Critical cPanel & WHM vulnerability allows full server takeover
A critical security vulnerability in cPanel & WHM - one of the world's most widely used web hosting control panels - allows cybercriminals to take full administrative control of affected servers without a valid password.
How the vulnerability works
cPanel & WHM manages how web servers handle user sessions - the temporary data stored when someone logs in. The vulnerability (CVE-2026-41940, CVSS 9.8 out of 10) lies in how that session data is processed. If authentication is the lock on a door, this vulnerability removes that lock entirely: by sending a specially crafted request, an attacker can manipulate session files so that the system believes they are already authenticated, without ever providing credentials. Exploiting the vulnerability requires no prior access and can be carried out remotely over the internet, which makes it particularly dangerous at scale.
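To make the bug class concrete, the following is an added, constructed Python model (not cPanel/WHM code, and not a reconstruction of CVE-2026-41940, whose exact mechanics the advisory does not disclose). It contrasts a session lookup that believes client-supplied session state with one that treats the cookie as an opaque, server-issued identifier and reads the authenticated flag only from server-side storage. The file layout, id format and field names are assumptions for illustration.

```python
import json
import os
import re
import secrets
import tempfile

# Server-issued session ids are 32 hex chars (assumption for this model).
SESSION_ID_RE = re.compile(r"[0-9a-f]{32}")


class SessionStore:
    """Sessions stored as JSON files in a server-side directory (constructed model,
    not cPanel's real session layout)."""

    def __init__(self, directory):
        self.directory = directory
        self.rejected = []  # malformed ids seen; feed these to alerting in a real deployment

    def create(self, username):
        """Issue a fresh random id and persist the record server-side."""
        sid = secrets.token_hex(16)
        with open(os.path.join(self.directory, sid), "w", encoding="utf-8") as fh:
            json.dump({"user": username, "authenticated": True}, fh)
        return sid

    def _read(self, sid):
        try:
            with open(os.path.join(self.directory, sid), encoding="utf-8") as fh:
                return json.load(fh)
        except (OSError, ValueError):
            return None

    def current_user_vulnerable(self, cookie):
        """Weak pattern: the cookie carries a serialized session *including* its
        authenticated flag, and the server believes it. A forged cookie is
        enough to be treated as logged in; no credentials are ever checked."""
        try:
            claim = json.loads(cookie)
        except ValueError:
            return None
        if claim.get("authenticated") is True:
            return claim.get("user")
        return None

    def current_user_hardened(self, cookie):
        """The cookie is an opaque id only. It must match the server-issued format
        (which also blocks traversal such as '../'), and the authenticated flag is
        taken from the server-side record, which the client cannot write."""
        sid = cookie.strip()
        if not SESSION_ID_RE.fullmatch(sid):
            self.rejected.append(sid)  # worth logging: unexpected session id shape
            return None
        record = self._read(sid)
        if record is None or record.get("authenticated") is not True:
            return None
        return record.get("user")


def demo():
    """Run both lookups against a genuine session and a forged cookie."""
    with tempfile.TemporaryDirectory() as d:
        store = SessionStore(d)
        real = store.create("admin")
        forged = json.dumps({"user": "root", "authenticated": True})
        return {
            "vulnerable_accepts_forgery": store.current_user_vulnerable(forged),
            "hardened_rejects_forgery": store.current_user_hardened(forged),
            "hardened_accepts_real": store.current_user_hardened(real),
            "hardened_rejects_traversal": store.current_user_hardened("../" + real),
            "rejected_ids_logged": len(store.rejected),
        }


if __name__ == "__main__":
    print(demo())
```

The design point is that nothing the client sends should be able to assert "authenticated"; the client presents only a random identifier, and every security-relevant attribute is resolved from state the server wrote itself. Rejections of malformed identifiers are kept as a signal, since a burst of them is the kind of anomaly an administrator would want surfaced while a fix is being rolled out.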
Why this is dangerous
With administrative access, an attacker can read and modify any data on the server, access every hosted website and database, create backdoors or additional accounts to maintain persistence, and move laterally across the hosting infrastructure to reach other customers' sites. In shared hosting environments - where one server may host hundreds of websites - a single successful exploit can have cascading consequences.
Mitigation and next steps
CVE-2026-41940 affects all versions of cPanel & WHM. The software runs on millions of servers globally and is a staple of the web hosting industry, used to manage websites, email accounts, databases, and domains - often on behalf of large numbers of customers sharing the same infrastructure.
cPanel has released a security update addressing this vulnerability. The Centre for Cybersecurity Belgium (CCB/CERT.be) classifies it as critical and advises applying the patch immediately, prioritizing systems exposed to the internet. System administrators should deploy the update without delay.
Note: Patching addresses future exploitation but does not remediate a compromise that has already occurred. Any organization that suspects its systems may have been accessed prior to patching should investigate and, where applicable, report the incident to the relevant national authority.
Holm Security’s response
Holm Security is working on a test to scan for this vulnerability.
Scan for specific vulnerabilities
Read how you can include or exclude a specific vulnerability in a scan profile here.