Executive Summary
A critical security vulnerability, tracked as CVE-2026-41940, is being actively exploited in the wild, resulting in the compromise of over 40,000 cPanel servers. This flaw allows unauthenticated attackers to gain administrative access to the hosting control panel, effectively handing over full control of the underlying web server and potentially the hosting infrastructure. Given the widespread use of cPanel in shared hosting environments, the blast radius of this campaign is significant.
Defenders must assume breach and immediately hunt for indicators of compromise (IOCs) while applying vendor-supplied patches. This post provides the technical breakdown, detection logic (Sigma, KQL, VQL), and hardening steps required to contain this threat.
Technical Analysis
- Affected Products: cPanel & WHM software versions prior to the latest security patch (builds 11.124.0.5 and 118.0.45.1 are confirmed vulnerable; verify specifics against official advisories).
- Platform: Linux distributions commonly used for web hosting (AlmaLinux, CloudLinux, CentOS).
- CVE Identifier: CVE-2026-41940
- CVSS Score: 9.8 (Critical) — Estimated based on impact description.
- Vulnerability Type: Authentication Bypass / Remote Code Execution (RCE).
How the Attack Works
The vulnerability resides in the web interface handling components of cPanel/WHM. Due to insufficient validation of user-supplied input in a specific API endpoint or administrative script, an attacker can craft a malicious HTTP request.
- Initial Exploit: The attacker sends a specially crafted request to the target server (typically port 2083 for cPanel or 2087 for WHM).
- Privilege Escalation: The request bypasses standard authentication checks, effectively treating the attacker as the root or reseller user.
- Payload Execution: With administrative access, the attacker leverages cPanel's native backend tools (e.g., api-cli, pkgacct) or spawns a shell to execute arbitrary commands.
- Persistence: Attackers often create new system users, modify SSH keys, or inject malicious webshells into hosted websites to maintain access even if the cPanel vulnerability is patched.
Exploitation Status
- Status: Confirmed Active Exploitation.
- Scope: Over 40,000 servers compromised globally.
- CISA KEV: Likely to be added imminently given the scale; treat as emergency patching.
Detection & Response
Sigma Rules
The following Sigma rules focus on the behavioral anomalies observed during exploitation: the spawning of shell processes by the cPanel service daemon (cpsrvd), and unexpected writes to the cPanel user database or /etc/shadow that indicate the creation of administrative accounts. The first rule matches cpsrvd only; add the web server binary (httpd) to ParentImage if you also want coverage for shells spawned through hosted sites.
---
title: cPanel cpsrvd Spawning Shell
id: 8a2b3c4d-5e6f-4a5b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects cPanel service daemon (cpsrvd) spawning a shell, indicative of RCE or administrative abuse.
references:
  - https://securityweek.com/over-40000-servers-compromised-in-ongoing-cpanel-exploitation/
author: Security Arsenal
date: 2026/01/15
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentImage|endswith: '/usr/local/cpanel/cpsrvd'
    Image|endswith:
      - '/bin/sh'
      - '/bin/bash'
      - '/bin/zsh'
  condition: selection
falsepositives:
  - Legitimate administrative scripts run by admins via WHM
level: high
---
title: Suspicious cPanel User Database Modification
id: 9c3d4e5f-6a7b-5c6d-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects direct modification of cPanel user databases or shadow files via unexpected processes.
references:
  - https://docs.cpanel.net/
author: Security Arsenal
date: 2026/01/15
tags:
  - attack.persistence
  - attack.t1098
logsource:
  category: file_change
  product: linux
detection:
  selection:
    TargetFilename|contains:
      - '/var/cpanel/users/'
      - '/etc/shadow'
  filter_legit:
    Image|endswith:
      - '/usr/local/cpanel/bin/uapi'
      - '/usr/local/cpanel/bin/whmapi1'
      - '/usr/sbin/useradd'
  condition: selection and not filter_legit
falsepositives:
  - Unknown, requires tuning for local management tools
level: high
KQL (Microsoft Sentinel / Defender)
This query hunts for processes spawned by cpsrvd that are not part of the standard allowlist. It runs against the DeviceProcessEvents table, which is populated by Microsoft Defender for Endpoint on Linux; plain Syslog ingestion does not feed this table, so confirm the MDE agent is deployed on the cPanel hosts.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName == "cpsrvd"
// FileName is already a base name in this table; the split only guards against sources that supply a full path
| extend FileName = tostring(split(FileName, "/")[-1])
| where FileName !in~ ("perl", "php", "python", "uapi", "whmapi1")
| where FileName in~ ("sh", "bash", "zsh", "curl", "wget", "nc", "chmod", "chown")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
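To check that the Sigma rules and the KQL hunt above encode the logic you expect before shipping them, the following added example (not part of the advisory, and not a Security Arsenal tool) replays both detections in Python against a handful of constructed process and file events. The event shapes, the sample command lines and the path /var/cpanel/users/ghost7 are assumptions made for the example; the allowlists and the shell/tool names are taken from the rules above.

```python
"""Replay of the cpsrvd-spawns-shell and user-database-modification detections
against constructed sample telemetry. Added example; event shapes and sample
values are assumptions, not the advisory's own code or data."""
import os
from dataclasses import dataclass

# Children cpsrvd legitimately launches (the KQL allowlist).
LEGIT_CHILDREN = {"perl", "php", "python", "uapi", "whmapi1"}
# Children whose appearance under cpsrvd is the signal (Sigma shells plus the KQL tool list).
SUSPICIOUS_CHILDREN = {"sh", "bash", "zsh", "curl", "wget", "nc", "chmod", "chown"}
# Writers allowed to touch the cPanel user database and /etc/shadow (Sigma filter_legit).
LEGIT_WRITERS = {
    "/usr/local/cpanel/bin/uapi",
    "/usr/local/cpanel/bin/whmapi1",
    "/usr/sbin/useradd",
}
SENSITIVE_PATHS = ("/var/cpanel/users/", "/etc/shadow")


@dataclass
class ProcessEvent:
    """Minimal process_creation record (assumed shape)."""
    parent_image: str
    image: str
    command_line: str
    user: str


@dataclass
class FileEvent:
    """Minimal file_change record (assumed shape)."""
    image: str
    target_filename: str


def cpsrvd_spawned_tool(ev: ProcessEvent) -> bool:
    """Parent is cpsrvd and the child is a shell or download/permission tool,
    i.e. the Sigma 'cpsrvd Spawning Shell' rule widened to the KQL tool list."""
    if os.path.basename(ev.parent_image) != "cpsrvd":
        return False
    child = os.path.basename(ev.image).lower()  # KQL in~ is case-insensitive
    if child in LEGIT_CHILDREN:
        return False
    return child in SUSPICIOUS_CHILDREN


def unexpected_user_db_write(ev: FileEvent) -> bool:
    """Sigma 'Suspicious cPanel User Database Modification':
    selection (sensitive path) and not filter_legit (allowlisted writer)."""
    touches_sensitive = any(p in ev.target_filename for p in SENSITIVE_PATHS)
    return touches_sensitive and ev.image not in LEGIT_WRITERS


# Constructed sample events (not real telemetry).
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent("/usr/local/cpanel/cpsrvd", "/bin/sh", "sh -c id", "nobody"),
    ProcessEvent("/usr/local/cpanel/cpsrvd", "/usr/local/cpanel/bin/whmapi1", "whmapi1 listaccts", "root"),
    ProcessEvent("/usr/sbin/httpd", "/bin/bash", "bash -c id", "apache"),
    ProcessEvent("/usr/local/cpanel/cpsrvd", "/usr/bin/perl", "perl -e 1", "root"),
    ProcessEvent("/usr/local/cpanel/cpsrvd", "/usr/bin/wget", "wget http://example.invalid/x", "root"),
]
SAMPLE_FILE_EVENTS = [
    FileEvent("/usr/bin/vi", "/var/cpanel/users/ghost7"),
    FileEvent("/usr/sbin/useradd", "/etc/shadow"),
    FileEvent("/bin/cp", "/etc/shadow"),
    FileEvent("/usr/bin/vi", "/home/alice/public_html/index.php"),
]


def triage(process_events=SAMPLE_PROCESS_EVENTS, file_events=SAMPLE_FILE_EVENTS):
    """Return (offending command lines, offending target files), in input order."""
    exec_hits = [ev.command_line for ev in process_events if cpsrvd_spawned_tool(ev)]
    persist_hits = [ev.target_filename for ev in file_events if unexpected_user_db_write(ev)]
    return exec_hits, persist_hits


if __name__ == "__main__":
    for kind, hits in zip(("cpsrvd spawned tool", "unexpected user-db write"), triage()):
        for hit in hits:
            print(f"[{kind}] {hit}")
```

The httpd-parented bash event is deliberately not flagged, matching the rule as written; the second sample file event shows why filter_legit matters, since useradd writes /etc/shadow on every legitimate account creation.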
Velociraptor VQL
This artifact hunts for suspicious child processes of the cPanel daemon and checks for recently modified files in the cPanel user directory.
-- Hunt for suspicious cpsrvd child processes.
-- VQL has no IN (subquery); collect the cpsrvd PIDs first and iterate with foreach.
SELECT * FROM foreach(
  row={ SELECT Pid AS ParentPid FROM pslist() WHERE Name = "cpsrvd" },
  query={
    SELECT Pid, Ppid, Name, Exe, CommandLine, Username
    FROM pslist()
    WHERE Ppid = ParentPid
      AND Name IN ("sh", "bash", "dash", "zsh", "perl", "python")
  })

-- Check for cPanel user configs modified in the last 24 hours (persistence).
-- now() is epoch seconds, so subtract 86400 and convert back to a timestamp.
SELECT FullPath, Mtime, Mode, Size
FROM glob(globs="/var/cpanel/users/*")
WHERE Mtime > timestamp(epoch=now() - 86400)
Remediation Script (Bash)
Run this script on your cPanel servers to verify the patch status and restart essential services. Ensure you have a backup before running.
#!/bin/bash
set -u

# Check cPanel version and current patch level
echo "Checking cPanel version..."
/usr/local/cpanel/cpanel -V

# Pull the latest build. Compare the version printed above with the secure
# version named in the cPanel advisory for CVE-2026-41940 before trusting the host.
echo "Checking for update availability..."
/usr/local/cpanel/scripts/upcp --force

# Restart cPanel services so that any memory-only payloads left by the exploit are cleared
echo "Restarting cPanel services..."
/usr/local/cpanel/scripts/restartsrv_cpsrvd
/usr/local/cpanel/scripts/restartsrv_httpd

# Audit for recently added system users (potential persistence):
# print name, UID and login shell for UIDs >= 1000, skipping the nobody account
echo "Auditing recent system users..."
awk -F: '$3 >= 1000 && $1 != "nobody" {print $1" "$3" "$7}' /etc/passwd

echo "Remediation checks complete. Please manually verify /var/cpanel/users for unauthorized accounts."
Remediation
- Immediate Patching: Update to the latest stable release of cPanel & WHM immediately. cPanel has released patches for versions 11.124 (Tier 1) and 118.0 (Long Term Support).
- Command: /usr/local/cpanel/scripts/upcp --force
- Credential Reset: Assume all passwords and API tokens for root, reseller, and cpanel users on affected systems are compromised. Force a password rotation for all hosting accounts.
- Audit User Accounts: Review /var/cpanel/users/ for any recently created files that do not correspond to legitimate customers. Check for users with owner: root that shouldn't be.
- Webshell Hunt: Scan all web roots (/home/*/public_html) for recently modified PHP, Perl, or Python files. Look for common obfuscation patterns (base64_decode, eval, gzinflate).
- Restrict Access: Ensure WHM (port 2087) and cPanel (2083) interfaces are not exposed directly to the internet if possible, or restrict access via firewall (iptables/csf) to trusted management IP ranges.
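The user-account audit and webshell hunt in the checklist above, together with the 24-hour modification window used by the VQL persistence query, can be scripted so they run the same way on every host. The following is an added example written for this post, not a cPanel or Security Arsenal tool; it builds a constructed directory tree under a temp directory instead of touching the real /var/cpanel/users and /home, assumes cPanel user files are KEY=VALUE lines with an OWNER key, and treats the account names alice and ghost7 and the file wp-cache.php as made-up fixture data.

```python
"""Audit helpers for the remediation checklist: recently created cPanel user
files (especially OWNER=root), and recently modified web files that call an
obfuscation primitive. Added example; runs against a constructed temp tree.
Assumption: /var/cpanel/users/<user> files are KEY=VALUE lines with OWNER."""
import os
import re
import tempfile
import time

WINDOW_S = 24 * 3600                      # same 24h window as the VQL hunt
WEB_EXTS = {".php", ".phtml", ".pl", ".py"}
# Obfuscation markers from the checklist, matched only when used as a call.
OBFUSCATION_RE = re.compile(r"\b(base64_decode|eval|gzinflate)\s*\(")


def parse_user_file(path):
    """Read KEY=VALUE lines into a dict (assumed format of the cPanel user file)."""
    fields = {}
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.strip().partition("=")
            if sep:
                fields[key] = value
    return fields


def audit_cpanel_users(users_dir, known_users, now=None):
    """Flag user files that are unknown to the customer list, or created within
    the window with OWNER=root. Returns [(name, owner, reasons)]."""
    now = time.time() if now is None else now
    findings = []
    for name in sorted(os.listdir(users_dir)):
        path = os.path.join(users_dir, name)
        if not os.path.isfile(path):
            continue
        owner = parse_user_file(path).get("OWNER", "")
        recent = now - os.path.getmtime(path) <= WINDOW_S
        reasons = []
        if name not in known_users:
            reasons.append("not in customer list")
        if recent and owner == "root":
            reasons.append("created in last 24h with OWNER=root")
        if reasons:
            findings.append((name, owner, reasons))
    return findings


def hunt_webshells(home_dir, now=None):
    """Web files under <home>/*/public_html modified within the window that call
    an obfuscation primitive. Returns [(path, sorted markers)]."""
    now = time.time() if now is None else now
    findings = []
    for user in sorted(os.listdir(home_dir)):
        root = os.path.join(home_dir, user, "public_html")
        for dirpath, _, files in os.walk(root):
            for fname in sorted(files):
                path = os.path.join(dirpath, fname)
                if os.path.splitext(fname)[1].lower() not in WEB_EXTS:
                    continue
                if now - os.path.getmtime(path) > WINDOW_S:
                    continue
                with open(path, encoding="utf-8", errors="replace") as fh:
                    markers = sorted(set(OBFUSCATION_RE.findall(fh.read())))
                if markers:
                    findings.append((path, markers))
    return findings


def build_sample_tree(now):
    """Constructed fixture: one legitimate account, one fresh root-owned account,
    one fresh obfuscated PHP file, one clean file and one stale obfuscated file."""
    base = tempfile.mkdtemp(prefix="cpanel-audit-")
    users_dir = os.path.join(base, "var", "cpanel", "users")
    home_dir = os.path.join(base, "home")

    def put(path, text, age_s):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.utime(path, (now - age_s, now - age_s))

    put(os.path.join(users_dir, "alice"), "USER=alice\nOWNER=reseller1\n", 30 * 86400)
    put(os.path.join(users_dir, "ghost7"), "USER=ghost7\nOWNER=root\n", 3600)
    html = os.path.join(home_dir, "alice", "public_html")
    put(os.path.join(html, "index.php"), "<?php echo 'hello'; ?>\n", 60 * 86400)
    put(os.path.join(html, "wp-cache.php"),
        '<?php eval(base64_decode("Y29uc3RydWN0ZWQ=")); ?>\n', 1800)  # decodes to "constructed"
    put(os.path.join(html, "old.php"), '<?php eval(gzinflate("x")); ?>\n', 90 * 86400)
    return users_dir, home_dir


def run_audit(now=None):
    """Build the fixture and run both checks; returns (user findings, webshell findings)."""
    now = time.time() if now is None else now
    users_dir, home_dir = build_sample_tree(now)
    return audit_cpanel_users(users_dir, {"alice"}, now), hunt_webshells(home_dir, now)


if __name__ == "__main__":
    users, shells = run_audit()
    for name, owner, reasons in users:
        print(f"user {name} (OWNER={owner}): {'; '.join(reasons)}")
    for path, markers in shells:
        print(f"webfile {path}: {', '.join(markers)}")
```

On a real host, point audit_cpanel_users at /var/cpanel/users with the account list exported from billing, and hunt_webshells at /home. The age filter is what keeps the noise down: legitimate CMS code also calls eval and base64_decode, so a hit is only interesting when the file changed inside the incident window.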