cPanel Issues Critical Patches as Zero-Day Exploitation Targets WHM with Mirai and Ransomware
cPanel has released security updates for three new WHM vulnerabilities while confirming that a critical authentication bypass (CVE-2026-41940) was weaponized a…

On May 9, 2026, cPanel released urgent security updates for cPanel & WHM to address three new vulnerabilities, two of which carry CVSS scores of 8.8. Simultaneously, the vendor confirmed that a critical authentication bypass discovered in April, tracked as CVE-2026-41940, has been actively exploited as a zero-day to distribute Mirai botnet variants and a ransomware strain known as "Sorry." These patches arrive amid a period of high operational stress; major global hosting providers had previously resorted to blocking TCP ports 2083 and 2087 to mitigate the threat, effectively locking thousands of administrators out of their control panels. Because a WHM compromise grants root-level access, the flaw represents a total multi-tenant breach for shared hosting environments. For providers and administrators running cPanel/WHM, immediate updates and a thorough audit for indicators of compromise (IoC) related to CVE-2026-41940 are now critical priorities.
- cPanel has patched three new vulnerabilities (CVE-2026-29201, CVE-2026-29202, CVE-2026-29203) with CVSS scores reaching 8.8, though no active exploitation has been reported for these specific flaws.
- The CVE-2026-41940 authentication bypass (CVSS 9.8) was exploited as a zero-day to deploy Mirai and "Sorry" ransomware, leading CISA to add it to the Known Exploited Vulnerabilities (KEV) catalog.
- The attack vector utilizes CRLF injection in the 'Authorization: Basic' header to manipulate session files in the cpsrvd daemon, allowing attackers to inject 'user=root' and bypass authentication.
- WHM compromise is not limited to a single site; it provides root access to all hosted accounts, posing a severe risk of multi-tenant data theft, defacement, and lateral movement into client networks.
CRLF Injection: How a Malicious Header Grants Root Access
The vulnerability tracked as CVE-2026-41940 does not rely on a complex exploit chain but rather on a fundamental failure to sanitize the Authorization: Basic header. By sending malicious \r\n sequences within the header, an attacker can inject arbitrary properties into the session file generated by the cpsrvd daemon. Because the system writes this file without sanitization, attackers can insert directives such as user=root, effectively bypassing authentication and establishing a valid administrative session.
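To make the failure class concrete, here is an added toy model (written for this article, not cPanel's or cpsrvd's code) of a line-oriented key=value session store: the naive writer that lets a value carrying a newline become an extra property, the hardened writer that refuses control characters, and a defender-side audit over a stored record. The layout and field names are assumptions.

```python
"""Toy model of CRLF line injection into a key=value session store.
Hypothetical simplification for this article, not cpsrvd's code; the
line-oriented layout and the field names are assumptions."""
import re

CONTROL_CHARS = re.compile(r"[\r\n\x00]")

def write_session_naive(fields: dict) -> str:
    """Vulnerable pattern: values are written verbatim, so a value that
    carries a newline becomes an extra, attacker-chosen property."""
    return "".join(f"{k}={v}\n" for k, v in fields.items())

def write_session_safe(fields: dict) -> str:
    """Hardened pattern: refuse CR, LF or NUL in any key or value, so one
    input field can never turn into two records."""
    for k, v in fields.items():
        if CONTROL_CHARS.search(str(k)) or CONTROL_CHARS.search(str(v)):
            raise ValueError(f"control character in session field {k!r}")
    return write_session_naive(fields)

def parse_session(text: str) -> dict:
    """Line-oriented reader with last-key-wins semantics; this is what
    lets a trailing injected 'user=' line override the real user."""
    session = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            session[key] = value
    return session

def audit_session(text: str) -> list:
    """Defender check over an on-disk record: a key that occurs more than
    once is a signature of line injection, and a 'user' field rewritten
    to root is the concrete outcome to alert on."""
    counts = {}
    for line in text.splitlines():
        key, sep, _ = line.partition("=")
        if sep:
            counts[key] = counts.get(key, 0) + 1
    findings = [f"duplicate key {k!r} x{n}" for k, n in counts.items() if n > 1]
    if counts.get("user", 0) > 1 and parse_session(text).get("user") == "root":
        findings.append("user field overridden to root")
    return findings

# Constructed sample: a username field that smuggles a second line.
INJECTED_USER = "alice\nuser=root"
```

The same audit idea applies to any record format where one untrusted field is serialized on its own line: count keys per record and alert on duplicates rather than trusting the parsed result.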
Once WHM is compromised, the attacker gains root privileges over the entire physical or virtual machine. This is not a localized breach of a single domain; it is a multi-tenant compromise that exposes every hosted account, database, email, and DNS configuration managed by the server. Security firm Hadrian, cited by The Hacker News, emphasized this distinction: the breach does not target a customer’s site, but rather the system that governs hundreds or thousands of them.
"Compromise of cPanel is materially different from the compromise of a single customer website. WHM grants root administrative access to the server."
Mirai and 'Sorry': The April Zero-Day as a Multi-Stage Attack Vector
cPanel has confirmed that CVE-2026-41940 was weaponized as a zero-day by threat actors to deploy variants of the Mirai botnet and a ransomware family dubbed "Sorry." The attack leverages the authentication bypass to install multiple payloads, turning shared infrastructure into both a coordination hub for botnets and a tool for encrypting end-user data.
It remains unclear whether the "Sorry" ransomware has caused widely documented public incidents or whether the name stems from a specific sample analyzed by security researchers. Regardless, CISA deemed the threat urgent enough to add the vulnerability to its KEV catalog, mandating that federal agencies apply patches by May 3, 2026. While the official start date of the exploitation remains unconfirmed, unofficial reports via The Hacker News suggest malicious activity was detectable at least 30 days prior to April 29, 2026.
Connectivity Crisis: Why Global Port Blocks Paralyzed Shared Hosting
In the immediate aftermath of the April disclosure, major global providers like Namecheap reacted by blocking TCP ports 2083 and 2087, the default ports for cPanel and WHM over HTTPS. While intended as a temporary mitigation before a full patch was available, the move effectively isolated thousands of system administrators from their own management interfaces. Benjamin Harris, CEO of watchTowr Labs, described the fallout: "Within hours of the advisory dropping, nearly every major hosting provider on the planet had firewalled their own customers off their own product."
This episode highlighted the inherent vulnerability of the shared hosting supply chain. When infrastructure control software suffers an authentication flaw with a CVSS score of 9.8, providers lack granular safety valves and are often forced to choose between leaving millions of sites exposed or disconnecting their customers entirely. Eye Security estimated that over 2 million cPanel instances are exposed to the internet, with an unknown number having automatic updates disabled.
The May Patch Cycle: New CVEs and Legacy Support
In addition to confirming the zero-day exploitation, cPanel's May 9, 2026, release addressed three new vulnerabilities. CVE-2026-29202 allows arbitrary Perl code execution (CVSS 8.8), CVE-2026-29203 involves unsafe symlink handling that could lead to arbitrary chmod on system files (CVSS 8.8), and CVE-2026-29201 allows arbitrary file reads (CVSS 4.3). At the time of the advisory, there was no evidence that these three flaws had been exploited in the wild.
The technical core of these new patches involves critical components: the create_user API for Perl execution, the adminbin LOADFEATUREFILE for file reads, and symlink management for system permission modifications. Even without active exploitation, these flaws could facilitate persistence and local privilege escalation in an already compromised environment. It has not been confirmed whether these vulnerabilities were discovered during the investigation into CVE-2026-41940 or via independent research.
For servers still running on legacy platforms like CentOS 6 or CloudLinux 6, cPanel made version 110.0.114 available as a direct update, extending support beyond standard lifecycles. This decision reflects the vendor's awareness that the legacy install base remains significant and that leaving even a small percentage of instances unpatched creates massive security gaps across the internet.
Recommended Mitigation and Response
- Immediately apply the May 2026 updates for cPanel & WHM, ensuring systems reach the versions specified in the official advisory. Legacy CentOS 6 or CloudLinux 6 systems should be updated to version 110.0.114.
- Execute the IoC script provided by cPanel, ioc_checksessions_files.sh, to detect compromised sessions linked to CVE-2026-41940 and identify unauthorized access that may have occurred prior to patching.
- Audit access logs for ports 2083 and 2087 for the period leading up to April 29, 2026, as exploitation may have been active for 30 days prior to that date.
- Isolate any servers showing signs of compromise, reset all administrative credentials, and verify the integrity of system files, symlinks, and user accounts to rule out backdoors or permission changes introduced via CVE-2026-29203.
The cPanel crisis of May 2026 serves as a critical test for the resilience of the shared hosting model. When the control panel itself becomes the point of failure, the security of millions of websites hinges on a vendor's ability to fix a single line of code. For industry operators, the lesson is clear: administrative segmentation and redundant control systems are no longer optional—they are prerequisites for securing an infrastructure that manages over 70 million domains.
Frequently Asked Questions
Are the three new vulnerabilities patched in May related to the CVE-2026-41940 zero-day?
It has not been confirmed whether CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203 were discovered during the zero-day investigation or are independent issues. cPanel did not specify a causal link in its May 9, 2026, advisory.
Why is a WHM compromise more dangerous than an attack on a single website?
WHM provides root access to the physical or virtual server. An attacker with this level of access can read, modify, or delete all hosted accounts, access multi-tenant databases, install persistent backdoors, and move laterally into client networks.
Can administrators on CentOS 6 or CloudLinux 6 still protect their servers?
Yes. cPanel released version 110.0.114 as a targeted update for these legacy platforms, allowing administrators to apply critical security fixes despite the platforms being outside standard support cycles.
Information verified against cited sources and current as of the date of publication.
Sources
- https://thehackernews.com/2026/05/cpanel-whm-patch-3-new-vulnerabilities.html
- https://thehackernews.com/2026/04/critical-cpanel-authentication.html
- https://docs.cpanel.net/release-notes/release-notes/
- https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/
- https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026