{“lastseen”:”2026-04-30T18:06:32″,”description”:”## What is CVE-2026-41940?\\n\\nCVE-2026-41940 is a critical authentication bypass vulnerability affecting cPanel \\u0026 WHM, including DNSOnly, in versions after 11.40. The flaw, discovered by WatchTowr Labs, exists in the login flow and allows unauthenticated remote attackers to gain unauthorized access to the control panel. The vulnerability carries a CVSS 3.1 score of 9.8 and is classified under CWE-306: Missing Authentication for Critical Function.\\n\\ncPanel \\u0026 WHM is widely used to manage web hosting environments. WHM provides administrative access to hosting infrastructure, while cPanel gives individual account holders control over their hosted sites. Because this vulnerability affects the authentication layer of a management interface, successful exploitation could give attackers access to high-value administrative functions across hosting environments. The issue affects all currently supported versions of cPanel \\u0026 WHM, and the flaw is tied to session loading and saving behavior.\\n\\ncPanel has released patched versions and recommends immediate updates. Administrators should update a fixed version, verify the cPanel build, and restart the cPanel service. For environments that cannot immediately patch, cPanel recommends blocking inbound traffic on ports 2083, 2087, 2095, and 2096 or temporarily stopping affected services.\\n\\n_Imperva customers are protected out-of-the-box against CVE-2026-41940._\\n\\n## Observations from Our Data\\n\\nSince the release of CVE-2026-41940, Imperva has observed nearly 4,000 attack requests targeting customer environments.\\n\\nOur data shows:\\n\\n * Attacks targeting sites across **15 distinct industries** and **17 countries** , indicating broad scanning and opportunistic exploitation rather than activity concentrated against a single vertical or geography.\\n * **US-based sites accounted for almost 70% of observed attacks** , followed by **Barbados** and **Israel.** The heavy concentration against US sites suggests attackers are prioritizing regions with large hosting and web infrastructure footprints, while the presence of smaller geographies indicates automated discovery across exposed internet-facing assets.\\n\\n\\n\\n * The most frequently targeted industries were **Business** , **Society** , and **Education**. This distribution reflects the broad deployment of hosting control panels across organizations that maintain public-facing websites, portals, and distributed web infrastructure.\\n\\n\\n\\nWhile observed volume remains limited compared to mass exploitation campaigns, the spread across industries and countries shows active probing for exposed cPanel and WHM instances. Given the vulnerability\u2019s unauthenticated nature and impact on administrative access, even moderate request volumes warrant urgent attention, and attack volumes will likely grow.\\n\\n### **Mitigation and Protection**\\n\\nThe definitive remediation for CVE-2026-41940 is to update cPanel \\u0026 WHM to a patched version immediately. Organizations should also review cPanel\u2019s detection guidance, inspect session files for indicators of compromise, and audit WHM access logs for unauthorized activity. cPanel\u2019s advisory specifically recommends purging affected sessions, forcing password resets for root and WHM users, and checking for persistence mechanisms if indicators of compromise are found.\\n\\nImperva customers using Cloud WAF and WAF Gateway are protected against exploitation techniques associated with CVE-2026-41940. Imperva\u2019s web application firewall inspects HTTP traffic for malicious patterns, helping block attempts to abuse authentication workflows and session-handling behavior before they reach vulnerable systems.\\n\\n_For customers with Cloud WAF, protection is automatically applied. Customers with WAF Gateway should refer to the manual mitigation guide sent by Imperva support teams and provided in the Imperva Community Guide._\\n\\n### **Conclusion**\\n\\nCVE-2026-41940 represents a critical risk for organizations running exposed cPanel \\u0026 WHM infrastructure. Its combination of unauthenticated access, low attack complexity, and potential administrative impact makes it a high-priority vulnerability for patching, monitoring, and incident review.\\n\\nImperva customers are protected against exploitation attempts associated with this vulnerability through Imperva\u2019s web application firewall protections and HTTP traffic inspection capabilities. Organizations running cPanel \\u0026 WHM should still apply vendor patches immediately, validate their deployed versions, and review available logs and session artifacts for signs of compromise.\\n\\nThe post Imperva Customers Protected Against CVE-2026-41940 in cPanel \\u0026 WHM appeared first on Blog.”,”published”:”2026-04-30T17:38:05″,”modified”:”2026-04-30T17:38:05″,”type”:”impervablog”,”title”:”Imperva Customers Protected Against CVE-2026-41940 in cPanel \\u0026 WHM”,”source”:””,”references”:””,”id”:”IMPERVABLOG:25429CC254B83B38F3B54A8A8A6FB72E”,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[“CVE-2026-41940″],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.imperva.com\/blog\/imperva-customers-protected-against-cve-2026-41940-in-cpanel-whm\/”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-30T18:06:32″,”description”:”## What is CVE-2026-41940?\\n\\nCVE-2026-41940 is a critical authentication bypass vulnerability affecting cPanel \\u0026 WHM, including DNSOnly, in versions after 11.40. The flaw, discovered by WatchTowr…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[9,6,8,35,12,59,13,7,11,5],"class_list":["post-50499","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-impervablog","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n