cPanel/WHM vulnerability (CVE-2026-41940): Immediate recovery and protection guide

Due to the severity of the cPanel/WHM vulnerability (CVE-2026-41940), servers may be compromised without requiring valid login credentials, even if Two-Factor Authentication (2FA) is enabled.

This article provides immediate steps to secure and recover your server, along with answers to the most common questions.




⚠️ Immediate Action Required

If your server is affected or you suspect it has been compromised:

1. Restore a Clean Backup

  • Check for:
    • VPS snapshots created before the server was compromised
    • Auto Backup service backups (if enabled)
  • Restore a backup from at least 48 hours before the server was compromised

2. Update Immediately After Restoration

After restoring:

  • Update cPanel & WHM to the latest version
  • Apply all operating system updates

Ensure your version is at least one of the following:

  • 11.86.0.41 or higher
  • 11.110.0.97 or higher
  • 11.118.0.63 or higher
  • 11.124.0.35 or higher
  • 11.126.0.54 or higher
  • 11.130.0.19 or higher
  • 11.132.0.29 or higher
  • 11.134.0.20 or higher
  • 11.136.0.5 or higher

For further details please check the following article published by cPanel: Security: CVE-2026-41940 - cPanel & WHM / WP2 Security Update 04/28/2026
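A version has to be compared against the entry for its own release series: 11.110.0.10 is numerically above 11.86.0.41 but below the 11.110 entry. The script below is an added example, not part of the original article or cPanel's own tooling. It assumes each list entry is the minimum fixed build for its series, that the installed version is stored in /usr/local/cpanel/version, and it reports any series missing from the list as "unlisted" so it can be checked against cPanel's advisory.

```shell
#!/bin/sh
# Minimum fixed builds copied from the list above. Assumption: each entry
# is the floor for its own release series (the second number) only.
FIXED="11.86.0.41 11.110.0.97 11.118.0.63 11.124.0.35 11.126.0.54
11.130.0.19 11.132.0.29 11.134.0.20 11.136.0.5"

# Prints patched, unpatched, unlisted or invalid for a version string
# such as 11.110.0.96.
check_cpanel_version() {
    case $1 in ''|*[!0-9.]*) echo invalid; return 0 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1                        # split into $1.$2.$3.$4
    IFS=$old_ifs
    if [ $# -ne 4 ] || [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ] || [ -z "$4" ]; then
        echo invalid; return 0
    fi
    [ "$1" -eq 11 ] || { echo unlisted; return 0; }
    for f in $FIXED; do
        rest=${f#*.}                 # e.g. 110.0.97
        f_series=${rest%%.*}         # 110
        [ "$f_series" -eq "$2" ] || continue
        rest=${rest#*.}              # 0.97
        f_minor=${rest%.*}; f_build=${rest#*.}
        if [ "$3" -gt "$f_minor" ] ||
           { [ "$3" -eq "$f_minor" ] && [ "$4" -ge "$f_build" ]; }; then
            echo patched
        else
            echo unpatched
        fi
        return 0
    done
    # Series not in the article's list: do not guess, check cPanel's advisory.
    echo unlisted
}

VERSION_FILE=/usr/local/cpanel/version   # assumed location on a cPanel host
if [ -r "$VERSION_FILE" ]; then
    v=$(cat "$VERSION_FILE")
    echo "$v: $(check_cpanel_version "$v")"
else
    # No cPanel here: run over constructed sample versions instead.
    for v in 11.110.0.96 11.110.0.97 11.136.0.5 11.120.0.30; do
        echo "$v: $(check_cpanel_version "$v")"
    done
fi
```

A "patched" result only confirms the installed build; it says nothing about whether the server was compromised before the update.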


3. If You Cannot Update (Outdated Systems)


Frequently Asked Questions

Why can’t I log in (even with 2FA)?

This vulnerability allows attackers to bypass authentication entirely.
If your credentials fail, your server has likely been compromised and access settings changed.


Where are my backups or snapshots?

  • Only backups visible in your Customer Control Panel exist.
  • Contabo does not store additional backups.

⚠️ Important Notes

  • A precautionary snapshot labeled “contabo_cpanel” may be available. This snapshot can be used to restore your system to a previous state if needed. However, it is possible that the server was already compromised when the snapshot was created.
  • If no backups are listed:
    • They were not configured, expired, or removed
    • No recovery points exist

My websites are still working. Is my server safe?

No.

Attackers often leave websites and email services running to avoid detection while using the server in the background.

If you cannot access WHM, your server is considered compromised.


Recovery options

Option A: Restore from Backup (If Available)

  1. Restore the latest clean backup from your panel
  2. ⚠️Critical step*: Immediately log in via SSH and run:

/scripts/upcp --force 


*Without this step, re-infection can occur within minutes.


Option B: Rescue System & Fresh Installation (Safest)

  1. Boot into the Rescue System
    (See How Do I Boot a Rescue System For My Server?)
  2. Recover any necessary data
  3. ⚠️ Important: Perform a full OS reinstallation (See How can I reinstall my operating system?)

This is the only reliable way to remove all backdoors and malicious access.


Support limitation

  • Contabo provides self-managed infrastructure only
  • Support cannot:
    • Access your server
    • Clean compromised systems
    • Perform internal recovery actions

For hands-on assistance, please contact a professional system administrator.


⚠️Backup Policy Reminder:

  • Contabo does not create or store backups
  • Only backups you configured are available
  • If none exist, the only option is a full system reinstallation and manual setup.

Recommendation:

Due to the critical nature of CVE-2026-41940:

  • Act immediately
  • Prefer full reinstallation if there is any uncertainty
  • Do not rely on partial cleanups, as persistent access is likely.
