Hacking/Ping Test News Last 48 Hours cPanel

cPanel and WHM are currently under active exploitation for a critical zero-day authentication bypass vulnerability (CVE-2026-41940) with a CVSS score of 9.8. Discovered and patched in late April 2026, this flaw allows attackers to bypass login screens and gain full administrative control over hosting systems, potentially compromising millions of websites.

Key Details

Vulnerability Mechanism: The bug stems from improper session handling and CRLF injection in the login process, where user-controlled input in the Authorization header is written to server-side session files before authentication.
Active Exploitation: Evidence suggests hackers have been abusing this vulnerability for months, with some providers detecting attempts as early as February 23, 2026. Proof-of-concept (PoC) code is currently circulating online.
Affected Systems: The flaw impacts all supported versions of cPanel and WHM (specifically v11.40 and later), as well as WP Squared v136.1.7. Shodan data indicates approximately 1.5 million cPanel instances are exposed to the internet.
Mitigation: cPanel has released emergency patches. Until updated, administrators are urged to block inbound traffic on ports 2083, 2087, 2095, and 2096 at the firewall and restart the cpsrvd service. Simply closing ports may be insufficient due to alternative access mechanisms identified by security researchers.

As of May 1, 2026, a critical, actively exploited zero-day vulnerability in cPanel & WHM (CVE-2026-41940) dominates cybersecurity news, with reports indicating it has been exploited for months. The vulnerability, which carries a maximum CVSS score of 9.8, allows unauthenticated remote attackers to bypass login screens and gain full administrative (root) control over servers.

48-Hour News Summary: cPanel CVE-2026-41940

Active Exploitation: The bug was disclosed on April 28, 2026, but reports suggest malicious exploitation began as early as February 23, 2026.
Mass Impact: Roughly 1.5 million cPanel instances are exposed online, with millions of websites potentially affected.
Emergency Patches: cPanel released patches for all supported versions (11.40+) on April 28-29, 2026.
Industry Response: Major hosts like Namecheap, HostGator, and KnownHost quickly blocked port access (2083/2087) to apply patches.
Technical Details: The vulnerability is a Carriage Return Line Feed (CRLF) injection, allowing attackers to manipulate session files and elevate privileges.

10 Examples of Recent cPanel Hacking Incidents & Findings (Last 48 Hours)

	Example/Incident	Details
1	Root Takeover (Feb 23-April 28)	Hackers exploited the zero-day to gain root access without credentials over a 2-month period.
2	CRLF Injection Exploitation	Attackers used specifically crafted HTTP headers to inject malicious values into session files.
3	KnownHost Breach Attempts	CEO confirmed ~30 servers showed signs of unauthorized access attempts in late April.
4	Namecheap Port Blocking	Namecheap blocked port 2083/2087, disabling customer cPanel access to apply emergency patches.
5	PoC Exploit Release	Security firm watchTowr released technical details and a detection script, confirming the exploit path.
6	WP Squared Targeted	The bug affected WP Squared (WordPress hosting), prompting a specific update to v136.1.7.
7	CISA KEV Addition	CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog on April 30.
8	Session File Manipulation	Attackers bypassed auth by creating a dummy session file, then updating it to grant admin rights.
9	Rapid7 Analysis	Rapid7 confirmed the issue affects all supported cPanel versions after 11.40.
10	Shared Hosting Compromise	Potential for attackers to access all websites on a shared server, not just one account.

Recommendations for Administrators

Update Immediately: Run /scripts/upcp --force to apply emergency patches.
Check Logs: Review access logs for suspicious whostmgrsession cookie behavior.
Restart Service: Restart cpsrvd to finalize the security patch.

Disclaimer: This information is based on reports from security news sources and vendor advisories published around April 28-May 1, 2026.

How To Protect Your Website Against cPanel Hack

Immediate patching is the only definitive protection against CVE-2026-41940; update your cPanel & WHM to a patched version immediately using the command /scripts/upcp --force. Supported patched versions include 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, and 11.136.0.5. After updating, restart the cpsrvd service with /scripts/restartsrv_cpsrvd to ensure the new authentication logic is loaded.

If you cannot patch immediately, apply these temporary mitigations to block exploitation:

Firewall Rules: Block inbound traffic on TCP ports 2083, 2087, 2095, and 2096 at your firewall level.
Service Stop: Stop the cPanel and DAV services entirely using the commands: whmapi1 configureservice service=cpsrvd enabled=0 monitored=0 && whmapi1 configureservice service=cpdavd enabled=0 monitored=0 && /scripts/restartsrv_cpsrvd --stop && /scripts/restartsrv_cpdavd --stop.

You must also audit your server for compromise, as the vulnerability was exploited as a zero-day for at least 30 days prior to the patch.

Run the official cPanel detection script to check for indicators of compromise (IoCs) in session files.
Manually inspect /var/cpanel/sessions/raw/ for pre-auth sessions containing user=root, tfa_verified=1, or token_denied=1.
Purge all affected sessions by clearing the /var/cpanel/sessions directory and force password resets for root and all WHM users.

Note: We do use YouTube Video’s under the “Fair Use” Act under the Copyright Law:

“Fair use is a doctrine in the United States copyright law codified in Section 107 of the Copyright Act of 1976.¹ It provides for the legal, non-licensed citation or incorporation of copyrighted material in another author’s work without requiring permission from the rights holders, such as for commentary, criticism, news reporting, research, teaching or scholarship.⁰¹ The U.S. Copyright Office Fair Use Index should prove helpful in understanding what courts have to date considered to be fair or not fair but it is not a substitute for legal advice.²“