
Pentest-Tools.com Launches Free Scanner for CVE-2026-41940 as cPanel Authentication Bypass Continues to be Actively Exploited for Three Weeks

Pentest-Tools.com has introduced a new free scanner that requires no login, targeting the critical vulnerability known as CVE-2026-41940. This flaw affects cPanel & WHM, as well as WP Squared, and has been reportedly exploited in the wild since at least February 2026. The vulnerability is classified with a critical CVSS score of 9.8 and has been officially listed in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities catalog.

CVE-2026-41940 allows unauthenticated attackers to circumvent the login process of cPanel completely. This is made possible through a CRLF (Carriage Return Line Feed) injection vulnerability present in cpsrvd, the service daemon responsible for cPanel operations. By manipulating the whostmgrsession cookie, an attacker can inject authentication state flags into a session file before it is validated. This manipulation grants attackers full access without the need for credentials, user interaction, or elevated privileges, making the flaw particularly dangerous.

The scale of potential exposure due to this vulnerability is alarming. Data from Shodan in April 2026 indicates that around 1.5 million cPanel and WHM interfaces are accessible via the internet. Since a single cPanel server often hosts multiple customer accounts, a successful exploit can affect every account on that server, amplifying the impact of a breach far beyond the primary account holder. Both the cPanel user interface (ports 2082 and 2083) and the WHM administrator interface (ports 2086 and 2087) are susceptible, as are the XML-API and UAPI endpoints that depend on session authentication.

One significant aspect of this vulnerability is how long it remained undetected. Daniel Pearson, the CEO of KnownHost, confirmed that his company observed exploitation attempts as early as February 23, 2026, a full 64 days before any public advisory, patch, or official CVE was issued. In the time since, multiple documented ransomware and botnet campaigns have emerged that abuse compromised cPanel servers.

In response to the situation, cPanel & WHM released a patch on April 28, 2026. Additionally, Cloudflare implemented an emergency web application firewall (WAF) rule on April 30 to aid in network-edge mitigation for infrastructures behind its service. WP Squared has also disseminated an advisory regarding the vulnerability. Furthermore, watchTowr Labs conducted a comprehensive technical analysis and published a proof-of-concept to elucidate the nature of the threat.

The scanner developed by Pentest-Tools.com goes beyond simple version banner checking by sending a specially crafted CRLF payload to the cPanel login endpoint and evaluating the server’s response to ascertain exploitability. The team behind this tool stresses that conventional version checks alone may not adequately determine if a specific instance is genuinely at risk.

The Pentest-Tools.com security team has provided clear recommendations for mitigating the risk. They emphasize patching first: check the version table and update to the earliest patched version available for your cPanel branch. Cloudflare customers should verify that the Managed Ruleset is active. Access to the critical ports (2082, 2083, 2086, and 2087) should be restricted to trusted IP ranges, and access logs should be watched closely for signs of unusually rapid authentication sessions. The team cautions that a version check alone does not establish whether a system is actually exploitable.

Given the urgency surrounding CVE-2026-41940, organizations unable to apply immediate patches are advised to take interim measures. These include limiting access to cPanel and WHM ports to only trusted IP ranges, confirming the coverage of Cloudflare Managed Ruleset if applicable, and meticulously monitoring access logs for sessions that exhibit suspicious authentication speeds.
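The log-monitoring step above is easy to state and harder to operationalise. The following is an added example, not the Pentest-Tools.com scanner and not cPanel's own tooling, showing one way to flag the two session patterns a defender would care about here: a session token used without any observed login from the same client, and a burst of new sessions from one client in a short window. It assumes cpsrvd's access log resembles the Apache combined format and that authenticated requests carry a `/cpsessNNNN/` path prefix; the sample lines, IP addresses and thresholds are constructed for illustration and should be adjusted to your deployment.

```python
"""Flag cPanel/WHM access-log sessions that were established suspiciously fast.

Added example for the CVE-2026-41940 article; not code from Pentest-Tools.com or cPanel.
Assumption: the log is Apache combined-log style and authenticated requests carry a
/cpsess<token>/ path prefix. Adjust LOG_RE / SESSION_RE for your real log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SESSION_RE = re.compile(r'/cpsess(?P<sid>[0-9A-Za-z]+)/')
LOGIN_PATH = "/login/"
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one normal login, one session with no login at all,
# and one client that mints three sessions in thirty seconds.
SAMPLE_LOG = """\
203.0.113.10 - - [01/May/2026:10:00:00 +0000] "POST /login/?login_only=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - alice [01/May/2026:10:00:01 +0000] "GET /cpsess1234567890/frontend/jupiter/index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - root [01/May/2026:10:05:00 +0000] "GET /cpsess9876543210/json-api/listaccts HTTP/1.1" 200 8192 "-" "curl/8.0"
192.0.2.55 - - [01/May/2026:10:07:00 +0000] "POST /login/?login_only=1 HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.55 - root [01/May/2026:10:07:10 +0000] "GET /cpsess1111111111/json-api/listaccts HTTP/1.1" 200 8192 "-" "python-requests/2.31"
192.0.2.55 - root [01/May/2026:10:07:20 +0000] "GET /cpsess2222222222/json-api/listaccts HTTP/1.1" 200 8192 "-" "python-requests/2.31"
192.0.2.55 - root [01/May/2026:10:07:30 +0000] "GET /cpsess3333333333/json-api/listaccts HTTP/1.1" 200 8192 "-" "python-requests/2.31"
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    s = SESSION_RE.search(rec["path"])
    rec["sid"] = s.group("sid") if s else None
    rec["is_login"] = rec["method"] == "POST" and rec["path"].startswith(LOGIN_PATH)
    return rec


def find_suspicious_sessions(log_text, burst_window=timedelta(seconds=60), burst_sessions=3):
    """Return (session_id, ip, reason) tuples for sessions worth a closer look.

    Signal 1: a session token is used by a client that never POSTed to the login
              endpoint earlier in the log (the login step was skipped entirely).
    Signal 2: one client starts burst_sessions or more new sessions within burst_window.
    """
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    records.sort(key=lambda r: r["ts"])
    last_login = {}   # ip -> time of its most recent login POST
    first_seen = {}   # sid -> (ip, time the token was first used)
    findings = []

    for r in records:
        if r["is_login"]:
            last_login[r["ip"]] = r["ts"]
            continue
        if r["sid"] is None or r["sid"] in first_seen:
            continue
        first_seen[r["sid"]] = (r["ip"], r["ts"])
        if r["ip"] not in last_login:
            findings.append((r["sid"], r["ip"], "session used without any observed login POST"))

    by_ip = defaultdict(list)
    for sid, (ip, ts) in first_seen.items():
        by_ip[ip].append(ts)
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while j + 1 < len(stamps) and stamps[j + 1] - stamps[i] <= burst_window:
                j += 1
            if j - i + 1 >= burst_sessions:
                secs = int(burst_window.total_seconds())
                findings.append((None, ip, f"{j - i + 1} new sessions within {secs}s"))
                break
    return findings


if __name__ == "__main__":
    for sid, ip, reason in find_suspicious_sessions(SAMPLE_LOG):
        print(f"{ip}\t{sid or '-'}\t{reason}")
```

Run against a real `access_log`, both signals will need tuning: clients behind a shared NAT or a reverse proxy will look like one IP, so use the forwarded client address where your proxy records it, and raise `burst_sessions` for hosts with legitimate automation. Neither signal proves exploitation; they pick out sessions to correlate with the patch status of the host and, where Cloudflare fronts it, with WAF rule hits.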

For users seeking to assess their vulnerability to this critical authentication bypass, the free scanner is now available at Pentest-Tools.com. The ongoing developments concerning CVE-2026-41940 highlight the necessity of proactive cybersecurity measures, as vulnerabilities like this can have far-reaching implications across multiple customer accounts and services.
