cPanel, a leading provider of web hosting control panel software, has recently addressed three critical security vulnerabilities in its cPanel and WebHost Manager (WHM) platforms. These flaws, if exploited, could allow unauthorized access and control over servers, posing significant risks to web hosting providers and their clients.
Overview of the Vulnerabilities
The identified vulnerabilities are:
1. CVE-2026-41940: An authentication bypass vulnerability that enables remote attackers to gain unauthorized access to the cPanel and WHM interfaces.
2. CVE-2026-41941: A flaw in the session management system that could allow attackers to hijack user sessions, leading to potential data breaches.
3. CVE-2026-41942: A cross-site scripting (XSS) vulnerability that could be exploited to execute arbitrary scripts in the context of a user’s browser session.
Details and Implications
The most severe of these, CVE-2026-41940, has been actively exploited in the wild. Attackers have targeted government and military entities in Southeast Asia, as well as managed service providers (MSPs) and hosting providers in countries including the Philippines, Laos, Canada, South Africa, and the U.S. The exploitation involves using publicly available proof-of-concept (PoC) scripts to gain elevated control over the cPanel and WHM interfaces. ([thehackernews.com](https://thehackernews.com/2026/05/critical-cpanel-vulnerability.html?utm_source=openai))
The attacks have been traced back to the IP address 95.111.250[.]175, primarily focusing on government and military domains associated with the Philippines (.mil.ph and .ph) and Laos (.gov.la). In some instances, attackers have employed custom exploit chains, combining authenticated SQL injection and remote code execution, to compromise systems. Tools like AdaptixC2, OpenVPN, and Ligolo have been utilized to establish persistent access and exfiltrate sensitive documents. ([thehackernews.com](https://thehackernews.com/2026/05/critical-cpanel-vulnerability.html?utm_source=openai))
cPanel’s Response and Recommendations
In response to these vulnerabilities, cPanel has released security updates for all supported versions:
– 11.110.0.97
– 11.118.0.63
– 11.126.0.54
– 11.132.0.29
– 11.136.0.5
– 11.134.0.20
Users are strongly advised to update their servers immediately to these versions. For servers not running a supported version, it is crucial to upgrade as soon as possible to mitigate potential risks. ([thehackernews.com](https://thehackernews.com/2026/04/critical-cpanel-authentication.html?utm_source=openai))
Additionally, cPanel has provided a detection script to identify indicators of compromise (IoCs). Users should run this script to check for signs of unauthorized access and take appropriate remediation steps if any IoCs are found.
Mitigation Measures
Until patches can be applied, cPanel recommends the following temporary mitigation measures:
– Block inbound traffic on ports 2083, 2087, 2095, and 2096 at the firewall.
– Stop the cPanel services `cpsrvd` and `cpdavd`.
These steps can help prevent unauthorized access to the cPanel and WHM interfaces. ([thehackernews.com](https://thehackernews.com/2026/04/critical-cpanel-authentication.html?utm_source=openai))
Industry Response
The severity of these vulnerabilities has prompted immediate action from web hosting companies. For instance, Namecheap applied firewall rules to block access to TCP ports 2083 and 2087, temporarily restricting customer access to their cPanel and WHM interfaces until patches were applied. This proactive measure aimed to prevent potential exploitation while awaiting official fixes. ([thehackernews.com](https://thehackernews.com/2026/04/critical-cpanel-authentication.html?utm_source=openai))
Conclusion
The discovery and exploitation of these cPanel vulnerabilities underscore the critical importance of timely software updates and vigilant security practices. Web hosting providers and server administrators must prioritize applying the latest patches and monitoring their systems for any signs of compromise. By staying informed and proactive, the risks associated with such vulnerabilities can be significantly mitigated.
