cPanel/WHM: Unauthorized access to web server configuration tool possible
A critical vulnerability threatens cPanel and WebHost Manager. Patched versions are available for download.
Attackers can exploit a vulnerability rated "critical" in the cPanel and WebHost Manager (WHM) web server administration software to gain unauthorized access. The vendor has so far not reported any attacks exploiting it. Admins should nevertheless install the security update promptly.
The Danger
According to the vulnerability description (CVE-2026-41940), remote attackers can bypass authentication by an unspecified method and reach the control panel. What they can do once inside is currently still unclear.
In its advisory, the vendor states that all versions from 11.40 onward are affected and assures that the problem is fixed in the following cPanel/WHM versions:
- 11.86.0.41
- 11.110.0.97
- 11.118.0.63
- 11.126.0.54
- 11.130.0.19
- 11.132.0.29
- 11.134.0.20
- 11.136.0.5
- WP Squared version 136.1.7
Protecting Instances
The command /scripts/upcp --force initiates an update; /usr/local/cpanel/cpanel -V shows the installed version, so admins can confirm afterwards that one of the fixed builds listed above is in place. The update must be followed by a restart of cpsrvd via /scripts/restartsrv_cpsrvd.
If admins cannot install the security patch immediately, they should apply a temporary workaround: either block ports 2083, 2087, 2095, and 2096 at the firewall (and the plaintext counterparts 2082 and 2086, which cpsrvd also serves by default unless they have been disabled), or stop the cpsrvd and cpdavd services with the command whmapi1 configureservice service=cpsrvd enabled=0 monitored=0 && whmapi1 configureservice service=cpdavd enabled=0 monitored=0 && /scripts/restartsrv_cpsrvd --stop && /scripts/restartsrv_cpdavd --stop. Either measure takes WHM, cPanel and Webmail offline for legitimate users as well, so it is a stopgap until the update is installed.
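As an added example, not code from the advisory or from cPanel's own tooling, the following POSIX shell script takes the version string that /usr/local/cpanel/cpanel -V prints, compares it against the fixed builds listed above, and prints the matching next step from the procedure above (update, or workaround for a branch with no fixed build). The fixed builds are copied from the list above; the function names, the status words, and the constructed sample version strings are this example's own, and WP Squared's separate version scheme is not covered.

```shell
#!/bin/sh
# Added example (not from the advisory or from cPanel): classify an installed
# cPanel/WHM version against the fixed builds listed in the advisory and print
# the matching next step. Function names and status words are this example's own.
set -u

# Fixed builds per release branch (the second version field), from the advisory.
FIXED_BUILDS="86:11.86.0.41 110:11.110.0.97 118:11.118.0.63 126:11.126.0.54
130:11.130.0.19 132:11.132.0.29 134:11.134.0.20 136:11.136.0.5"

# version_field VERSION N: print the N-th dot-separated field (empty if absent).
version_field() {
    printf '%s\n' "$1" | cut -d. -f"$2"
}

# version_cmp A B: compare two four-field versions numerically; prints lt, eq or gt.
version_cmp() {
    i=1
    while [ "$i" -le 4 ]; do
        a=$(version_field "$1" "$i"); b=$(version_field "$2" "$i")
        a=${a:-0}; b=${b:-0}
        if [ "$a" -lt "$b" ]; then echo lt; return 0; fi
        if [ "$a" -gt "$b" ]; then echo gt; return 0; fi
        i=$((i + 1))
    done
    echo eq
}

# cpanel_patch_status VERSION: prints patched, vulnerable, unsupported or invalid.
# "unsupported" means an 11.x branch for which the advisory lists no fixed build,
# so the only options are upgrading to a supported branch or the workaround.
cpanel_patch_status() {
    ver=$1
    if ! printf '%s\n' "$ver" | grep -Eq '^11\.[0-9]+\.[0-9]+\.[0-9]+$'; then
        echo invalid
        return 0
    fi
    branch=$(version_field "$ver" 2)
    for pair in $FIXED_BUILDS; do
        if [ "${pair%%:*}" = "$branch" ]; then
            case $(version_cmp "$ver" "${pair#*:}") in
                lt) echo vulnerable ;;
                *)  echo patched ;;
            esac
            return 0
        fi
    done
    echo unsupported
}

# next_step STATUS: the advisory's own commands for each outcome (printed, not run).
next_step() {
    case $1 in
        patched)     echo "no action needed; run the vendor's detection script if the host was exposed" ;;
        vulnerable)  echo "run /scripts/upcp --force, then /scripts/restartsrv_cpsrvd" ;;
        unsupported) echo "no fixed build for this branch: upgrade, or stop cpsrvd/cpdavd or block 2083/2087/2095/2096 until you can" ;;
        *)           echo "could not parse the version string" ;;
    esac
}

# Stand-alone use: check the live install when the cPanel binary is present,
# otherwise walk through a few constructed version strings.
if [ -x /usr/local/cpanel/cpanel ]; then
    live=$(/usr/local/cpanel/cpanel -V 2>/dev/null | grep -Eo '11\.[0-9]+\.[0-9]+\.[0-9]+' | head -n 1)
    status=$(cpanel_patch_status "$live")
    echo "installed ${live:-?}: $status -> $(next_step "$status")"
else
    for v in 11.110.0.96 11.110.0.97 11.136.0.5 11.134.0.19 11.84.0.10; do
        status=$(cpanel_patch_status "$v")
        echo "$v: $status -> $(next_step "$status")"
    done
fi
```

Run it with sh on the cPanel host after the update to confirm the installed build is at or above the fixed one for its branch; the comparison is per branch, so a newer branch with an older build number (for example 11.134.0.19) is still reported as vulnerable rather than being waved through because "134 is bigger than 110".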
In the advisory, the vendor also provides a script that admins can use to detect instances that have already been attacked.
Last August, the vendor also closed security vulnerabilities in cPanel that were rated high risk.
(des)