Pentest-Tools.com has launched a free, no-login scanner for CVE-2026-41940, the critical authentication bypass affecting cPanel & WHM and WP Squared that has been actively exploited in the wild since at least February 2026.
The vulnerability, rated CVSS 9.8 Critical and added to CISA's Known Exploited Vulnerabilities catalog, allows an unauthenticated attacker to bypass cPanel's login process entirely by exploiting a CRLF injection flaw in cpsrvd, the cPanel service daemon. By manipulating the whostmgrsession cookie, an attacker can inject authentication state flags into a session file before it is validated, granting full access without credentials, user interaction, or special privileges.
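As an added illustration (not code from cPanel, Pentest-Tools.com or watchTowr), the following Python models the flaw class described above: a session store that writes a cookie value into a line-oriented record without rejecting CR/LF, beside a hardened version that enforces an allow-list before the value is used. The record format, the key names and the `authenticated` flag are hypothetical and not cPanel's actual session layout.

```python
import re

# Hypothetical model (not cPanel's code) of a session store that persists
# cookie-derived values as newline-separated key=value records.
SESSION_ID_RE = re.compile(r"[A-Za-z0-9_:\-]{1,128}")


def write_session_record_unsafe(cookie_value: str) -> str:
    # Vulnerable pattern: the raw cookie value is embedded in the record text
    # without checking for control characters, so a "\r\n" inside the value
    # starts a new record line that the reader later treats as trusted state.
    return f"session_id={cookie_value}\n"


def write_session_record_safe(cookie_value: str) -> str:
    # Hardened pattern: validate against a strict allow-list before use, so
    # CR, LF and any other unexpected byte cause the request to be rejected.
    if not SESSION_ID_RE.fullmatch(cookie_value):
        raise ValueError("rejected session cookie: invalid characters")
    return f"session_id={cookie_value}\n"


def parse_session_record(record: str) -> dict:
    # Reads the record the way a naive line-oriented session reader would:
    # every "key=value" line becomes state, regardless of where it came from.
    state = {}
    for line in record.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            state[key.strip()] = value.strip()
    return state


def is_authenticated(state: dict) -> bool:
    # Hypothetical authentication state flag checked by the reader.
    return state.get("authenticated") == "1"


def demo() -> dict:
    benign = "abc123"
    # Constructed cookie value carrying an embedded CRLF and a hypothetical flag.
    tampered = "abc123\r\nauthenticated=1"
    unsafe_state = parse_session_record(write_session_record_unsafe(tampered))
    try:
        write_session_record_safe(tampered)
        safe_rejected = False
    except ValueError:
        safe_rejected = True
    benign_state = parse_session_record(write_session_record_safe(benign))
    return {
        "benign_authenticated": is_authenticated(benign_state),
        "unsafe_authenticated": is_authenticated(unsafe_state),
        "safe_rejected": safe_rejected,
    }
```

The unsafe writer lets the second line of the tampered value become an authentication flag; the allow-list check refuses the value before anything is written.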
The scale of exposure is significant. Roughly 1.5 million cPanel and WHM interfaces are directly reachable from the internet, according to Shodan data from April 2026. Because a single cPanel server typically hosts dozens to hundreds of separate customer accounts, a successful exploit affects every account on that server, not just the primary account holder. Both the cPanel user interface (ports 2082/2083) and the WHM administrator interface (ports 2086/2087) are affected, along with XML-API and UAPI endpoints that rely on session authentication.
What makes this vulnerability particularly notable is how long it went undetected. KnownHost CEO Daniel Pearson has confirmed that his company observed exploitation attempts as early as February 23, 2026, 64 days before any public advisory, patch, or CVE existed. Active ransomware and botnet campaigns have since been documented across compromised cPanel infrastructure.
A patch was released by cPanel & WHM on April 28, 2026, and Cloudflare deployed an emergency WAF rule on April 30 as a partial network-edge mitigation for infrastructure behind Cloudflare. WP Squared has also released an advisory. watchTowr Labs published a detailed technical analysis and proof-of-concept.
The Pentest-Tools.com scanner goes beyond version banner checking: it sends a crafted CRLF payload to the cPanel login endpoint and assesses exploitability based on the server's actual response. The team notes that version checks alone are not sufficient to confirm whether a given instance is genuinely at risk.
"Patch first," said the Pentest-Tools.com security team. "Check the version table and update to the first patched build on your branch. If you're behind Cloudflare, verify the Managed Ruleset is enabled. Then lock down ports 2082, 2083, 2086, and 2087 to trusted IP ranges and watch your access logs for sessions that authenticate suspiciously fast. Version checks alone won't tell you if you're actually exploitable."
For organisations that cannot patch immediately, the recommended interim steps are to restrict cPanel and WHM port access to trusted IP ranges, verify Cloudflare Managed Ruleset coverage if applicable, and monitor access logs for sessions with unusually short time-to-authenticate.
The free scanner is live at: pentest-tools.com/network-vulnerability-scanning/cve-2026-41940-scanner-cpanel-authentication-bypass