VULNERABILITY OVERVIEW
A CRLF injection vulnerability (CVE-2026-41940) in the Basic Auth login flow of cPanel & WHM lets an unauthenticated remote attacker manipulate the session file and inject arbitrary session properties (for example, user=root), bypassing authentication entirely and gaining full root-level WHM access without any credentials. The flaw was exploited as a true zero-day for approximately 64 days before a patch was available, with active exploitation observed as early as February 23, 2026. Mass exploitation by multiple threat clusters followed the public PoC published by watchTowr Labs on April 29, 2026; at least 44,000 IPs were compromised, with the 'Sorry' ransomware (.sorry extension) and Mirai botnet variants deployed. A state-linked actor also targeted Southeast Asian government and military networks. CISA added the vulnerability to its KEV catalog on May 1, 2026.
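The mechanism behind the bypass, as an added illustration that is not part of the original page and is not cPanel's code: a username taken from the Basic Auth header is written verbatim into a line-oriented key=value session store, so a CR/LF inside the username turns one session line into two, and a later "user=root" line overrides the real one. The session format, the field names (user, role) and the demo credentials are assumptions made for this example; the hardened writer shows the check a practitioner would want, refusing any value that carries control characters instead of trying to sanitize it.

```python
"""Toy model of CRLF injection into a line-oriented session file.

Added example; the session format (one key=value pair per line, username
taken from the HTTP Basic Auth header) is an assumption for the demo, not
cPanel's actual on-disk format.
"""
import base64
import re
from typing import Dict, Optional

# Any C0 control character or DEL; CR (0x0d) and LF (0x0a) are the ones
# that matter for a line-oriented store.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def parse_basic_auth(header: str) -> Optional[str]:
    """Return the username from an 'Authorization: Basic ...' value, or None.

    Mirrors what a server does before the username reaches the session
    store: base64-decode, then split on the first ':'. Nothing here strips
    CR/LF, so whatever the client encoded comes straight through.
    """
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, _password = decoded.partition(":")
    return user


def write_session_vulnerable(user: str, **props: str) -> str:
    """Serialize a session the naive way: every value is interpolated verbatim."""
    lines = [f"user={user}"] + [f"{k}={v}" for k, v in props.items()]
    return "\n".join(lines) + "\n"


def write_session_hardened(user: str, **props: str) -> str:
    """Serialize a session only if no value contains a control character.

    Refusing the request is deliberate: stripping CR/LF silently would still
    accept attacker-shaped input and invites encoding bypasses.
    """
    for key, value in [("user", user), *props.items()]:
        if CONTROL_CHARS.search(value):
            raise ValueError(f"control character in session field {key!r}")
    return write_session_vulnerable(user, **props)


def read_session(blob: str) -> Dict[str, str]:
    """Parse the line-oriented format. A repeated key is last-wins, which is
    exactly what lets an injected 'user=root' line override the real one."""
    session: Dict[str, str] = {}
    for line in blob.splitlines():
        if line:
            key, _, value = line.partition("=")
            session[key] = value
    return session


# Constructed credential for the demo: username "guest\r\nuser=root", password "x".
INJECTED_HEADER = "Basic " + base64.b64encode(b"guest\r\nuser=root:x").decode()


def demo_injection() -> Dict[str, str]:
    """Vulnerable path: the session the server would load back for this login."""
    user = parse_basic_auth(INJECTED_HEADER)
    assert user is not None
    return read_session(write_session_vulnerable(user, role="member"))


def demo_hardened() -> str:
    """Hardened path: the same header is rejected before anything is written."""
    user = parse_basic_auth(INJECTED_HEADER)
    assert user is not None
    try:
        write_session_hardened(user, role="member")
    except ValueError:
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    print("vulnerable store loads:", demo_injection())   # user becomes 'root'
    print("hardened store:", demo_hardened())            # 'rejected'
```

The same control-character test belongs on every field that is written from request data, not only the username; a store that escapes values on write and unescapes on read is the structural fix, and the reject-on-write check is the minimum that closes this class regardless of the serializer.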
CVSS BREAKDOWN
AFFECTED VERSIONS
All supported cPanel & WHM versions after 11.40, and WP2; patched in version 136.1.7
CITATIONS
- cPanel Advisory: https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026
- watchTowr Labs PoC: https://blog.watchtowr.com/cve-2026-41940-cpanel-whm-auth-bypass/
- CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- The Hacker News: https://thehackernews.com/2026/05/critical-cpanel-vulnerability.html
- Malwarebytes: https://www.malwarebytes.com/blog/news/2026/05/actively-exploited-cpanel-bug-exposes-millions-of-websites-to-takeover