Critical cPanel Vulnerability CVE-2026-41940 Under Active Exploitation: Passwordless Root Access

On April 28, 2026, cPanel confirmed the release of a patch for CVE-2026-41940, a critical pre-authentication vulnerability with a CVSS score of 9.8. The flaw allows a remote attacker to establish a root session without providing credentials. While the vendor released updates within approximately 28 hours of confirming the bug, researchers have documented in-the-wild exploitation dating back to February. More than 2,000 malicious IP addresses remain active, targeting unpatched instances. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on May 1, 2026, highlighting the severe risk to providers and shared infrastructure.

Key Takeaways
  • The vulnerability exists in cpsrvd: during Basic authentication, a session management path fails to sanitize input, allowing CRLF sequences to be injected into a raw session file.
  • Subsequent re-parsing into a JSON cache promotes the injected lines to top-level keys, including the flag that bypasses password verification, resulting in a root session from zero credentials.
  • cPanel distributed updates on April 28, 2026, and reported that over 98% of servers were patched by May 10. However, researchers still observe over 2,000 malicious IPs actively scanning for the remaining vulnerable instances.
  • Analysts at QiAnXin XLab have linked a specific campaign to the threat actor "Mr_Rot13," who is exploiting the flaw to install the "Filemanager" backdoor; cPanel has not confirmed the identity of the actor or the specific backdoor.

Anatomy of the Bypass: CRLF Injection in the cpsrvd Session Manager

The root of the issue lies in the cpsrvd daemon, the core service for cPanel, WHM, and WP Squared. During the Basic authentication flow, the server writes session data to the disk via a path that lacks input sanitization. An attacker can inject \r\n sequences into the raw session file, effectively altering the internal structure of the document.

"Two separate code paths write to session files on disk: one path included an input-sanitisation step; a second path, invoked during Basic authentication handling, did not." — cPanel security advisory

When the session manager encounters a specific error condition—the "token denied" message—it re-parses the raw content into a JSON cache. During this conversion, the injected lines are promoted to top-level keys. Among these is the successful_internal_auth_with_timestamp flag, which tricks the system into believing internal credentials have already been verified. The password check is bypassed, the session is marked as authenticated, and because the session is issued by the cPanel/WHM service it frequently carries root privileges, leading to immediate Remote Code Execution (RCE).

The omission of a single sanitization function call in a secondary branch of the authentication code opened a massive security hole across thousands of shared servers.
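The write-path omission described above, modelled in an added toy example (this is not cpsrvd's code or on-disk format; the line-oriented layout, the expected key set and the sample record are constructed assumptions). It shows the hardened write path that rejects line terminators, the error-path re-parse that promotes every line to a top-level key, and a defensive audit that reports keys a legitimate record should never carry.

```python
import re

# Toy line-oriented session store and JSON-cache re-parse (constructed model,
# NOT cpsrvd's real on-disk format). Illustrates the pattern the advisory
# describes: a write path that omits line-terminator sanitisation.
_LINE_TERMINATORS = re.compile(r"[\r\n]")

# Keys a legitimate record carries in this toy model (assumption).
EXPECTED_KEYS = frozenset({"user", "created", "ip"})

# The flag the article names as the one promoted to a top-level key.
INTERNAL_AUTH_FLAG = "successful_internal_auth_with_timestamp"


def sanitize_field(value: str) -> str:
    """Hardened write path: refuse any key or value that could start a new line."""
    if _LINE_TERMINATORS.search(value):
        raise ValueError("line terminator in session field")
    return value


def serialize_session(fields: dict) -> str:
    """Serialize key=value lines, passing every key and value through sanitize_field."""
    return "".join(
        f"{sanitize_field(k)}={sanitize_field(v)}\n" for k, v in fields.items()
    )


def reparse_to_cache(raw: str) -> dict:
    """Model of the error-path re-parse: every 'k=v' line becomes a top-level key."""
    cache = {}
    for line in raw.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            cache[key.strip()] = value.strip()
    return cache


def audit_cache(cache: dict) -> list:
    """Defensive check: list top-level keys a legitimate record never carries."""
    return sorted(k for k in cache if k not in EXPECTED_KEYS)


# Constructed sample: a raw record where an unsanitised value smuggled in a line.
INJECTED_RAW = (
    "user=alice\r\n" + INTERNAL_AUTH_FLAG + "=1\n"
    "created=1714300000\nip=203.0.113.5\n"
)
```

Run `audit_cache(reparse_to_cache(INJECTED_RAW))` on the constructed record and the smuggled flag is reported, while `serialize_session` refuses to write such a value in the first place.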

Silent Exploitation: A Timeline from February to the April Patch

While public disclosure occurred in late April, evidence gathered by watchTowr Labs indicates that in-the-wild exploitation was already underway by February 2026. Researchers published a root cause analysis and a proof-of-concept, confirming that attacks preceded the availability of the official patch by several weeks.

cPanel responded with a rapid update cycle, making patches available roughly 28 hours after internal confirmation of the vulnerability. By May 10, 2026, the vendor stated that over 98% of cPanel and WHM servers had received the fix. However, the remaining 2%—in an ecosystem estimated at 1.5 million installations—represents a significant attack surface, often consisting of providers with disabled updates, legacy versions, or pinned repositories.

CISA's inclusion of CVE-2026-41940 in the KEV catalog on May 1, 2026, mandated immediate action for U.S. federal agencies and served as a formal warning regarding the severity of the active exploitation.

Filemanager and Mr_Rot13: Tracking Malicious Campaigns

Parallel to the technical analysis, QiAnXin XLab documented a specific campaign exploiting the vulnerability to deploy a backdoor named "Filemanager." Specialized reports attribute this payload to the threat actor "Mr_Rot13," noting that this campaign is part of a broader landscape of automated attacks.

The backdoor, written in Go, ensures persistence on compromised servers through additional SSH keys, webshells, and credential harvesting via injected login pages. cPanel’s official advisory does not mention Mr_Rot13 or the Filemanager backdoor, focusing instead on the root cause and update metrics. Consequently, it remains unclear if the XLab campaign represents the entirety of the exploitation or just one of many concurrent threats.

QiAnXin XLab estimates that more than 2,000 malicious IP addresses worldwide are currently involved in automated attacks against this vulnerability. The same source reported the theft of approximately 4.37 GB of sensitive data from government and military entities in Southeast Asia, though this figure has not been independently verified by primary vendor sources.

The Residual Risk: Why Patching Is Only the First Step

While the percentage of patched servers is high, the absolute number of unpatched instances remains concerning. Servers with disabled auto-updates, legacy environments, or third-party hosting configurations may remain exposed for weeks. cPanel recommends treating any instance not updated by April 28 as potentially compromised, even if there are no obvious signs of intrusion.

Persistence mechanisms introduced by attackers make remediation complex. Unauthorized SSH keys, webshells hidden in non-standard paths, and login page modifications for credential harvesting often survive the application of the security patch. Without a structured incident response, an updated server may remain under attacker control.

Required Mitigation and Remediation

  • Immediately apply the updates released on April 28, 2026. Ensure that WHM and WP Squared installations are included, as the bug resides in the shared cpsrvd daemon.
  • Treat any server unpatched as of April 28 as a high-risk asset. Conduct a full audit of authorized SSH keys, search for hidden webshells, and inspect login pages for anomalies indicative of credential harvesting.
  • Correlate pre-April access logs with Indicators of Compromise (IoCs) from independent threat intelligence, including the 2,000+ malicious IPs identified by QiAnXin XLab, to identify past exploitation attempts.
  • Remove configurations that block auto-updates and move away from legacy pinned versions that prevent the delivery of critical security fixes. Monitor Basic authentication paths for residual CRLF injection attempts.

The window between the silent exploitation in February and the April patch provided ample time for attackers to compromise shared servers. The vendor's rapid patch response does not negate the need for a thorough forensic review of any instance that lagged behind the update cycle.

Frequently Asked Questions

Does this vulnerability only affect cPanel?

No. The bug is located in the cpsrvd daemon, a component shared by WHM and WP Squared. Any platform using a vulnerable version of this session management service is exposed.

Is a server patched on April 29 considered secure?

The patch blocks the initial entry vector, but it does not remove payloads or unauthorized access points established before the update. If the server was exposed during the exploitation window, a full incident response is necessary.

How did a single session file lead to a total bypass?

The lack of sanitization in a specific branch of the Basic authentication code allowed for CRLF injection into a raw session file. When the system later re-parsed this file as JSON, the injected lines were elevated to top-level parameters—including the flag marking the session as internally authenticated—effectively bypassing all password requirements.

Information has been verified against cited sources and is current as of the time of publication.