Managed Servers (KVM VPS)

cPanel (WHM): root exploit patched [CVE-2026-41940]

Addendum

Please note that cPanel had at least 2 defects in the security updates released yesterday.

  • 1st flaw resulted in the update not applying to machines at all, despite following instructions
  • 2nd flaw resulted in the update not applying until the cpsrvd daemon was restarted manually

Our concerns had already negated the 2nd, and while we were assured the 1st was not true, it has now been confirmed that it is, so we have gone further and ensured that the patch has been forcefully applied (again) to the handful of machines.

Sadly, it seems that cPanel are not being truthful, as evidence is surfacing of machines compromised 1-5 weeks ago despite them holding firm on it being a 2-day problem only. They have deleted their Security web page entirely, and are silently updating their public advice multiple times without notifying anyone of the same.

Addendum

Watchtowr Labs have released their proof-of-concept against this vulnerability, and it’s incredibly simple.

https://github.com/watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py/

Here is the rough sequence followed: a CRLF injection combined with do_token_denied gets a bogus root session into the cache, and from there you have total access to a vulnerable machine… which also makes it easy to graduate to SSH.

For our technical clients, please see below; this is also available at the Watchtowr Labs repository above:

[0] hostname = 
[1] minting a preauth session...
    session base = :vQ2WC5Bexp0oFSa7
[2] sending the CRLF injection (Basic auth + no-ob cookie)...
    HTTP 307, leaked token = /cpsess5691070609
[3] firing do_token_denied to propagate raw -> cache...
    HTTP 401, gadget fired
[4] verifying we're WHM root...
    /json-api/version -> HTTP 200  {"version":"11.110.0.89"}

We know they’ve been internally battling decades-old legacy problems without much clue how to handle them, especially now that a large percentage of their Product and Engineering staff have been fired or moved on.

Suffice it to say we’re beyond relieved to have taken strides to migrate away to a better system (DirectAdmin)!

Addendum

The issue has been raised as CVE-2026-41940 and covers all versions from v40 (2013) through v136 (2026), although so far v40 (2013) through v98 (2021) remain unpatched and just as vulnerable to the exploit. cPanel have this morning emailed customers just after 6am Sydney time - their very first proper communication.

  • Issue now confirmed to cover 13+ years of cPanel
  • Exploit scope now also spread to cover DNSONLY
  • Mitigation now requires patch & a service restart
  • https://nvd.nist.gov/vuln/detail/CVE-2026-41940
  • Email sent ~18 hours after the patch was released

It seems they have finally opened their eyes to needing to back-port this even further:

“We are currently working on finding paths to get a patch to versions not included above, especially for versions that have higher quantities of servers.”

Note that this relates to CWE-306 “Missing Authentication for Critical Function”, implying that almost no effort is needed to access the root user. cPanel v40 was a large update in 2013, adding IPv6 and better management of updates.

As of 2 hours ago, they have also advised that updating servers to a patched version will not on its own fix the exploit; cpsrvd must also be restarted as a service, else the already-running binary will continue to be the hackable version.
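The restart requirement can be verified rather than assumed. The following is an added example (not from the advisory, cPanel, or watchTowr Labs) that reads /proc to compare each running process's start time with its binary's modification time, so a patched cpsrvd whose old process is still running shows up as STALE; the path /usr/local/cpanel/cpsrvd is an assumption about a standard install.

```shell
#!/bin/sh
# Added example: check that a daemon was really restarted after its binary
# was updated, by comparing each process's start time with the binary mtime.
# Linux-only (needs /proc and GNU/busybox stat). The cpsrvd path at the
# bottom is an assumption about a standard cPanel install; adjust as needed.

# Epoch seconds at which PID $1 started: field 22 of /proc/<pid>/stat is the
# start time in clock ticks since boot; add the kernel boot time (btime).
proc_start_epoch() {
  btime=$(awk '/^btime/ {print $2}' /proc/stat)
  hz=$(getconf CLK_TCK 2>/dev/null || echo 100)
  # The comm field is wrapped in parentheses and may contain spaces, so
  # strip everything up to the closing ')' before counting fields.
  ticks=$(sed 's/^.*) //' "/proc/$1/stat" | awk '{print $20}')
  echo $(( btime + ticks / hz ))
}

# Usage: daemon_restarted_after_update <comm-name> <binary-path>
# Prints one line per matching process; returns 1 if any process started
# before the binary was last modified (old code still running), 2 if the
# binary is missing, 3 if no process with that name is running.
daemon_restarted_after_update() {
  name=$1; bin=$2
  bin_mtime=$(stat -c %Y "$bin") || return 2
  rc=0; found=0
  for d in /proc/[0-9]*; do
    [ "$(cat "$d/comm" 2>/dev/null)" = "$name" ] || continue
    found=1
    pid=${d#/proc/}
    started=$(proc_start_epoch "$pid")
    if [ "$started" -lt "$bin_mtime" ]; then
      echo "STALE  pid=$pid started=$started binary_mtime=$bin_mtime"
      rc=1
    else
      echo "OK     pid=$pid started=$started binary_mtime=$bin_mtime"
    fi
  done
  [ "$found" -eq 1 ] || { echo "no process named '$name' found"; return 3; }
  return $rc
}

# On a cPanel host (path assumed): exit status 1 means a restart is needed.
# daemon_restarted_after_update cpsrvd /usr/local/cpanel/cpsrvd
```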

We have not received a response about when and why they deleted their Security CVE/TSR web page entirely.

Addendum

Please note that, reading between the lines and going off the limited info they have released and other things going on with regard to attacks against cPanel+WHM, it seems that this may have been known to them for 1+ month, and the exploit available in the code-base since at least the 2000s - “almost all known cPanel versions” (KH).

Synergy Wholesale have had an active incident since the 20th of March 2026, so 5+ weeks now, in which they have disabled the /cpanel, /whm, /webmail etc. proxy-routing “folder shortcuts” due to on-going attacks. We know that they are mostly exposed due to remaining on EOL CloudLinux v7 (Synergy, not Merlot), which limits the cPanel version to v110; they’ve been waiting for a fix to be back-ported and, in the interim, disabled the routing.

However, Namecheap reported the 0-day side of this on the 28th of April 2026, and firewall-blocked ports 2083 and 2087 immediately, with a fix coming through just 3 hours later. What’s especially interesting is that they’re not talking about the /cpanel etc. proxy entry points for authentication. At the time of this addendum, the cPanel Product Team still have not sent out their official communication to customers about the vulnerability.

It seems almost certain the two are related, and that the lag on the “nuisance attacks” allowed others to find the broader impact/surface of the flaw. We know that the flaw goes back decades in cPanel’s code.

As cPanel runs millions of websites globally, and a large number of servers run pre-v110 installations which WebPros have so far chosen not to patch despite their seemingly being equally vulnerable, it’s quite bleak.

Information

G’day,

Please note this advisory only applies to clients who still remain on cPanel+WHM. For your information:

A zero-day exploit allowing total control via WHM as the root user has been silently patched by cPanel.

We have patched the handful of servers where clients remain on cPanel+WHM, and appreciate that those clients are making strides towards DirectAdmin (due mostly to cPanel insecurity) as quickly as they’re able to.

The 0-day relates to WHM session loading and saving being problematic to the extent of allowing a total server takeover; their case (reference CPANEL-52908) has been patched in all versions from v110 (2023 initial release) to v136 (2026 initial release), with no further info released whatsoever by WebPros, nor any direct communication.

  • Support article states the flaw is “relating to various authentication paths” - Their support article here
  • Changelog entry states: “[Security] CPANEL-52908: Fix issue with session loading & saving” - C’LOG v136
  • WebPros do not leverage CVEs and the cPanel TSR (Targeted Security Release) page has been deleted, which aligns with there having been no direct communication to cPanel Partners as of the time of our advisory.

This has no relevance to the majority of our clients who are now happily running on DirectAdmin (DA). :-)

Cheers,
Merlot Digital

The Network Crew Pty Ltd (TNC)

Network: AS138521