By rssfeeds-admin CVE-2026-41940 is a critical pre-authentication flaw rooted in how cPanel’s Session.pm module handles HTTP Authorization headers during login.
The vulnerability stems from the saveSession() function writing session data to disk before calling filter_sessiondata() for sanitization — meaning CRLF characters embedded in a Basic authorization header are written verbatim into the on-disk session file.
An attacker can inject fields such as user=root, hasroot=1, and tfa_verified=1 directly into the session file, effectively forging a fully authenticated root WHM session without any valid credentials.
The flaw carries a CVSS score of 9.8 (Critical) and affects all cPanel & WHM versions after 11.40, as well as WP Squared (WordPress Squared) v136.1.7. cPanel disclosed the issue on April 28, 2026, and issued emergency patches the same day, but exploitation was already actively underway.
cPanelSniper: Four-Stage Exploit Chain
Released publicly on GitHub by security researcher Mitsec (@ynsmroztas), cPanelSniper automates exploitation through a precise four-stage attack chain:
-
Stage 1 — Mints a pre-auth WHM session using intentionally invalid credentials, obtaining a
whostmgrsessioncookie -
Stage 2 — Injects CRLF payload via a crafted
Authorization: Basicheader, causingcpsrvdto write poisoned session fields to disk -
Stage 3 — Triggers the internal
do_token_deniedgadget via/scripts2/listaccts, flushing raw session data into the cache and activating the injected fields -
Stage 4 — Verifies full WHM root access by querying
/json-api/version, returning HTTP 200 and confirming a “PWNED” state
The tool requires no external dependencies; it is pure Python 3.8+ stdlib and supports bulk scanning, pipeline integration with tools like Subfinder and Shodan, interactive WHM shell access, and post-exploitation actions including command execution, account enumeration, and backdoor admin creation.
The Shadowserver Foundation confirmed on April 30, 2026, that 44,000 unique IP addresses were observed scanning for victims, launching exploits, or conducting brute-force attacks against their honeypot sensors.
Exploitation activity has been traced back to at least February 23, 2026, indicating that attackers were exploiting this zero-day roughly two months before any patch existed. Attack outcomes include ransomware deployment, website defacements, and botnet recruitment.
The scale of exposure is alarming: approximately 650,000 cPanel/WHM instances remain internet-facing, with roughly 1.5 million potentially vulnerable instances identified via Shodan.
CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities (KEV) catalog on May 1, 2026.
Mitigations
cPanel rolled out emergency patches across all active branches:
| Branch | Vulnerable ≤ | Patched Version |
|---|---|---|
| 110.x | 11.110.0.96 | 11.110.0.97 |
| 118.x | 11.118.0.62 | 11.118.0.63 |
| 126.x | 11.126.0.53 | 11.126.0.54 |
| 132.x | 11.132.0.28 | 11.132.0.29 |
| 134.x | 11.134.0.19 | 11.134.0.20 |
| 136.x | 11.136.0.4 | 11.136.0.5 |
Administrators should immediately update via /scripts/upcp --force, restart the cpsrvd and cpdavd services, and block inbound traffic on cPanel ports 2083, 2087, 2095, and 2096 at the firewall.
Security teams should audit session directories for suspicious session files containing injected fields and rotate all administrative credentials as a precaution.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post cPanelSniper – PoC Exploit Disclosed for cPanel Vulnerability, 44,000 Servers Compromised appeared first on Cyber Security News.
Discover more from RSS Feeds Cloud
Subscribe to get the latest posts sent to your email.