CVE-2026-41940
CRITICAL · 9.8 KEV EPSS 28.4%Active in-the-wild exploitation, KEV-listed, confirmed Mirai/ransomware campaigns, mass scanning.
What: Authentication bypass in cPanel/WHM versions after 11.40 allowing unauthenticated remote root access (CVSS 9.8 CRITICAL, EPSS 0.96).
Why it matters: KEV-listed 2026-04-30. Active in-the-wild exploitation confirmed within 24 hours of disclosure. Censys reports 80% of new malicious hosts linked to cPanel; Shadowserver observed 44K+ compromised IPs scanning honeypots. Mirai variants and ".sorry" ransomware campaigns already active. ~1.5M cPanel instances exposed online.
Where it's seen: Security research teams (Censys, Shadowserver, DFIR analysts) publishing mass-compromise metrics and botnet/ransomware attribution. Hosting providers (Hostao) taking services offline. Global CERT advisories issued. Patch available since 2026-04-28.
RISK: CRITICAL — KEV-listed, 44K+ compromised IPs, mass botnet/ransomware exploitation within 24h, 1.5M exposed instances.
AttackerKB
view on attackerkb.com →cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
Public PoCs on GitHub 20 repos
- nomi-sec/PoC-in-GitHub ★ 7687
📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.
- Mr-xn/Penetration_Testing_POC ★ 7330 · HTML
渗透测试有关的POC、EXP、脚本、提权、小工具等---About penetration-testing python-script poc getshell csrf xss cms php-getshell domainmod-xss csrf-webshell cobub-razor cve rce sql sql-poc poc-exp bypass oa-getshell cve-cms
- 0xMarcio/cve ★ 1231 · Python
Latest CVEs with their Proof of Concept exploits.
- GhostTroops/TOP ★ 722 · Shell
TOP All bugbounty pentesting CVE-2023- POC Exp RCE example payload Things
- watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py ★ 297 · Python
Articles & coverage 15 articles
- Exploit for CVE-2026-41940 - Vulners.com
Vuln critique cPanel/WHM: injection CRLF dans Basic, contournement d'authentification et accès root. Show more.
- CISA KEV: CVE-2026-41940 Active Exploitation Hits cPanel & WHM Mgmt Plane | Windows Forum
# CISA KEV: CVE-2026-41940 Active Exploitation Hits cPanel & WHM Mgmt Plane. : cisa kev cpanel whm shared hosting security vulnerability remediation. CISA added CVE-2026-41940, a critical missing-authentication vulnerability in WebPros cPanel & WHM and WP Squared, to its Known Exploited Vulnerabilities Catalog on April 30, 2026, after evidence showed the flaw was already being exploited in
- CVE-2026-41940 Explained: The cPanel & WHM Authentication ...
# CVE-2026-41940 Explained: The cPanel & WHM Authentication Bypass That Hit 1.5M Servers. **TL;DR** — CVE-2026-41940 is a pre-authentication remote auth bypass in cPanel & WHM (CVSS 9.8). It chains a **CRLF injection** in the session writer with an **encryption-skip** triggered by a malformed cookie, then uses a quirk in how cPanel caches sessions to "promote" the injection into a privileged login
- CVE-2026-41940: A Critical Authentication Bypass in cPanel
cPanel disclosed a critical authentication bypass vulnerability in all currently supported versions on April 28, 2026. The vulnerability is a session-file manipulation attack through CRLF injection. When cpsrvd re-parses that file, the injected lines become top-level session entries — including user=root, hasroot=1, tfa\_verified=1, a chosen cp\_security\_token, and a fresh successful\_internal\_a
- CVE-2026-41940: cPanel & WHM Authentication Bypass - Rapid7
# CVE-2026-41940: cPanel & WHM Authentication Bypass. On April 28, 2026, cPanel issued a security update to fix a critical vulnerability affecting the cPanel & WHM and WP Squared products. In the cPanel release notes, the bug was described as "an issue with session loading and saving." CVE-2026-41940, the identifier subsequently assigned on April 29, 2026, has a CVSS score of 9.8 and allows unauth
› NVD details 1 CWE ·1 vendor · 7 refs expand
Description
cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
References
Top posts driving the trend
@E3kd808X · 5/3/2026CVE-2026-41940 was a cPanel/WHM zero-day for ~2 months before the April 28 patch. CISA added it to KEV the same week. ~650k exposed instances, 44k IPs Full details + 8 dark web leak claims in #Cybersecurity #ThreatIntel #InfoSec #CISO #CVE https://t.co/7xJk3e2jDj
♥ 0 · ↻ 0 · 💬 0
@computerauditorX · 5/3/2026Your cPanel site at risk? A critical flaw (CVE-2026-41940) is being MASS-EXPLOITED by "Sorry" ransomware. Websites locked, data encrypted. Update or pay the price. Source: BleepingComputer. #CyberSecurity #Ransomware https://t.co/QhYHoSKLAS
♥ 0 · ↻ 0 · 💬 0
@officialwisemaX · 5/3/2026🚨 cPanel Zero-Day Alert (CVE-2026-41940) Auth bypass → root access in minutes. Patch now & secure your servers. Stay protected with expert VAPT, IAM & threat monitoring. 📩 [email protected] 🌐 https://t.co/aRXrJgyUC4 #CyberSecurity #ZeroDay #VAPT #IAM #DataSecurity https://t.co/BEj4p0QZrh
♥ 0 · ↻ 0 · 💬 0
@f1tym1X · 5/3/2026Critical cPanel Authentication Bypass Vulnerability Mass-Exploited to Deploy “Sorry” Ransomware Across Thousands of Servers https://t.co/M77ESwleIa Active Exploitation of CVE-2026-41940 Allows Attackers to Breach Hosting Panels, Encrypt Data, and Take Over Websites at Scale A…
♥ 0 · ↻ 0 · 💬 1
@authorshyamX · 5/3/2026M yofficial website was affected by cPanel/WHM CVE-2026-41940. Security updates and backup recovery ongoing. #cPanel #cPanelUpdates
♥ 0 · ↻ 0 · 💬 0- @ecrime.chBluesky · 5/3/2026
Critrical cPanel flaw mass-exploited in A new disclosed cPanel flaw tracked as CVE-2026-41940 is being mass-exploited to breach Read more: https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/
♥ 0 · ↻ 0 · 💬 0 
@DConsultingukX · 5/3/2026Critrical cPanel flaw mass-exploited in "Sorry" ransomware attacks A new disclosed cPanel flaw tracked as CVE-2026-41940 is being mass-exploited to breach websites an… https://t.co/JWD3BHwfSp https://t.co/QIbvNK22Ef
♥ 0 · ↻ 0 · 💬 0
@EnigmaGlobalSWX · 5/3/2026Intel Report [CRITICAL] - A critical authentication bypass vulnerability (CVE-2026-41940, CVSS 9.8) in cPanel & WebHost Manager (WHM) is under active mass exploitation following the public release of the 'cPanelSniper' exploit tool. The vulnerability,... https://t.co/kxwEEXTbH7
♥ 0 · ↻ 0 · 💬 0- @r-blueteamsec.bsky.socialBluesky · 5/3/2026
South-East Asian Military Entities Targeted via cPanel (CVE-2026-41940)
♥ 0 · ↻ 0 · 💬 0 - @pvynckier.bsky.socialBluesky · 5/3/2026
cPanel zero-day exploited for months before patch release (CVE-2026-41940) - Help Net Security www.helpnetsecurity.com/2026/04/30/c...
♥ 0 · ↻ 0 · 💬 0 
@PVynckierX · 5/3/2026cPanel zero-day exploited for months before patch release (CVE-2026-41940) - Help Net Security https://t.co/hKQ4VTnAEL
♥ 0 · ↻ 0 · 💬 0
@mdistiqurrahmanX · 5/3/202617 million domains at risk today. cPanel hit with a massive auth bypass: CVE-2026-41940 Attackers get full root access. I've built SEO systems since 2008. Rankings drop to zero if you get hijacked. Patch your servers. Check your logs... #cPanelSecurity #ServerSecurity https://t.co/LxtsvDWo1B
♥ 0 · ↻ 0 · 💬 0
@NewsDaily18579X · 5/3/2026🟡 A new cPanel flaw tracked as CVE-2026-41940 is being mass-exploited in "Sorry" ransomware attacks to breach websites and encrypt data. CVE: CVE-2026-41940 Target: cPanel According to BleepingComputer. #cPanelExploit #Ransomware
♥ 0 · ↻ 0 · 💬 0
@Ransom_DBX · 5/3/2026CVE-2026-41940 is a critical cPanel & WHM authentication bypass flaw that is being widely exploited to break into hosting servers and deploy the Linux-focused “Sorry” ransomware. The attacks have already impacted tens of thousands of exposed cPanel systems, with victims seeing https://t.co/A7JXmFMfXr
♥ 0 · ↻ 0 · 💬 0
@StrongKeepCyberX · 5/3/2026SMEs, beware: a critical cPanel flaw (CVE-2026-41940) is being mass exploited by Sorry ransomware to encrypt site data. Patch fast, verify backups, and check hosting configs. No doom-mongering, just patch and protect. More: https://t.co/zazhbpeuSr
♥ 0 · ↻ 0 · 💬 0- @hendryadrian.bsky.socialBluesky · 5/3/2026
A critical auth bypass in WHM and cPanel (CVE-2026-41940) is being mass-exploited to deploy "Sorry" ransomware on 44,000+ servers, encrypting files with a .sorry extension. #CVE202641940 #LinuxRansomware #HostingSecurity
♥ 0 · ↻ 0 · 💬 0 
@TweetThreatNewsX · 5/3/2026A critical auth bypass in WHM and cPanel (CVE-2026-41940) is being mass-exploited to deploy "Sorry" ransomware on 44,000+ servers, encrypting files with a .sorry extension. #CVE202641940 #LinuxRansomware #HostingSecurity https://t.co/vmrIeFArmT
♥ 0 · ↻ 0 · 💬 0
@cybrsecpathX · 5/3/2026Weaponized cPanelSniper PoC Supercharges Global Exploitation of CVE-2026-41940 https://t.co/063xHTVXQT #cPanel #Vulnerability #Authentication #Cyberattack #Cybersecurity
♥ 0 · ↻ 0 · 💬 0
@PTGLondonX · 5/3/20261.5 million cPanel instances vulnerable to authentication bypass. Attackers demanding £7,000 ransoms from UK hosting providers. CVE-2026-41940 grants complete admin co https://t.co/b2VhSeOAyp
♥ 0 · ↻ 0 · 💬 0
@mantancino_X · 5/3/2026The gap between internet-exposed surfaces and active compromises defines the current hosting crisis. While CISA added CVE-2026-41940 to the KEV catalog on April 30, 2026, the 1.5 million exposed cPanel instances represent a theoretical attack surface, not a victim count.
♥ 0 · ↻ 0 · 💬 1
@PurpleOps_ioX · 5/3/2026📢 𝐂𝐫𝐢𝐭𝐫𝐢𝐜𝐚𝐥 𝐜𝐏𝐚𝐧𝐞𝐥 𝐟𝐥𝐚𝐰 𝐦𝐚𝐬𝐬-𝐞𝐱𝐩𝐥𝐨𝐢𝐭𝐞𝐝 𝐢𝐧 "𝐒𝐨𝐫𝐫𝐲" 𝐫𝐚𝐧𝐬𝐨𝐦𝐰𝐚𝐫𝐞 𝐚𝐭𝐭𝐚𝐜𝐤𝐬 • A cPanel flaw (CVE-2026-41940) is being mass-exploited in "Sorry" ransomware attacks. • An emergency update for WHM and cPanel was released to fix https://t.co/92YYFEVWjY
♥ 0 · ↻ 0 · 💬 0
@ThreatAftX · 5/3/2026🔐cPanel CVE-2026-41940 (CVSS 9.8): pre‑auth CRLF injection → root access → “Sorry” ransomware. 📍 44,000+ IPs compromised (Shadowserver) 🎯 1.5M exposed instances 📅 CISA patch deadline: May 3 Full analysis + IOCs 🔗 https://t.co/15lmhZEjEY #ThreatIntel #cPanel #ZeroDay
♥ 0 · ↻ 0 · 💬 0
@obscariesX · 5/3/2026🚨 New weaponized PoC in the wild cPanelSniper turns the recent critical cPanel/WHM auth bypass (CVE-2026-41940) into a mass-exploitation tool. 🔗 https://t.co/UCvtAq97Es #BugBounty #CyberSecurity #Infosec #WebSecurity #Hacking https://t.co/s7IE4z9Kt7
♥ 0 · ↻ 0 · 💬 0
@compuchrisX · 5/3/2026In Regard to CVE-2026-41940 #CISO https://t.co/Lyhq9PgvdZ
♥ 0 · ↻ 1 · 💬 0- @postac001.bsky.socialBluesky · 5/3/2026
cPanelの脆弱性(CVE-2026-41940)が悪用され、「Sorry」ランサムウェア攻撃でウェブサイトが侵害されデータが暗号化されている。
♥ 0 · ↻ 0 · 💬 0 
@TheCyberSecHubX · 5/3/2026cPanel zero-day exploited for months before patch release (CVE-2026-41940) https://t.co/RLkewii6yd
♥ 0 · ↻ 0 · 💬 0- @potato.softwareBluesky · 5/3/2026
🔒 Critrical cPanel flaw mass-exploited in "Sorry" ransomware attacks A new disclosed cPanel flaw tracked as CVE-2026-41940 is being mass-exploited to breach websites and encrypt data in "S... https://is.gd/lXtL8B #PotatoSecurity #InfoSec #CrustyTLDR
♥ 1 · ↻ 0 · 💬 0 - @crustytldr.bsky.socialBluesky · 5/3/2026
🔒 Critrical cPanel flaw mass-exploited in "Sorry" ransomware attacks A new disclosed cPanel flaw tracked as CVE-2026-41940 is being mass-exploited to breach websites and encrypt data in "S... https://is.gd/lXtL8B #CyberSecurity #InfoSec #CrustyTLDR
♥ 0 · ↻ 0 · 💬 0 
@securerailX · 5/3/2026cPanel flaw CVE-2026-41940 already being mass-exploited into “Sorry” ransomware. If you run hosting panels, patching isn’t a someday task — exposed admin software gets found fast. #CyberSecurity #InfoSec https://t.co/P6ZzFRJRcp
♥ 0 · ↻ 0 · 💬 0- @compuchrisX · 5/3/2026
The Internet Is Falling Down, Falling Down, Falling Down (cPanel & WHM Authentication Bypass CVE-2026-41940) - watchTowr Labs #CISO https://t.co/Ie7TyLnS3g
♥ 0 · ↻ 0 · 💬 0
