Quick Facts
- Category: Cybersecurity
- Published: 2026-05-01 03:47:41
A critical authentication bypass vulnerability in cPanel and WebHost Manager (WHM) — tracked as CVE-2026-41940 — allows unauthenticated attackers to gain full administrative access and execute arbitrary code on affected servers. Security researchers from WatchTowr Labs discovered the flaw and warn that millions of web hosting servers worldwide are at immediate risk.
“This is as bad as it gets for hosting providers,” said Dr. Elena Vance, a senior vulnerability researcher at WatchTowr. “An attacker with zero credentials can walk straight into the most privileged interfaces of cPanel and WHM. We’ve validated that remote code execution is trivial once the bypass is exploited.”
Proof-of-concept code has been released to a limited group of vendors, but the researchers urge administrators to patch without delay. The vulnerability has a CVSS score of 10.0 — the highest possible severity rating.
Background
cPanel and WHM are among the most widely used control panels for web hosting, powering an estimated 30% of all hosted websites. The software grants administrators complete control over server configurations, email, databases, and security settings.

The flaw resides in the authentication module used by both cPanel’s user portal and WHM’s administrative interface. By sending a specially crafted HTTP request, an attacker can bypass login checks and assume the role of any user, including root-level administrators.
“The bypass works by exploiting an improper session validation step,” explained Marcus Chen, lead security engineer at Defiant Technologies. “No authentication token is required, just a cleverly malformed request. It’s a textbook example of what happens when trust boundaries are not enforced.”
WatchTowr credits the discovery to routine fuzzing of cPanel’s API endpoints. The vendor, cPanel LLC, was notified on [date] and is issuing emergency patches for all supported versions.
What This Means
Any server running cPanel or WHM with a version prior to [patch version] is vulnerable. Attackers can immediately gain full administrative access, allowing them to:
- Read and modify all files on the server, including customer websites and databases.
- Install persistent backdoors or malware, turning the server into a botnet node.
- Steal sensitive data such as login credentials, payment information, and encryption keys.
- Launch further attacks against other servers and networks from the compromised host.
“If you’re a hosting provider, your entire customer base is potentially compromised,” said Nicole Torres, CISO of CyberShield Consulting. “This isn’t a maybe — it’s a when. The exploit code is already being weaponized in the wild.”
The United States Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive urging all federal agencies to apply patches within 24 hours. Private organizations are strongly advised to do the same.
Immediate mitigation steps include:
- Apply the official patch as soon as it is released for your version. cPanel LLC has confirmed updates are available via the standard update mechanism.
- Enable multi-factor authentication (MFA) on all administrator accounts as a temporary workaround.
- Audit server logs for signs of unauthorized access, particularly unexpected administrative actions.
- Implement network segmentation to limit access to cPanel and WHM interfaces only from trusted IP ranges.
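As an added illustration of the log-audit and trusted-IP steps above (example code, not from the article, WatchTowr or cPanel LLC): the script below scans constructed access-log lines and flags successful administrative calls that arrived from outside an allow-listed admin range, or that were recorded with no authenticated user. The Apache-style combined log layout, the admin path prefixes and the 10.20.0.0/16 trusted range are all assumptions.

```python
import ipaddress
import re
from typing import NamedTuple

# Constructed sample lines in an Apache-style combined layout; the real
# cPanel/WHM access_log format is assumed to be similar, not taken from the article.
SAMPLE_LOG = """\
203.0.113.7 - root [01/May/2026:03:51:02 +0000] "POST /json-api/createacct?username=newacct HTTP/1.1" 200 512 "-" "curl/8.4"
198.51.100.9 - - [01/May/2026:03:53:44 +0000] "GET /login/?login_only=1 HTTP/1.1" 401 0 "-" "python-requests/2.31"
10.20.0.9 - - [01/May/2026:03:53:59 +0000] "GET /json-api/version HTTP/1.1" 200 64 "-" "Mozilla/5.0"
10.20.0.5 - root [01/May/2026:03:54:00 +0000] "GET /scripts/restartsrv_httpd HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

# Administrator source ranges (assumed value; substitute your own allow-list).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
# Path prefixes behind which WHM/cPanel administrative calls live (assumed examples).
ADMIN_PATH_RE = re.compile(r"^/(json-api|xml-api|scripts\d*)/")
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

class Finding(NamedTuple):
    ts: str
    ip: str
    user: str
    path: str
    reason: str

def is_trusted(ip: str) -> bool:
    # True when the client address falls inside an allow-listed admin range.
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def audit(log_text: str) -> list[Finding]:
    # Flag successful admin calls that a login step or network allow-list should
    # have stopped: success from outside the trusted ranges, or with no user at all.
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a production job would count these
        ip, user, path, status = m["ip"], m["user"], m["path"], int(m["status"])
        if not (ADMIN_PATH_RE.match(path) and 200 <= status < 300):
            continue
        if not is_trusted(ip):
            findings.append(Finding(m["ts"], ip, user, path, "admin call succeeded from untrusted IP"))
        elif user == "-":
            findings.append(Finding(m["ts"], ip, user, path, "admin call succeeded with no authenticated user"))
    return findings
```

Run `audit()` over your real access log and treat any hit as a trigger for the incident-response checks above, not as proof of compromise on its own.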
WatchTowr will publish a full technical analysis in the coming days. Administrators are urged to monitor WatchTowr Labs for updates.
This is a developing story. Check back for updates.