (Bitsight).

4. Block the ports until you're patched. If you can't patch this instant, block external access to ports 2083, 2087, 2095, and 2096 at your firewall, or stop the cpsrvd and cpdavd services until remediation is complete (Bitsight). If you still serve the unencrypted cPanel and WHM ports, 2082 and 2086, block those as well.

5. Check for signs of compromise. Patching stops future attacks; it does not undo a breach that may already have happened. cPanel's advisory includes a local detection script and sample output showing exploitation artifacts in session files. Run the vendor script as part of a compromise assessment rather than relying only on network indicators, and audit your WHM access logs for logins and source addresses you don't recognize (Cato Networks).
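Step 2 is where admins most often slip, because the 11.136.0.x and WP Squared 11.136.1.x branches have different patched builds and a plain numeric comparison gets them wrong. The script below is an added example for this article, not cPanel's own tooling. It assumes the version string is cPanel's dotted form (for example 11.136.0.5), that by default it can be read from /usr/local/cpanel/version (an assumed location), and that the patched-build table is the one quoted in step 2, which must be refreshed from cPanel's advisories as new builds ship.

```python
"""Decide whether an installed cPanel & WHM build carries the fix for
CVE-2026-41940.  Added example for this article, not cPanel's tooling.
Assumptions: the version string is cPanel's dotted form (e.g. 11.136.0.5);
by default it is read from /usr/local/cpanel/version, which is assumed to
hold that string; the patched-build table is the one quoted in step 2 and
must be refreshed from cPanel's advisories as new builds ship."""
from __future__ import annotations

import sys
from pathlib import Path

VERSION_FILE = Path("/usr/local/cpanel/version")  # assumed location

# First fixed build per release branch, keyed on the first three components so
# that regular 11.136.0.x and WP Squared 11.136.1.x are judged separately.
PATCHED_BUILDS: dict[tuple[int, int, int], tuple[int, int, int, int]] = {
    (11, 110, 0): (11, 110, 0, 97),
    (11, 118, 0): (11, 118, 0, 63),
    (11, 126, 0): (11, 126, 0, 54),
    (11, 132, 0): (11, 132, 0, 29),
    (11, 134, 0): (11, 134, 0, 20),
    (11, 136, 0): (11, 136, 0, 5),
    (11, 136, 1): (11, 136, 1, 7),  # WP Squared
}

# The advisory scopes the bug to every version after 11.40.
LAST_UNAFFECTED = (11, 40)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '11.136.0.5' (or a shorter prefix) into a zero-padded 4-tuple."""
    parts = text.strip().split(".")
    if not parts or len(parts) > 4 or not all(part.isdigit() for part in parts):
        raise ValueError(f"unrecognised cPanel version string: {text!r}")
    padded = tuple(int(part) for part in parts) + (0, 0, 0, 0)
    return padded[:4]


def assess(version_text: str) -> str:
    """Return 'patched', 'vulnerable', 'unknown_branch' or 'not_affected'.

    'unknown_branch' means no fixed build is listed for this branch.  cPanel
    shipped fixes only for supported branches, so treat it as vulnerable.
    """
    version = parse_version(version_text)
    if version[:2] <= LAST_UNAFFECTED:
        return "not_affected"
    fixed = PATCHED_BUILDS.get(version[:3])
    if fixed is None:
        return "unknown_branch"
    return "patched" if version >= fixed else "vulnerable"


def assess_installed(version_file: Path = VERSION_FILE) -> str:
    """Read the on-disk version and assess it; 'unknown' if unreadable."""
    try:
        return assess(version_file.read_text())
    except (OSError, ValueError):
        return "unknown"


if __name__ == "__main__":
    # Pass a version on the command line for offline use, else read the file.
    result = assess(sys.argv[1]) if len(sys.argv) > 1 else assess_installed()
    print(result)
    sys.exit(0 if result in ("patched", "not_affected") else 1)
```

The non-zero exit status for anything other than "patched" or "not_affected" is deliberate: a fleet-wide check should fail loudly on hosts where the version file is missing or the branch is unknown, rather than quietly reporting them as fine.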

One more thing worth knowing: this incident hasn't fully settled. On May 20, 2026, cPanel released another emergency patch for an actively exploited privilege-escalation issue in the LiteSpeed User-End plugin, advising an immediate update to 11.136.0.13. So once you've handled CVE-2026-41940, keep watching for follow-up advisories (myglobalHOST).

If You're on Shared Hosting: Make One Phone Call

Most website owners don't touch WHM at all — your hosting provider manages it. That doesn't mean you're safe; it means your safety depends on whether your provider has patched.

So contact them today and ask one direct question: "Have you patched CVE-2026-41940?"

A good provider will already have done it. Several hosting companies, including Namecheap, KnownHost, HostPapa, and InMotion, preemptively blocked the cPanel login ports to protect customers ahead of patching. If your provider can't give you a clear, confident answer, that's a red flag worth taking seriously (Picus Security).

While you're at it, rotate your important passwords (cPanel login, email, database) once you've confirmed the server is patched. If attackers had access, your credentials may already be in someone else's hands.

The Bottom Line

The patch is out. The remediation steps are public. There is no excuse left to stay exposed — and yet, with 1.5 million instances out there, plenty of servers still are.

Security isn't about panic; it's about acting before the attacker does. Patch your server, or confirm your host has. Check for signs you were already hit. And then share this with the people in your network who run their own sites — because someone you know is almost certainly still vulnerable and doesn't realize it.

That five-minute conversation today could save someone their entire business tomorrow.


Shahriar Shuvo is a website developer in Bangladesh who builds secure, well-maintained WordPress and hosting setups. You can find his work at shuvogt.com.
