Technology · 7 min read

cPanel Zero-Day Gave Attackers Root Access to 70 Million Domains for 30+ Days

CVE-2026-41940 authentication bypass enabled unauthenticated root access to shared hosting infrastructure while cPanel held disclosure for two weeks.

A critical authentication bypass vulnerability in cPanel/WHM gave attackers unauthenticated root access to servers managing over 70 million domains globally, with evidence of active exploitation dating back at least 30 days before the April 28 public disclosure.

CVE-2026-41940, assigned a CVSS score of 9.8 out of 10, affects all currently supported cPanel/WHM versions after 11.40, according to The Hacker News. The vulnerability stems from a CRLF injection flaw in the cpsrvd daemon’s session-handling code, allowing attackers to bypass password validation entirely and gain root-level access to Web Host Manager (WHM) control panels. With 94.19% market share in the web hosting control panel sector, cPanel’s compromise represents a supply-chain attack on internet infrastructure.

Exposure Metrics
  • Domains under management: 70M+
  • Internet-exposed instances: 1.5M–2M
  • CVSS severity score: 9.8/10
  • Confirmed exploitation window: 30+ days

Exploitation Timeline and Disclosure Gap

Daniel Pearson, CEO of KnownHost, confirmed that “this has absolutely been used in the wild, and has been seen at least for the last 30 days if not longer,” in comments to The Hacker News. Security researchers at Rapid7 found evidence suggesting exploitation may have begun as early as February 23, 2026 — more than two months before the public advisory.

The vulnerability was reportedly disclosed to cPanel approximately two weeks before the April 28 public announcement, per webhosting.today. This gap between private disclosure and public advisory created a window during which hosting providers remained unaware of the threat while exploitation continued. cPanel released patches approximately 2-3 hours after going public, but full deployment across major providers took an additional 6-7 hours.

“Let’s call this what it is: an unauthenticated authentication bypass in cPanel and WHM, a management-plane solution deployed on tens of thousands of servers and sitting in front of a meaningful chunk of the internet.”

— Benjamin Harris, CEO and founder of watchTowr

Technical Mechanism and Attack Surface

The root cause was a missing sanitization function in the cpsrvd daemon’s session-saving code path, enabling CRLF (carriage return/line feed) injection attacks. Technical analysis from watchTowr Labs demonstrates how attackers could manipulate HTTP headers to inject malicious session data, granting full administrative access without credentials.

An attacker with this access can read every customer hosting account, modify files and databases, create backdoor accounts, install malware, steal credentials, and pivot into customer networks, per The Hacker News. The shared hosting model amplifies the impact: a single compromised WHM instance can cascade into hundreds or thousands of downstream website compromises.

Eye Security estimates approximately 2 million cPanel instances are internet-exposed, while Shodan searches identified roughly 1.5 million accessible instances as of April 29, according to Cyber Insider.

Provider Response and Mitigation

Within hours of the public advisory, major hosting providers implemented emergency port blocks on cPanel (2082/2083), WHM (2086/2087), Webmail (2095/2096), and WebDisk (2077/2078) interfaces while deploying patches. Namecheap completed patching by 10:42 PM EDT on April 28. KnownHost finished by 10:21 PM, while hosting.com recovered by 11:40 PM CST, per webhosting.today.

Timeline
  • ~23 Feb 2026, earliest suspected exploitation: Rapid7 identifies evidence of potential exploitation attempts beginning in late February.
  • ~14 Apr 2026, private disclosure to cPanel: the vulnerability is reportedly disclosed to cPanel approximately two weeks before the public advisory.
  • 28 Apr 2026, public disclosure and emergency patch: cPanel releases a public advisory and patches within 2-3 hours; providers begin port blocks immediately.
  • 28-29 Apr 2026, mass patching complete: major providers (Namecheap, KnownHost, hosting.com) complete deployment within 6-7 hours.

Patched versions include 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5, per Cyber Kendra. However, the global distribution of smaller and regional hosting providers means patch coverage remains incomplete. Servers running unsupported cPanel versions remain vulnerable indefinitely.

KnownHost observed approximately 30 attempted compromises across thousands of servers during the vulnerability window, according to their community forum incident documentation.

Potential Threat Scenarios

The combination of a 30+ day exploitation window, delayed public disclosure, and root-level access to shared hosting infrastructure creates conditions attractive to both cybercriminal and state-sponsored operations. Shared hosting providers serving small businesses, financial services firms, and government contractors represent high-value targets for credential harvesting, supply-chain insertion, and lateral movement into customer networks.

The vulnerability’s technical simplicity — requiring no prior authentication or complex exploitation chains — lowers barriers to entry. Ransomware operators, cryptomining groups, and data exfiltration campaigns could all leverage the flaw. In environments where hosting providers serve critical infrastructure clients or government agencies, the potential for state-actor weaponisation increases significantly.

Recommended Actions
  • Verify your hosting provider has deployed cPanel patches 11.110.0.97+ or equivalent for your version branch
  • Enable multi-factor authentication on all WHM and cPanel accounts immediately
  • Review access logs for the past 60 days for unauthorised WHM logins, particularly from unfamiliar IP addresses
  • Implement IP allowlisting for WHM access where feasible to reduce attack surface
  • Audit all user accounts and SSH keys for backdoor access created during the vulnerability window
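As an added example (not cPanel's or the article's own tooling), the following check compares a cPanel/WHM version string against the patched builds listed above for each version branch; a branch with no listed patched build is reported as unsupported, since the article notes such servers remain vulnerable indefinitely.

```python
"""Compare a cPanel/WHM version string against the patched builds for
CVE-2026-41940 listed in the article. Added example, not cPanel tooling."""

# Minimum patched build per supported branch, from the article's patch list.
# Key is (major, minor); value is the full patched version as a tuple.
PATCHED_BUILDS = {
    (11, 110): (11, 110, 0, 97),
    (11, 118): (11, 118, 0, 63),
    (11, 126): (11, 126, 0, 54),
    (11, 132): (11, 132, 0, 29),
    (11, 134): (11, 134, 0, 20),
    (11, 136): (11, 136, 0, 5),
}


def parse_version(text):
    """'11.110.0.97' -> (11, 110, 0, 97); raises ValueError on anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected cPanel version format: {text!r}")
    return tuple(int(p) for p in parts)


def assess(text):
    """Return (status, detail); status is 'patched', 'vulnerable' or 'unsupported'."""
    ver = parse_version(text)
    branch = ver[:2]
    minimum = PATCHED_BUILDS.get(branch)
    if minimum is None:
        # No patched build is listed for this branch: treat it as still
        # vulnerable, as the article does for unsupported versions.
        return "unsupported", f"branch {branch[0]}.{branch[1]} has no patched build listed"
    wanted = ".".join(map(str, minimum))
    # Tuple comparison orders each numeric component, so 11.126.0.53 < 11.126.0.54.
    if ver >= minimum:
        return "patched", f"{text} >= {wanted}"
    return "vulnerable", f"{text} < {wanted}"


if __name__ == "__main__":
    # Constructed sample inventory of version strings, one per host.
    for v in ["11.110.0.97", "11.126.0.53", "11.136.0.5", "11.100.0.12"]:
        status, detail = assess(v)
        print(f"{v:14} {status:12} {detail}")
```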

What to Watch

Incident response teams should prioritise forensic analysis of server access logs dating back to late February. Evidence of session manipulation, unexpected administrative account creation, or configuration changes during the exploitation window may indicate compromise. The delayed disclosure period means organisations cannot rely solely on the April 28 public advisory date to scope their investigation timelines.
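To illustrate the scoping point above, here is an added example (not the article's or cPanel's code) that triages WHM login records against the article's exploitation window and an allowlist of expected admin sources; the record format and sample lines are constructed for illustration and are not cPanel's real log format.

```python
"""Flag successful admin logins from unexpected sources inside the
CVE-2026-41940 exploitation window. Added example with a constructed record
format: "<ISO timestamp> <user> <source ip> <OK|FAIL>"."""
from datetime import date, datetime

# Window from the article: earliest suspected exploitation to mass patching.
WINDOW_START = date(2026, 2, 23)
WINDOW_END = date(2026, 4, 29)
# Scoping only from the public advisory date, for comparison.
DISCLOSURE_DATE = date(2026, 4, 28)

# Constructed allowlist of source IPs the admin team is known to use.
KNOWN_ADMIN_IPS = {"203.0.113.10"}

# Constructed sample records (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2026-02-10T08:15:02 root 203.0.113.10 OK
2026-03-04T02:41:19 root 198.51.100.77 OK
2026-03-04T02:42:05 root 198.51.100.77 OK
2026-04-12T11:03:44 alice 203.0.113.10 OK
2026-04-20T23:59:01 root 192.0.2.200 FAIL
2026-05-02T09:00:00 root 192.0.2.200 OK
"""


def parse_record(line):
    """Split one constructed record into (datetime, user, ip, result)."""
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result


def suspicious_logins(log_text, known_ips=KNOWN_ADMIN_IPS,
                      start=WINDOW_START, end=WINDOW_END):
    """Return (timestamp, user, ip) for successful logins within [start, end]
    whose source IP is not in the allowlist. Failed attempts are skipped."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        when, user, ip, result = parse_record(raw)
        if result != "OK" or ip in known_ips:
            continue
        if start <= when.date() <= end:
            hits.append((when, user, ip))
    return hits


if __name__ == "__main__":
    print("full window:", len(suspicious_logins(SAMPLE_LOG)))
    print("from advisory date:", len(suspicious_logins(SAMPLE_LOG, start=DISCLOSURE_DATE)))
```

Run against the sample, the full window surfaces the two March root logins from 198.51.100.77, while scoping from the April 28 advisory date finds nothing.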

The scale of potential exposure — 1.5-2 million internet-accessible instances managing 70 million domains — makes this a supply-chain event with cascading implications. Downstream compromises of customer websites, databases, and email systems may surface over coming weeks as organisations complete their assessments. Smaller hosting providers with limited security operations capabilities face the highest risk of delayed detection and remediation.

Given the severity and confirmed exploitation, organisations should treat any cPanel/WHM infrastructure as potentially compromised until comprehensive log analysis confirms otherwise. The 30+ day head start for attackers creates a wide window for persistent access mechanisms that survive initial patching efforts.