SCRL

🚨 BREAKING: cPanel and WHM, the control panels behind an estimated 70+ million websites, have a critical security flaw that lets anyone become root admin without a password. CVE-2026-41940 affects every supported version. It’s already being exploited in the wild. watchTowr Labs published the full attack today, after the hosting company KnownHost confirmed the bug was already being used to break into a significant chunk of the internet. If you've never heard of cPanel: it's the dashboard that hosting providers and millions of website owners use to manage their servers, domains, email accounts, databases, and SSL certificates. WHM is the admin version that controls the entire server. If someone gets root access to WHM, they get the keys to the kingdom and to every apartment inside it. How the attack works, in plain English: 🔴 Step 1: The attacker sends a deliberately wrong login. cPanel still creates a temporary "you tried to log in" record on disk and gives the attacker a cookie tied to it. 🔴 Step 2: The attacker tweaks the cookie to disable cPanel's password encryption. Normally cPanel encrypts the password field on disk. With one small change to the cookie, cPanel just stores it as plain text instead. 🔴 Step 3: The attacker sends a fake login attempt where the password field secretly contains hidden line breaks. cPanel does not strip these line breaks out, so they get written straight to the session file. Each line break creates a brand new fake record. The attacker uses this to inject lines that say "this user is root" and "this user already authenticated successfully." 🔴 Step 4: The attacker visits one more random page on the site to nudge cPanel into re-reading the file. cPanel then promotes the injected fake lines into its main session memory. 🔴 Step 5: On the next request, cPanel sees a flag that says "this user already passed the password check." cPanel trusts that flag, skips checking the actual password, and lets the attacker in as root. From start to finish, the attack takes a handful of HTTP requests. If you run cPanel or WHM, the patched versions are: 🔴 cPanel/WHM 110.0.x → 11.110.0.97 🔴 cPanel/WHM 118.0.x → 11.118.0.63 🔴 cPanel/WHM 126.0.x → 11.126.0.54 🔴 cPanel/WHM 132.0.x → 11.132.0.29 🔴 cPanel/WHM 134.0.x → 11.134.0.20 🔴 cPanel/WHM 136.0.x → 11.136.0.5 If your version is older than these, assume someone has already broken in and act accordingly. Patch right now, then rotate every password and key the server touched: root passwords, API tokens, SSL private keys, SSH keys, mail passwords, and database passwords.

Update: the balancer hacker has added console logs onchain. there is also a good probability that the hackers vibe coded the attack or used LLMs. Here's why I think that: >hackers usually never leave console.log in production code. >when console.log does appear on-chain, it’s almost always a mistake. >a mistake like that only happens if the coder forgot to delete debug lines. >forgetting to delete debug lines = copy-pasted straight from an LLM. >LLMs love to add console.log("Step 1") to “help you follow”. >So when the log says garbage like Done with amts1, it’s mostly AI slop.

The GLP pool of GMX V1 on Arbitrum has experienced an exploit. Approximately $40M in tokens has been transferred from the GLP pool to an unknown wallet. Security has always been a core priority for GMX, with the GMX smart contracts undergoing numerous audits from top security specialists. So, in this hands-on-deck moment, all core contributors are investigating how the manipulation occurred, and what vulnerability may have enabled it. Our security partners are also deeply involved, to ensure we gain a thorough understanding of the events that occurred and minimise any associated risks as quickly as possible. Our primary focus is on recovery and pinpointing the root cause of the issue. Actions taken: Trading on GMX V1, and the minting and redeeming of GLP, have been disabled on both Arbitrum and Avalanche to prevent any further attack vectors and protect users from additional negative impacts. Scope of the vulnerability: Please note that the exploit does not affect GMX V2, its markets, or liquidity pools, nor the GMX token itself. Based on the available information, the vulnerability is limited to GMX V1 and its GLP pool. As soon as we have more complete and validated information, a detailed incident report will follow.