Active KEV: CVE-2026-41940 (2026-05-17)

CVE-2026-41940: cPanel & WHM Authentication Bypass Under Active Ransomware Exploitation

A critical authentication bypass in WebPros cPanel & WHM and WP2 (WordPress Squared) lets unauthenticated remote attackers walk straight into the control panel, and CISA has confirmed active use in ransomware campaigns.

What Is It

CVE-2026-41940 is a missing-authentication-for-critical-function flaw (CWE-306) in the login flow of cPanel & WHM and WP2 (WordPress Squared). An unauthenticated remote attacker can bypass the login mechanism and gain unauthorized access to the control panel: no credentials, no user interaction, and no prior access are required. NVD rates it CVSS v3.1 9.8 Critical (AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H) and CVSS v4.0 9.3.

Why It Matters

cPanel and WHM are the dominant control panels for shared hosting and reseller environments worldwide, so a single working exploit gives attackers a path to every customer site on a compromised server, often thousands per host. CISA added the bug to its Known Exploited Vulnerabilities catalog on 2026-04-30 and flagged it as "Known to be used in ransomware campaigns". Reporting referenced in the source material ties exploitation to the "Sorry" ransomware operation and describes mass exploitation across the internet.

What's Vulnerable

Per NVD, the flaw affects cPanel and WHM versions after 11.40, across every actively supported branch. Fixed builds are:

Anything earlier in each branch is vulnerable. WP2 (WordPress Squared) is also affected; refer to the WP2 changelog for the fixed build.
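The rule "anything earlier in each branch is vulnerable" is easy to get wrong when comparing version strings by eye across a fleet, because a build on a newer branch can have a numerically smaller build number than the fixed build of an older branch. The script below is an added example for this brief, not code from WebPros, CISA or NVD. It assumes the installed build can be read from the plain-text file /usr/local/cpanel/version (for example 11.110.0.28) and that a branch is identified by the first two version components (11.110). The fixed-build table inside it is a constructed placeholder with made-up numbers; replace it with the per-branch fixed builds from the vendor's 2026-04-28 security update before relying on the result.

```python
"""Branch-aware check of an installed cPanel & WHM build against per-branch fixed builds.

Added example; the fixed-build table is a constructed placeholder, not the real values.
"""
import re
from typing import Dict, Optional, Tuple

# Assumption: cPanel hosts keep the installed build in this plain-text file.
VERSION_FILE = "/usr/local/cpanel/version"


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a dotted version such as '11.110.0.28' (whitespace tolerated) into ints."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unrecognised cPanel version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def branch_of(version: Tuple[int, ...]) -> str:
    """Assumption: a cPanel branch is the first two components, e.g. '11.110'."""
    if len(version) < 2:
        raise ValueError("version needs at least major.minor")
    return f"{version[0]}.{version[1]}"


def assess(installed: str, fixed_builds: Dict[str, str]) -> Tuple[str, str]:
    """Compare an installed build with the fixed build of its own branch.

    Returns (status, detail) where status is:
      'fixed'      - installed build is at or above its branch's fixed build
      'vulnerable' - installed build is below its branch's fixed build
      'unknown'    - branch absent from the table (EOL branch or typo); treat as vulnerable
    Shorter tuples are zero-padded so '11.110.0' compares equal to '11.110.0.0'.
    """
    inst = parse_version(installed)
    br = branch_of(inst)
    if br not in fixed_builds:
        return "unknown", f"branch {br} is not in the fixed-build table; treat as vulnerable until confirmed"
    fix = parse_version(fixed_builds[br])
    if branch_of(fix) != br:
        raise ValueError(f"fixed build {fixed_builds[br]} is not on branch {br}")
    width = max(len(inst), len(fix))
    inst_p = inst + (0,) * (width - len(inst))
    fix_p = fix + (0,) * (width - len(fix))
    if inst_p >= fix_p:
        return "fixed", f"{installed} >= {fixed_builds[br]} on branch {br}"
    return "vulnerable", f"{installed} < {fixed_builds[br]} on branch {br}"


def read_installed_version(path: str = VERSION_FILE) -> Optional[str]:
    """Read the installed build from disk; None if the file is missing or unreadable."""
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read().strip()
    except OSError:
        return None


# Constructed placeholder table: these are NOT the real fixed builds for CVE-2026-41940.
# Fill in one entry per supported branch from the vendor's security update.
EXAMPLE_FIXED_BUILDS: Dict[str, str] = {
    "11.110": "11.110.0.99",
    "11.126": "11.126.0.50",
}


if __name__ == "__main__":
    installed = read_installed_version()
    if installed is None:
        print(f"could not read {VERSION_FILE}; run on a cPanel host or pass a version to assess()")
    else:
        status, detail = assess(installed, EXAMPLE_FIXED_BUILDS)
        print(f"{status}: {detail}")
```

Run it on each host, or feed it a list of versions gathered by your inventory tool, and page on anything that is not `fixed`. An `unknown` result is deliberately not treated as safe: a branch missing from the vendor's fixed-build list is most likely out of support and has no fix at all.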

Patch Status

WebPros shipped fixes in the cPanel & WHM Security Update dated 2026-04-28. CISA's required action: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. The federal due date of 2026-05-03 has already passed, so this is an immediate patch priority for any operator still on a vulnerable build. Because the bypass needs no credentials and was exploited before many operators patched, a late upgrade should be followed by a review of control-panel access logs and accounts for the exposure window, not treated as the end of the incident. WP2 users should upgrade per the WP2 changelog (entry #13617).

Sources