In recent days, one of the most critical vulnerabilities in the history of the web hosting industry was disclosed, CVE-2026-41940, in the cPanel and WHM software. With a CVSS score of 9.8 out of 10, the vulnerability was listed as actively exploited by CISA, putting millions of websites worldwide at serious risk. To date, more than 44,000 IP addresses have been scanned and exploited, and there have been multiple reports of affected servers being encrypted by Go-based ransomware (with the extension .sorry).

 

Gisso Hosting's Reaction

From the moment the news was first published, Gisso Hosting's technical infrastructure manager took action. All cPanel servers were immediately isolated, and the exposed cPanel/WHM service ports, including 2082, 2083, 2086, 2087, 2095 and 2096, were blocked at the firewall level. The official cPanel detection script was run on all servers, suspicious sessions under the /var/cpanel/sessions/raw/ path were carefully examined, and the cpsrvd logs were analyzed. As soon as cPanel officially released the patch, version 11.136.0.5 was applied to all servers and the cpsrvd service was restarted. Finally, a complete audit of SSH keys, cron jobs and API tokens was also performed.

 

Result

While many large domestic and foreign providers interrupted their customers' services for hours, and some watched attackers encrypt their users' data, there was not a single sign of intrusion in Gisoo Hosting's infrastructure: no servers were compromised and no customer data was stolen. This outcome is the result of our team's speed of action and security-oriented approach.

 

Technical Description of the Vulnerability

This vulnerability is an Authentication Bypass vulnerability caused by CRLF Injection in the session loading and saving process. Before performing authentication, the cpsrvd service would create a session file on disk and user-controlled input would be written to it via the Authorization header without proper sanitization. By injecting control characters (Carriage Return and Line Feed), the attacker could add lines to the session file that would be parsed as top-level session entries, including user=root, hasroot=1, tfa_verified=1, and an arbitrary cp_security_token. On the next request, the URL token check would pass, the password challenge would be dropped due to the injected timestamp, the 2FA challenge would be ignored, and cpsrvd would execute the command with root privileges. In simple terms, an attacker gains complete control of the server without having a username, password, or two-factor authentication. The public release of the PoC by watchTowr Labs allowed the attack to be widely deployed within hours.
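The session-file examination described in the response above, and the mechanism just described (injected CRLF turning part of a header value into extra top-level key=value entries), can be turned into a simple triage check. The script below is an added example written for this page; it is not cPanel's official detection script and should be run alongside it, not instead of it. It assumes session files are newline-separated key=value lines, which is the shape the advisory gives for the injected entries (user=root, hasroot=1, tfa_verified=1, cp_security_token=...); the exact layout cpsrvd writes under /var/cpanel/sessions/raw/ is an assumption here, and the two sample files are constructed.

```python
"""Flag CRLF-injection indicators in cPanel-style session files.

Added example for this page, not cPanel's official detection script. It
assumes session files are newline-separated key=value lines (the shape the
advisory gives for the injected entries, e.g. user=root); the exact layout
cpsrvd writes under /var/cpanel/sessions/raw/ is treated as an assumption,
and the sample files below are constructed.
"""
import sys
from collections import Counter
from pathlib import Path

# Entries the advisory names as the escalation payload.
ESCALATING = {("user", "root"), ("hasroot", "1"), ("tfa_verified", "1")}
PRIVILEGED_KEYS = {"user", "hasroot", "tfa_verified", "cp_security_token"}


def split_lines(raw: bytes) -> list:
    """Split on LF only, so a CR from an injected CRLF survives on its line."""
    lines = raw.split(b"\n")
    if lines and lines[-1] == b"":
        lines.pop()
    return lines


def scan_session(raw: bytes) -> dict:
    """Return {"suspicious": bool, "findings": [(kind, detail), ...]}.

    kinds:
      crlf          some lines end in CR LF while the rest end in LF only;
                    the CR is what an injected line break leaves behind
      duplicate-key the same top-level key appears more than once, i.e. an
                    injected entry shadows the one cpsrvd wrote itself
      escalation    an escalating entry from the advisory, or a privileged
                    key sitting on a CR-terminated line
    A legitimate root session may carry user=root, so only crlf and
    duplicate-key mark the file as suspicious; escalation is supporting detail.
    """
    lines = split_lines(raw)
    cr_lines = {i for i, ln in enumerate(lines) if ln.endswith(b"\r")}
    findings = []
    if 0 < len(cr_lines) < len(lines):
        findings.append(("crlf", sorted(cr_lines)))
    keys = Counter()
    for idx, ln in enumerate(lines):
        key, sep, value = ln.rstrip(b"\r").partition(b"=")
        if not sep:
            continue  # not a key=value entry; ignore
        k = key.decode("utf-8", "replace")
        v = value.decode("utf-8", "replace")
        keys[k] += 1
        if (k, v) in ESCALATING or (k in PRIVILEGED_KEYS and idx in cr_lines):
            findings.append(("escalation", f"{k}={v}"))
    for k, n in keys.items():
        if n > 1:
            findings.append(("duplicate-key", k))
    suspicious = any(kind in ("crlf", "duplicate-key") for kind, _ in findings)
    return {"suspicious": suspicious, "findings": findings}


def scan_directory(directory: Path) -> dict:
    """Scan every regular file in a session directory; map file name -> result."""
    return {p.name: scan_session(p.read_bytes())
            for p in sorted(directory.iterdir()) if p.is_file()}


# Constructed samples: a normal session and one carrying injected entries.
BENIGN = b"user=alice\nauthtype=form\ntfa_verified=0\ncp_security_token=cpsess1111111111\n"
INJECTED = (
    b"user=alice\n"
    b"authorization=Bearer sample\r\n"  # stored header value ended with CR LF
    b"user=root\r\n"
    b"hasroot=1\r\n"
    b"tfa_verified=1\r\n"
    b"cp_security_token=cpsess0000000000\r\n"
    b"ts=1777000000\n"
)

if __name__ == "__main__":
    # With a directory argument, scan it (ideally a read-only copy of the
    # session store); without one, demonstrate on the constructed samples.
    if len(sys.argv) > 1:
        results = scan_directory(Path(sys.argv[1]))
    else:
        results = {"benign": scan_session(BENIGN), "injected": scan_session(INJECTED)}
    for name, res in results.items():
        if res["suspicious"]:
            print(f"SUSPICIOUS {name}")
            for kind, detail in res["findings"]:
                print(f"  {kind}: {detail}")
```

A file that uses CR LF endings consistently is deliberately not flagged, since the signal is mixed line endings within one file; if the real session store turns out to use a different serialization, the key=value parsing in scan_session is the only part that needs adjusting.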

 

Current Precautions

Although Gisu Hosting's infrastructure is fully patched and secure, to further ensure user security, direct communication between Gisu Hosting's user panel and cPanel has been temporarily disconnected, and direct login to cPanel is currently unavailable. Users who require immediate access can submit a request through the ticketing system; the support team will provide access at the user's own risk after authentication. This restriction is temporary and will be lifted as soon as we are fully confident that the situation is stable across the global cPanel ecosystem.

 

Final Words

At Gisu Hosting, the security of your data is not a slogan; it is an operational commitment. The difference between an ordinary hosting provider and a professional one is revealed in critical moments like these: while millions of websites around the world were damaged, we are proud to announce that not a single Gisu Hosting user was harmed in this storm.

 

Wednesday, May 6, 2026

