CVE-2026-41940: the critical cPanel vulnerability exposing thousands of servers
A severe authentication bypass vulnerability, identified as CVE-2026-41940, affects cPanel & WHM installations, including DNSOnly, in versions after 11.40. The flaw, discovered by WatchTowr Labs, allows remote unauthenticated attackers to access control panels without authorization. It has a CVSS 3.1 score of 9.8 and is classified as CWE-306: Missing Authentication for Critical Function.
Quick Response
- CVE-2026-41940 is an authentication bypass vulnerability in cPanel & WHM
- It affects all supported versions after 11.40
- It allows unauthorized access to control panels
- It has a CVSS score of 9.8
- It was discovered by WatchTowr Labs
Systemic impact on hosting infrastructures
cPanel & WHM is widely used for managing web hosting environments, with WHM providing administrative access and cPanel controlling individual user accounts. The vulnerability, located in the login flow, could allow attackers to access high-value administrative functions in various hosting environments. The issue specifically concerns the session loading and saving behavior.
Geographical and sectoral distribution of attacks
Imperva detected nearly 4,000 targeted attack requests aimed at customers in 17 countries and 15 different sectors, indicating opportunistic scanning rather than attacks concentrated on specific verticals or geographies. The United States accounted for nearly 70% of the observed attacks, followed by Barbados and Israel. This pattern suggests that attackers are targeting regions with significant web infrastructure, while the presence of smaller geographies indicates automated discovery of exposed internet-facing assets.
Most affected sectors
The most affected sectors include Business, Society, and Education, reflecting the widespread use of hosting control panels among organizations with public websites, portals, and distributed web infrastructures. Although the volume of observed attacks is currently limited compared to mass exploitation campaigns, the geographical and sectoral spread demonstrates active searching for exposed cPanel and WHM instances.
Urgent mitigation measures
The definitive remediation for CVE-2026-41940 is to update immediately to a patched version of cPanel & WHM. Organizations should also follow the detection guidelines provided by cPanel, inspect session files for indicators of compromise, and audit WHM access logs for unauthorized activity. Specifically, cPanel recommends:
- Purging affected sessions
- Forcing password resets for root and WHM users
- Checking for persistence mechanisms
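As an added illustration of the access-log audit step (this is not cPanel's or Imperva's detection guidance), the following Python sketch flags successful WHM session requests from addresses outside an administrator allowlist. The log layout is an assumption modelled on cPanel's access_log format, the allowlist is hypothetical, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed line layout (combined-style, listening port as last field).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'.* (?P<port>\d+)$'
)
WHM_PORTS = {"2086", "2087"}               # WHM plain / TLS ports
SESSION_RE = re.compile(r"^/cpsess\d+/")   # URL prefix of a logged-in session
# Hypothetical allowlist of networks administrators log in from.
ADMIN_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample lines using documentation IP ranges, not real log data.
SAMPLE_LOG = """\
198.51.100.7 - root [04/30/2026:09:12:01 -0000] "GET /cpsess1111111111/scripts/command HTTP/1.1" 200 0 "-" "Mozilla/5.0" "s" "-" 2087
203.0.113.50 - - [04/30/2026:09:40:02 -0000] "GET /login/ HTTP/1.1" 401 0 "-" "python-requests/2.31" "-" "-" 2087
203.0.113.50 - root [04/30/2026:09:40:17 -0000] "GET /cpsess2222222222/json-api/listaccts HTTP/1.1" 200 0 "-" "python-requests/2.31" "s" "-" 2087
192.0.2.9 - alice [04/30/2026:10:02:44 -0000] "GET /cpsess3333333333/frontend/index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0" "s" "-" 2083
this line is truncated
"""

def audit(log_text, admin_nets=ADMIN_NETS):
    """Return ({ip: [(ts, user, path), ...]}, unparsed_count) for WHM session
    requests that succeeded from addresses outside admin_nets."""
    findings, unparsed = defaultdict(list), 0
    for line in filter(None, map(str.strip, log_text.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1          # count unparsable lines, never drop silently
            continue
        if (m["port"] not in WHM_PORTS or not SESSION_RE.match(m["path"])
                or not m["status"].startswith("2")):
            continue               # not a successful WHM session request
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            unparsed += 1
            continue
        if not any(src in net for net in admin_nets):
            findings[m["ip"]].append((m["ts"], m["user"], m["path"]))
    return dict(findings), unparsed

if __name__ == "__main__":
    hits, bad = audit(SAMPLE_LOG)
    for ip, events in hits.items():
        print("REVIEW", ip, events)
    print(bad, "unparsed line(s)")
```

A hit is a lead for review rather than proof of compromise; correlate it with the session files and password-reset steps listed above.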
Protection for Imperva customers
Imperva customers with Cloud WAF and WAF Gateway are protected against this vulnerability. Imperva's web application firewall (WAF) provides an additional layer of security by inspecting incoming traffic and blocking malicious requests that exploit known vulnerabilities like CVE-2026-41940.
Editorial Note and Disclaimer
The guides and content published on GoYou are the result of independent research and analysis activities, for informational, educational, and in-depth purposes.