Patch CVE-2026-41940. Close the proxy-subdomain backdoor. Get your server quiet again — with a fixed-price, documented incident response from a team that's delivered 1,500+ projects across 20 years.
17,700+ cPanel servers were exposed when CVE-2026-41940 dropped on April 28, 2026. If yours is showing token_denied errors, your monitoring is firing alerts you can't explain, or something feels off when you log in to WHM, you may have been hit by CVE-2026-41940 — the critical cPanel/WHM authentication bypass (CVSS 9.8) actively exploited in the wild — or a related session-manipulation exploit chain. Aisling's incident response team patches the vulnerability, removes attacker persistence, hardens the proxy-subdomain attack surface, and delivers a written report on every engagement.
A compromised hosting server quickly leads to blacklisted domains, stolen client data, regulatory exposure, and repeated reinfection. Move fast — every hour matters.
token_denied errors in cPanel or WHM/var/cpanel/sessions/raw/We clean the active compromise, remove known persistence, patch cPanel/WHM, and harden the server so it stays patched and quiet.
/var/cpanel/sessions/raw/ (CRLF-injected sessions)whm.*, webmail.*, cpanel.* Apache rewrites)authorized_keys reviewWe check the server for known exploit indicators: suspicious session files, recent logins, persistence mechanisms, vulnerable versions.
We identify attacker IPs, exposed services, and immediate reinfection risks, and contain where safe before full cleanup.
We remove malicious session files, inspect persistence locations, sweep for backdoors, and review cron jobs and SSH keys.
We update cPanel/WHM, tune cPHulk, restrict WHM/SSH access, and review firewall rules.
We re-run checks, confirm indicators are clear, and deliver a written report with prioritized next steps.
Aisling has supported regulated clients for over two decades. Every action we take during a cPanel/WHM incident is timestamped and documented to support the frameworks your auditors will ask about.
Operating in a regulated vertical? Ask about our compliance-grade engagement option.
Deleting the visible session files is rarely enough — especially with CVE-2026-41940. The exploit chain abuses CRLF injection to manipulate raw session files, then promotes the manipulated session to gain root access through WHM. Cleanup that misses any of these gaps gets reinfected:
Our goal isn't to remove the obvious files. It's to patch the underlying vulnerability, audit the session cache, review the proxy-subdomain attack surface that exposes WHM even when ports 2086/2087 are firewalled, and harden the rest.
For one server with a confirmed or suspected session-injection issue.
For active compromises, ongoing spam abuse, or business-impacting downtime.
Hosting providers, agencies, or servers with many cPanel accounts and repeated reinfection.
Weekly or monthly monitoring designed for cPanel/WHM environments.
You keep your cPanel license, hosting billing login, payment provider, and unrelated personal accounts to yourself — those stay out of scope.
"Aisling has been an outstanding partner. Their team is professional, knowledgeable and customer-service driven."John LabkinsPartner & CEO, Telecommunications
"I've been a customer for more than a decade. If there's an issue, they step in immediately."Daniel LegranteCIO, Restaurant Product Supplier
5.0 average across 31 verified reviews · Microsoft, AWS, Google Cloud, and Salesforce partner
If your cPanel/WHM build is older than the patched versions released on April 28, 2026 (11.86.0.41, 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, 11.136.0.5; WP Squared 136.1.7), yes. The vulnerability affects all cPanel/WHM versions after 11.40 and is exploitable over the public network with no authentication. Even if WHM ports 2086/2087 are firewalled, the proxy-subdomain rewrites used by default cPanel installs (whm.example.com, webmail.example.com) expose the vulnerable login flow through the public web. We verify the patch level and the proxy-subdomain attack surface as the first step of every engagement.
token_denied cPanel issue?Yes — when caused by malicious or injected session files. We remove the affected files, patch cPanel/WHM, and check for related compromise indicators.
Yes. Patching is a critical part of cleanup. Removing malicious files without patching leads to reinfection.
Yes. Proper cleanup and verification require root-level access. WHM access is helpful, but SSH is usually required for a complete incident response.
Patching the underlying vulnerability (CVE-2026-41940 and any others discovered during triage), closing the proxy-subdomain attack surface, rotating every credential, tuning cPHulk and CSF to detect repeat probes, and giving you a checklist of what to monitor going forward. No honest security firm guarantees the future — what we deliver is a patched, hardened, documented server that is dramatically harder to reinfect through the same path.
Yes, strongly recommended. We can help you create one before cleanup begins if you don't already have one.
Yes — plus LiteSpeed, Apache, Exim, and standard WHM stacks.
Yes. Engagements are billed in EUR or USD; invoicing supports VAT and US W-9.
If your server is showing token_denied, suspicious session files, spam abuse, or signs of compromise, message our incident response team for an emergency diagnostic.
In your message, include: server symptoms · WHM/cPanel version (if known) · number of hosted accounts · whether the server is actively sending spam or offline · your preferred response time.