Particle.news

Critical cPanel/WHM Auth Bypass Patched After Months of Silent Exploits

Active exploitation forces hosts to patch fast.

Overview

  • cPanel released emergency fixes Tuesday across all supported branches for CVE-2026-41940, a critical login bypass that also affects the WP Squared WordPress management panel.
  • Researchers show the flaw stems from CRLF characters in a crafted Authorization header that cPanel writes into a pre‑auth session file, letting attackers inject values like user=root and then log in without a password.
  • Hosting providers report exploitation attempts dating back to February 23, and CISA has now listed the bug in its Known Exploited Vulnerabilities catalog to signal immediate risk for any unpatched systems.
  • Major hosts including Namecheap, HostGator, and KnownHost temporarily blocked cPanel and WHM ports 2083 and 2087 to protect customers during rollout, with some guidance also covering ports 2095 and 2096 or stopping core services.
  • Roughly 1.5 million internet‑facing cPanel instances show up in Shodan scans, and both cPanel and watchTowr published detection tools alongside response steps such as restarting cpsrvd, purging sessions, resetting credentials, and auditing logs.
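To make the mechanism in the second bullet concrete, here is an added toy model of the bug class (CRLF injection into a line-oriented session store) with the naive writer beside a hardened one, plus a small log-triage helper of the kind the detection tools mentioned above automate. This is illustration code written for this page, not cPanel's or watchTowr's; the session file layout, key names and log line format are all assumptions.

```python
import re
from urllib.parse import unquote

# Constructed model of the bug class described above: a pre-auth session
# store that writes a request header value into a key=value file, one entry
# per line. File layout, key names and log format are assumptions only.
_CTRL = re.compile(r"[\x00-\x1f\x7f]")


def is_safe_header_value(value: str) -> bool:
    """True when the value carries no control characters (CR, LF, NUL, ...)."""
    return _CTRL.search(value) is None


def write_session_naive(auth_header: str) -> str:
    """Vulnerable model: the raw header value is written into the file, so an
    embedded CR/LF starts a new record that the loader will honour."""
    return f"state=preauth\nauthz={auth_header}\n"


def write_session_hardened(auth_header: str) -> str:
    """Hardened model: refuse control characters before the value can reach
    the store, the standard fix for CRLF/header injection."""
    if not is_safe_header_value(auth_header):
        raise ValueError("control character in Authorization header")
    return f"state=preauth\nauthz={auth_header}\n"


def load_session(text: str) -> dict:
    """Last-wins key=value loader: the behaviour that lets an injected line
    become an authoritative session attribute."""
    session = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            session[key.strip()] = value.strip()
    return session


def suspicious_auth_headers(log_lines):
    """Defensive triage over request logs that record the Authorization
    header: flag values carrying raw or percent-encoded control characters."""
    hits = []
    for line in log_lines:
        m = re.search(r'authorization="([^"]*)"', line, re.IGNORECASE)
        if m and not is_safe_header_value(unquote(m.group(1))):
            hits.append(line)
    return hits


# Constructed sample log lines (assumed format with a quoted authorization field)
SAMPLE_LOG = [
    '203.0.113.5 "POST /login/ HTTP/1.1" 401 authorization="Basic dXNlcjpwYXNz"',
    '198.51.100.9 "POST /login/ HTTP/1.1" 200 authorization="Basic x%0d%0auser=root"',
]
```

Running `suspicious_auth_headers(SAMPLE_LOG)` returns only the second line, and `write_session_hardened` raises on the same value that the naive writer silently turns into a `user=root` record.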