Hackers Abuse CVE-2026-41940 to Take Over cPanel and WHM Servers

    Date: 05/13/2026

    Severity: Critical

    Summary

    CVE-2026-41940 is a severe authentication bypass flaw (CVSS score: 9.8) impacting cPanel and WebHost Manager (WHM) deployments globally. The vulnerability allows remote attackers to circumvent the authentication mechanism and obtain unauthorized access without requiring legitimate credentials. With its near-maximum CVSS score, the flaw effectively enables threat actors to gain unrestricted access to affected systems. Exploitation may result in complete compromise of hosted websites, exposure of sensitive information, and control over the affected server infrastructure, significantly increasing the risk of widespread server compromise.

    Indicators of Compromise (IOC) List

    Domains/URLs :

    cp.dene.de.com

    wrned.com

    wpsock.com

    Hash : 

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "wpsock.com" or url like "wpsock.com" or siteurl like "wpsock.com" or domainname like "wrned.com" or url like "wrned.com" or siteurl like "wrned.com" or domainname like "cp.dene.de.com" or url like "cp.dene.de.com" or siteurl like "cp.dene.de.com"
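
The same three domains can be swept offline against exported proxy or DNS logs. This is an added example, not part of the original advisory or of Gurucul's product: it matches the listed domains on hostname label boundaries, so subdomains hit while look-alike names and query-string mentions do not. The log format, sample lines and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Domains taken from the advisory's IoC list above.
IOC_DOMAINS = ("cp.dene.de.com", "wrned.com", "wpsock.com")

# Constructed sample log lines (assumed whitespace-separated proxy/DNS export).
SAMPLE_LOG = [
    "2026-05-13T10:02:11Z 10.0.0.5 GET https://wpsock.com/a.js 200",
    "2026-05-13T10:02:15Z 10.0.0.5 GET https://notwpsock.com/ 200",
    "2026-05-13T10:03:40Z 10.0.0.9 CONNECT static.wrned.com:443 200",
    "2026-05-13T10:04:02Z 10.0.0.9 GET https://example.org/?ref=wrned.com 200",
    "2026-05-13T10:05:19Z 10.0.0.7 DNS cp.dene.de.com. A",
    "2026-05-13T10:06:00Z 10.0.0.7 DNS dene.de.com A",
]

def normalize_host(value):
    """Return the lowercase hostname of a URL, host:port or defanged indicator."""
    v = value.strip().lower()
    v = v.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http", 1)
    if "://" not in v:
        v = "//" + v  # lets urlsplit treat a bare host as the network location
    try:
        host = urlsplit(v).hostname or ""
    except ValueError:  # malformed token, e.g. unbalanced brackets
        return ""
    return host.rstrip(".")  # drop the trailing dot of a fully qualified name

def matched_ioc(value):
    """Return the IoC domain that value equals or is a subdomain of, else None."""
    host = normalize_host(value)
    for domain in IOC_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def scan(lines):
    """Return (line_number, ioc_domain, token) for every token that matches."""
    hits = []
    for number, line in enumerate(lines, 1):
        for token in line.split():
            ioc = matched_ioc(token.strip("\"',"))
            if ioc:
                hits.append((number, ioc, token))
    return hits

if __name__ == "__main__":
    for number, ioc, token in scan(SAMPLE_LOG):
        print(f"line {number}: {token} matches IoC {ioc}")
```
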

    Detection Query 2 :

    md5hash IN ("07d5b16a9163d34590d944a60a51aaa6","3c91a5ea7dc98a8283f07952f2aed5ff","2286f126ab4740ccf2595ad1fa0c615c","3398e517c5efcbda5484f2b2ec280f46","fff27e9fbb4b9cad8b9ad7b1a3aa8cd6","3e9a03374236c917e9a74d1e8035a2ea","fb1bc3f935fdeb3555465070ba2db33c","e22865b75a197c38cb499d1fba721d79","63c97564bd2ffeae6c11f7783ced701e","9305b4ebbb4d39907cf36b62989a6af3","347b83a952d0336a021ffe91d6bded5b","53cf689484acee70f941e74cacbd863b","eb5501effabe3c9b7e66dd4dd2ee04cc","0b3b865374abe69f3de3f733f39b78fb","8bde36c90c3dfbe7ac09eb5d3e701551","66aa609cfa85f5ea64a7896064554935","5e9da7abbf034024161b987d10bb1193","77918bb97659f2909814944c3baa2486")

    Detection Query 3 :

    sha1hash IN ("a2eace24bc93462de7fe52a995e85fd67d2a26c5","5ce71c36e861230f71ab913bcd6c2062707728d2","707bfa3a7b72e9135050c8cb7573d826cd175e99","d10fbb8d63bd35d2dee9eed5a9301b260c81ef10","fe4d211e88bc9d1e46609536b32379f6b4b349a2","2ab393c0041d272a1315c3bc27c40d2be80e91d7","3b9d20b69b6f3b1775153b476c46fc4d369acf76","f2269d2b42b748264fab8e395d847ccf927e6b0c","d5c7128cea24ef10807a4af449ab7f8f6cbed9c9","488485c28c356c38777f3a74f840163539c648c3","261f6af1f97f6224d9e3d736da4b9ccc1e132e93","1c91d2c7f2e9e0634ac9843b1efa255e25b597dd","4a7b2898a6cfa4adac8ed4af850da3031824fe0b","0c00c9754e72146b5312e42b5a78b3ca204678bb","9a2482171d37452501c8837aae5d310ac1dcad24")

    Detection Query 4 :

    sha256hash IN ("7c5e11016eb561278234bbc3d90b327ba50a7991644946539cd5bc80e9de198c","b40de809f90af564a0a0d35141d6eab19b631c26fb0c39647fe34bb3a9cb0f80","9b35d7a4ac1192ec229463621c7aa4d7089147dc335bfd39fb0743c69dd34234","8c8e5f0fef17de39787e2b6feec0460e6b0d1bf270f869cd677380b1593727bb","deacd520cc935d91d71fb78bb2e93e88bac15876b1804219f9dd7ea53fca401d","7cfa658072ed6318d49c01d8c74f0650a6c798d6dce86d18a6615bdc69c0a765","5d4a368127f3bd56dbed5cb6a5b8963c637d0b0639788c84c89d8bf40fbc6ba2","cf19733fa2c1d876cfd7b22d38c824d6fdb70326b2d6e264d44da72a1f30f98f","923d12388aa13b88649da20ffb54dd49adc58e5dae5db1b3c65c342492ca5ffe","498a484463e325452c2d35e70bdcc08ad8ec7974e2f234f9f328a4694014c80f","e1a68307f4487a95bd6ffe7798f9142c5e176cdf7a045960fdee9b2af3365771","14f0e31c641eb3ead74bf6470802fb1dd6d0258730d8093f7950161c58dabc5a","c383447a427598201d78ca9141866c5d1e704b2d9799fdca903c2c63a2f09229","a5323082ce3f92e02400ddb64aef2023cccb9d440bd35015647af8063cf79c34","d0a0066c0ea0c83572afa85949b3b2d3ee3f265ed858fa635072363e56e10ea4")

    Reference:    

    https://cybersecuritynews.com/hackers-abuse-cpanel-and-whm-servers/

