cPanel CVE-2026-41940: 64-Day Zero-Day, 44,000 Compromised IPs, and a Targeted Run at Southeast Asian Defence and MSPs
Introduction
Ctrl-Alt-Intel has linked an exposed attacker staging server to a focused exploitation campaign against governments, militaries, and MSPs across Southeast Asia and beyond, all riding on CVE-2026-41940 — a CVSS 9.8 authentication bypass in cPanel's cpsrvd daemon. Independent telemetry from Shadowserver put roughly 44,000 IP addresses participating in scanning and brute-force exploitation at the campaign's peak before falling back to ~3,540 by May 3 as patching propagated. The vulnerability had been live in the wild for about 64 days before cPanel published the fix on April 28, 2026.
What Happened
The bug lives in cPanel's session cookie verification. The whostmgrsession cookie carries an encrypted segment that the daemon decrypts to recover the authenticated identity. The validation logic only decrypts that segment when it is present; it does not require it. An attacker who omits the segment therefore never exercises the cipher at all and is accepted on the strength of the remaining, plaintext portion of an otherwise well-formed admin session cookie. The result is unauthenticated administrative access to WHM: reading accounts, resetting passwords, exfiltrating databases and home directories, and creating new privileged users. KnownHost CEO Daniel Pearson has confirmed in-the-wild exploitation traffic going back to February 23, 2026, about two months before cPanel published the advisory.
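To make the failure mode concrete, here is an added example (not cPanel's code, and not the PoC) that models the two validators side by side. The cookie layout `<user>:<sid>.<sealed>` and the HMAC-based sealing are assumptions standing in for cPanel's encrypted segment; the point it demonstrates is the page's: a verifier that only checks the protected segment when it happens to be present lets a cookie with no segment at all through.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical server-side secret; cPanel's real key material and cookie layout are not public here.
SERVER_KEY = secrets.token_bytes(32)


def _tag(payload: bytes) -> str:
    # HMAC stands in for the encryption/integrity step the real daemon performs (assumption).
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def mint_cookie(user: str, ttl: int = 3600) -> str:
    """Assumed layout: '<user>:<sid>.<sealed>' with sealed = hex(payload) + ':' + HMAC(payload).
    The sealed part is the only thing a server should ever trust."""
    sid = secrets.token_hex(8)
    payload = f"{user}|{sid}|{int(time.time()) + ttl}".encode()
    return f"{user}:{sid}.{payload.hex()}:{_tag(payload)}"


def _open_sealed(sealed: str):
    """Return (user, sid) from the sealed segment, or None if malformed, tampered or expired."""
    try:
        hexpayload, tag = sealed.split(":", 1)
        payload = bytes.fromhex(hexpayload)
    except ValueError:
        return None
    if not hmac.compare_digest(_tag(payload), tag):
        return None
    user, sid, exp = payload.decode().split("|")
    if int(exp) < time.time():
        return None
    return user, sid


def validate_vulnerable(cookie: str):
    """Models the flaw: the plaintext prefix names the identity, and the sealed segment is
    verified only when it is present. A cookie with no '.' never reaches the MAC/cipher."""
    head, _dot, sealed = cookie.partition(".")
    user = head.split(":", 1)[0]
    if sealed and _open_sealed(sealed) is None:
        return None
    return user


def validate_fixed(cookie: str):
    """Hardened: the sealed segment is mandatory and is the sole source of identity."""
    _head, dot, sealed = cookie.partition(".")
    if not dot or not sealed:
        return None
    opened = _open_sealed(sealed)
    return None if opened is None else opened[0]


if __name__ == "__main__":
    forged = "root:forged"          # what the PoC effectively sends: no protected segment
    print("vulnerable accepts forged cookie as:", validate_vulnerable(forged))
    print("fixed accepts forged cookie as:", validate_fixed(forged))
```

Note the second, quieter defect the vulnerable path has even when a segment is present: it still takes the identity from the plaintext prefix rather than from the sealed payload, so a valid `alice` segment glued behind a `root:` prefix would also be accepted as root. The fixed validator derives the user exclusively from what it verified.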
On May 2, 2026, Ctrl-Alt-Intel's hunters identified an exposed C2 / staging server tied to the campaign and pulled both the operator's victim list and prior loot. The targeting reads like a defence-and-MSP brief: the Philippine Coast Guard, the Philippine Air Force 15th Strike Wing, the Philippine Government Arsenal under the Department of National Defence, the Lao Ministry of National Defence, and the Lao Ministry of Natural Resources and Environment, alongside MSPs and hosting providers in the Philippines, Laos, Canada, South Africa, and the United States. The same actor had already exfiltrated about 4.37 GB of files (110 documents) from the China Railway Society Electrification Committee in March 2026 — months before the CVE went public.
Operationally, the campaign is mostly point-and-shoot: the threat actor used a publicly available proof-of-concept for CVE-2026-41940 against any cPanel server it could fingerprint, supplemented with a custom SQL-injection chain against an Indonesian defence-sector training portal. The mass-scanning footprint — 44,000 attacking IPs at peak — is almost certainly multiple actor groups piggy-backing on the same PoC, not one nation-state crew.
Why It Matters
cPanel runs a meaningful fraction of the world's shared web-hosting infrastructure. An auth bypass on cpsrvd is functionally root over every hosted account on every box that hasn't been patched. For MSPs and hosting providers, that puts the customer estate at risk simultaneously: a single compromised cPanel server lets an attacker pivot into hundreds of independent customer environments, copy databases, and plant webshells under any of those identities.
The 64-day exposure window is the part of this story that patching does not fix. Anyone who ran cPanel exposed between February 23 and the installation of a fixed build has to assume an unauthenticated attacker could log in as any administrator at any point in that window, and could do so without leaving a failed-login entry behind, because no credential was ever checked.
Who Is Affected
- All cPanel and WHM versions after 11.40 prior to the April 28, 2026 fix release for CVE-2026-41940; in practice every host that did not run automatic minor-version updates between late February and the first days of May 2026.
- MSPs and hosting providers who deploy cPanel for customers — a single compromised server is a customer-tenant breach across every account on it.
- Defence and government entities in the Philippines, Laos, and Indonesia named on the leaked Ctrl-Alt-Intel C2 dump, plus MSPs in Canada, South Africa, and the United States observed on the same victim list.
- By extension, every email mailbox, MySQL database, WordPress install, and SSH key that lived under a /home/<user>/ directory on a vulnerable cPanel host.
How to Protect Yourself
Patch immediately. cPanel's default upcp / yum-managed update path will pull in the fix once you confirm the server's update tier (WHM > Update Preferences, stored in /etc/cpupdate.conf) is actually set to receive releases rather than pinned to an old version or switched off:
# confirm the running version (must be a build released on or after 28 April 2026)
/usr/local/cpanel/cpanel -V
# force an upcp run that ignores the staged release schedule
/scripts/upcp --force
# verify after upgrade
/usr/local/cpanel/cpanel -V
# look for the dot-release that maps to the CVE-2026-41940 fix on your tier
Even after patching, treat any cPanel host that was reachable from the internet for any portion of February 23 onwards as potentially compromised. The minimum hunt list:
# webshells / suspicious PHP in account home directories, modified in the last 90 days
# (grep -P so the preg_replace /e modifier can be matched before a closing quote)
find /home -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.pht' -o -name '*.php[0-9]' \) -mtime -90 \
  -exec grep -lP 'eval\s*\(|base64_decode\s*\(|preg_replace\s*\([^,]*/[a-zA-Z]*e[a-zA-Z]*[\x27"]|passthru\s*\(|(assert|system|shell_exec)\s*\(\s*\$_' {} +
# accounts and resellers as WHM sees them, then UID-0 and shell-bearing system accounts
whmapi1 listaccts --output=jsonpretty
whmapi1 listresellers
awk -F: '$3 == 0 {print "UID0:", $0}' /etc/passwd
awk -F: '($3 < 1000 && $7 ~ /\/(ba|z|da)?sh$/) {print "SYSTEM+SHELL:", $0}' /etc/passwd
# unexpected SSH keys in root's and every cPanel user's home directory
for d in /root $(awk -F: '$6 ~ /^\/home\// {print $6}' /etc/passwd); do
  test -f "$d/.ssh/authorized_keys" && echo "=== $d ===" && cat "$d/.ssh/authorized_keys"
done
# recent additions to cron, including per-user crontabs in /var/spool/cron
find /etc/cron* /var/spool/cron -type f -mtime -90 -ls
Look for the specific exploitation pattern. The PoC strips a segment from whostmgrsession, so inbound WHM requests carrying a malformed or truncated session cookie are a high-confidence indicator. One caveat: a stock cpsrvd access_log records the request line, not request headers, so the cookie greps below only pay off where a reverse proxy, WAF or packet capture in front of WHM logged the Cookie header; on a bare host, login_log is the record to lean on:
# cpsrvd / WHM access log
zgrep -E 'whostmgrsession=[^;]+;' /usr/local/cpanel/logs/access_log* \
| awk '{print $1, $4, $7, $9}' | sort | uniq -c | sort -rn | head -50
# look for session strings that lack the expected dot-segments
zgrep -E 'whostmgrsession=[^.]+(;| )' /usr/local/cpanel/logs/access_log*
# new WHM (whostmgrd) sessions since 23 Feb from outside your management ranges
# (stock login_log layout "[date time tz] level [service] ip - user ..."; "NEW" marks session creation;
#  the address pattern is anchored to the source-IP field so 210.x.x.x is not swallowed by the 10. exclusion)
awk '$1 >= "[2026-02-23" && /\[whostmgrd\]/ && / NEW /' /usr/local/cpanel/logs/login_log \
  | grep -vE '\] [a-z]+ \[whostmgrd\] (10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
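When the hunt spans dozens of hosts, a one-line grep stops scaling and the IP exclusions get sloppy (a pattern like `/10\./` quietly drops 210.x.x.x and 110.x.x.x sources). The following is an added example, not code from the original article or from cPanel: a small triage script that parses login_log lines, keeps only whostmgrd session creations inside the exploitation window, and reports the ones from outside an explicit CIDR allow-list using proper address arithmetic. The login_log line layout and the sample lines are constructed assumptions; adjust LINE_RE if your hosts' format differs.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample of /usr/local/cpanel/logs/login_log lines (layout assumed, not copied from a real host).
SAMPLE_LOGIN_LOG = """\
[2026-02-20 09:12:01 +0000] info [whostmgrd] 10.0.0.5 - root "GET /login/?login_only=1 HTTP/1.1" NEW root:AbC123 create_user_session
[2026-02-25 03:44:19 +0000] info [whostmgrd] 203.0.113.77 - root "GET /login/?login_only=1 HTTP/1.1" NEW root:9fE2xq create_user_session
[2026-03-02 11:05:40 +0000] info [cpaneld] 198.51.100.9 - alice "GET /login/?login_only=1 HTTP/1.1" NEW alice:Qq81 create_user_session
[2026-03-02 11:06:02 +0000] info [whostmgrd] 198.51.100.9 - root "GET /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: root password hashes do not match
[2026-04-30 22:17:55 +0000] info [whostmgrd] 192.168.1.20 - root "GET /login/?login_only=1 HTTP/1.1" NEW root:Zz00 create_user_session
[2026-05-01 06:00:00 +0000] info [whostmgrd] 210.5.44.8 - root "GET /login/?login_only=1 HTTP/1.1" NEW root:Hh77 create_user_session
"""

# Assumed field order: [timestamp tz] level [service] source-ip - user "request" RESULT ...
LINE_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4})\] \w+ '
    r'\[(?P<svc>\w+)\] (?P<ip>\S+) - (?P<user>\S+) "[^"]*" (?P<result>NEW|FAILED LOGIN)'
)

# First day of confirmed in-the-wild exploitation per the article.
EXPLOIT_WINDOW_START = datetime(2026, 2, 23, tzinfo=timezone.utc)


def parse_line(line: str):
    """Parse one login_log line into a dict, or None if it does not match the assumed layout."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{m['ts']} {m['tz']}", "%Y-%m-%d %H:%M:%S %z")
    return {"ts": ts, "svc": m["svc"], "ip": m["ip"], "user": m["user"], "result": m["result"]}


def suspicious_whm_sessions(log_text: str, trusted_cidrs, start=EXPLOIT_WINDOW_START):
    """Return (iso-timestamp, ip, user) for every whostmgrd session created on/after `start`
    from an address outside `trusted_cidrs`. Failed logins and cpaneld (end-user) sessions are
    ignored: the bypass produces a *successful* WHM session with no failure to go with it."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["svc"] != "whostmgrd" or rec["result"] != "NEW":
            continue
        if rec["ts"] < start:
            continue
        ip = ipaddress.ip_address(rec["ip"])
        if any(ip in net for net in trusted):
            continue
        hits.append((rec["ts"].isoformat(), rec["ip"], rec["user"]))
    return hits


if __name__ == "__main__":
    # Real use: open("/usr/local/cpanel/logs/login_log").read() and your own management ranges.
    for ts, ip, user in suspicious_whm_sessions(SAMPLE_LOGIN_LOG, ["10.0.0.0/8", "192.168.0.0/16"]):
        print(f"REVIEW {ts} whostmgrd session for {user} from {ip}")
```

Two of the six constructed lines survive the filter: the 203.0.113.77 session on 25 February and the 210.5.44.8 session on 1 May. The second is exactly the case a naive `grep -v '10\.'` would have hidden.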
If you find anything credible (a webshell, an unfamiliar cron job, a whostmgrd session from an IP you cannot account for), escalate to incident response and rotate every secret on the host: cPanel admin passwords, every customer account password, any cached MySQL root credentials in /root/.my.cnf, every API token created via WHM, and the SSH keys on the box, host keys included.
For MSPs and hosting providers specifically, this is the moment to subscribe to Shadowserver's free daily IP report so you find out about exploitation noise hitting your address space within the day, not the quarter:
# Shadowserver free daily reports — register your ASN/IP ranges at
# https://www.shadowserver.org/what-we-do/network-reporting/
# the relevant feed for this campaign is "device-cpanel" + "honeypot-http-scan"
If you operate cPanel servers that do not need to be reachable from the public internet, put them behind a VPN or admin-VLAN ACL today. Mass exploitation of cPanel will not stop with this CVE, and an admin port reachable from anywhere on the planet is, structurally, a higher risk than the underlying software.
Source
- https://thehackernews.com/2026/05/critical-cpanel-vulnerability.html
- https://securityaffairs.com/191666/breaking-news/hackers-target-governments-and-msps-via-critical-cpanel-flaw-cve-2026-41940.html
- https://www.helpnetsecurity.com/2026/05/04/multiple-threat-actors-actively-exploit-cpanel-vulnerability-cve-2026-41940/
- https://webhosting.today/2026/05/04/cve-2026-41940-live-cpanel-authentication-bypass-active-exploitation-and-what-comes-next/