If you’re running cPanel/WHM and haven’t patched yet, stop what you’re doing.
We’ve just finished assisting with a restoration on a server that was hit by this (not one of our boxes) - and it’s as bad as it sounds. Full root-level compromise, web shells dropped, the works.
Quick summary for those who haven’t seen it yet: CVE-2026-41940 is a pre-authentication CRLF injection in cpsrvd that lets an attacker inject arbitrary properties into a session file before any credential check occurs - effectively granting themselves root WHM access with a single crafted HTTP request. CVSS 9.8, no privileges required, no user interaction, remotely exploitable. A public PoC has been out since April 29 and Shadowserver was seeing ~44K IPs actively scanning within 24 hours of disclosure. CISA added it to the KEV catalog same day.
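To make the bug class concrete, here is an added toy illustration (not cpsrvd's code and not the real exploit): a constructed line-oriented `key=value` session writer that copies one request-supplied field verbatim, so a CR/LF in that field spawns an extra record that the parser honours, beside a hardened writer that refuses control characters, plus a simple check for raw or percent-encoded CR/LF in a request line. The file format, property names and function names are all assumptions made for this example.

```python
"""Toy CRLF-injection demo: vulnerable vs hardened session writer.

Added example. The session format ("key=value" per line), the
property names and every function here are constructed assumptions;
none of it is cPanel/cpsrvd code.
"""
import re

_CTRL = re.compile(r"[\r\n]")
# Raw CR/LF or their percent-encoded forms (%0D / %0A, any case).
_REQ_CRLF = re.compile(r"%0[dDaA]|[\r\n]")


def serialize_session_unsafe(props: dict) -> str:
    """Vulnerable: values are written verbatim, so a value that contains a
    newline ends its own line and starts a new key=value record."""
    return "".join(f"{k}={v}\n" for k, v in props.items())


def serialize_session_safe(props: dict) -> str:
    """Hardened: reject CR/LF in keys and values before anything is written,
    so request-controlled input can never create extra records."""
    for k, v in props.items():
        if _CTRL.search(str(k)) or _CTRL.search(str(v)):
            raise ValueError(f"control character in session property {k!r}")
    return "".join(f"{k}={v}\n" for k, v in props.items())


def parse_session(text: str) -> dict:
    """Read the file back the way a naive consumer would: one record per
    line, split on the first '=', later records overriding earlier ones."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            out[k] = v
    return out


def build_session(user_supplied_value: str, safe: bool) -> dict:
    """Write a pre-auth session (constructed fields) in which one field is
    taken straight from the request, then parse it back.  With safe=False an
    injected line can override 'privilege'; with safe=True it is rejected."""
    props = {"user": "guest", "privilege": "none", "ua": user_supplied_value}
    writer = serialize_session_safe if safe else serialize_session_unsafe
    return parse_session(writer(props))


def request_has_crlf(request_line: str) -> bool:
    """Detection helper for access-log review: flag a request line that
    carries a raw or percent-encoded CR/LF anywhere in its target."""
    return _REQ_CRLF.search(request_line) is not None


if __name__ == "__main__":
    benign = "Mozilla/5.0"
    # Constructed attacker-style value: a newline followed by a new record.
    hostile = "x\nprivilege=root"
    print("unsafe, benign  ->", build_session(benign, safe=False))
    print("unsafe, hostile ->", build_session(hostile, safe=False))
    try:
        build_session(hostile, safe=True)
    except ValueError as exc:
        print("safe, hostile   -> rejected:", exc)
    print(request_has_crlf("GET /cgi?a=1%0D%0Ab=2 HTTP/1.1"))  # True
```

The fix is deliberately a reject rather than a strip: silently stripping CR/LF still lets the rest of the injected text through and hides the attempt from logs, whereas refusing the write both blocks the record and gives you an event to alert on.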
Affects all cPanel/WHM versions after v11.40. Patches dropped April 28 - update to your track’s fixed version and restart cpsrvd.
If you patched after the vulnerability was already being exploited (in the wild since at least February 23), treat the server as compromised and investigate - don’t just patch and move on.
We’ve written up a full breakdown including the exploit chain, CVSS breakdown, IoCs to look for, and the disclosure timeline here: https://vetta.nz/cve-2026-41940-critical-authentication-bypass-in-cpanel-and-whm/ - hopefully this is helpful!
TL;DR: If you work with, or on, cPanel servers - check and do the thing right now!