Question 1

What exactly is the CVE-2026-41940 cPanel authentication bypass vulnerability?

Accepted Answer

CVE-2026-41940 is a critical CVSS 9.8 vulnerability in cPanel & WHM caused by a CRLF injection flaw in the cpsrvd session daemon. Unauthenticated remote attackers can inject session file properties including user=root and tfa_verified=1 to gain full administrative root access to the server without any credentials or 2FA codes. All cPanel & WHM versions above 11.40 are affected.

Question 2

Was CVE-2026-41940 actively exploited before the patch was available?

Accepted Answer

Yes. Confirmed active exploitation began as early as February 23, 2026 approximately 64 days before the public disclosure and patch release on April 28, 2026. Sophisticated threat actors, including those targeting government and military entities in Southeast Asia and MSPs globally, exploited this as a zero-day for over two months.

Question 3

Does enabling 2FA on WHM protect against this attack?

Accepted Answer

No. The exploit specifically bypasses 2FA by injecting the tfa_verified=1 directive directly into the session file. Two-Factor Authentication provides zero protection against CVE-2026-41940. The only remediation is patching to a fixed cPanel & WHM version.

Question 4

How do I know if my server was compromised during the zero-day window?

Accepted Answer

Audit the raw session file directory at /var/cpanel/sessions/raw/ for session files containing user=root or hasroot=1 that do not correspond to legitimate administrative logins. Run cPanel's official detection script: /usr/local/cpanel/scripts/detect_cve_2026_41940. For independent forensic validation, contact Femto Security Penetration Testing.

Question 5

What is the connection between Sorry ransomware and cPanel attacks?

Accepted Answer

Threat actors exploiting CVE-2026-41940 have been observed deploying the "Sorry" ransomware family against compromised web hosting servers. Because WHM root access grants control over an entire server including all hosted accounts, databases, and files these ransomware attacks can be catastrophic in scale, particularly for MSPs and hosting providers serving multiple clients.

Question 6

Are UAE and GCC organisations specifically at risk?

Accepted Answer

Yes. GCC hosting providers, MSPs, government entities, and VARA-licensed Virtual Asset Service Providers all operate cPanel-based infrastructure and face both technical risks of exploitation and regulatory risks of compliance failure if they do not respond promptly to a CVSS 9.8 zero-day. Femto Security vCISO for VARA Compliance service supports regulated entities in documenting and demonstrating their response.

Question 7

How can Femto Security help my organisation respond to CVE-2026-41940?

Accepted Answer

Femto Security offers emergency vulnerability assessments, compromise investigations, post-patch penetration testing for validation, continuous attack surface management, and dark web monitoring to detect whether your infrastructure access has already been listed for sale. Contact our team for a prioritised response plan tailored to your environment and regulatory context.

cPanel Authentication Bypass Vulnerability CVE-2026-41940

cPanel Authentication Bypass Vulnerability CVE-2026-41940