CVE-2026-41940 is a critical pre-authentication flaw rooted in how cPanel’s Session.pm module handles HTTP Authorization headers during login.
The vulnerability stems from the saveSession() function writing session data to disk before calling filter_sessiondata() for sanitization — meaning CRLF characters embedded in a Basic authorization header are written verbatim into the on-disk session file.
An attacker can inject fields such as user=root, hasroot=1, and tfa_verified=1 directly into the session file, effectively forging a fully authenticated root WHM session without any valid credentials.
The flaw carries a CVSS score of 9.8 (Critical) and affects all cPanel & WHM versions after 11.40, as well as WP Squared (WordPress Squared) v136.1.7. cPanel disclosed the issue on April 28, 2026, and issued emergency patches the same day, but exploitation was already actively underway.
Released publicly on GitHub by security researcher Mitsec (@ynsmroztas), cPanelSniper automates exploitation through a precise four-stage attack chain:
whostmgrsession cookieAuthorization: Basic header, causing cpsrvd to write poisoned session fields to diskdo_token_denied gadget via /scripts2/listaccts, flushing raw session data into the cache and activating the injected fields/json-api/version, returning HTTP 200 and confirming a “PWNED” stateThe tool requires no external dependencies; it is pure Python 3.8+ stdlib and supports bulk scanning, pipeline integration with tools like Subfinder and Shodan, interactive WHM shell access, and post-exploitation actions including command execution, account enumeration, and backdoor admin creation.
The Shadowserver Foundation confirmed on April 30, 2026, that 44,000 unique IP addresses were observed scanning for victims, launching exploits, or conducting brute-force attacks against their honeypot sensors.
Exploitation activity has been traced back to at least February 23, 2026, indicating that attackers were exploiting this zero-day roughly two months before any patch existed. Attack outcomes include ransomware deployment, website defacements, and botnet recruitment.
The scale of exposure is alarming: approximately 650,000 cPanel/WHM instances remain internet-facing, with roughly 1.5 million potentially vulnerable instances identified via Shodan.
CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities (KEV) catalog on May 1, 2026.
cPanel rolled out emergency patches across all active branches:
| Branch | Vulnerable ≤ | Patched Version |
|---|---|---|
| 110.x | 11.110.0.96 | 11.110.0.97 |
| 118.x | 11.118.0.62 | 11.118.0.63 |
| 126.x | 11.126.0.53 | 11.126.0.54 |
| 132.x | 11.132.0.28 | 11.132.0.29 |
| 134.x | 11.134.0.19 | 11.134.0.20 |
| 136.x | 11.136.0.4 | 11.136.0.5 |
Administrators should immediately update via /scripts/upcp --force, restart the cpsrvd and cpdavd services, and block inbound traffic on cPanel ports 2083, 2087, 2095, and 2096 at the firewall.
Security teams should audit session directories for suspicious session files containing injected fields and rotate all administrative credentials as a precaution.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post cPanelSniper – PoC Exploit Disclosed for cPanel Vulnerability, 44,000 Servers Compromised appeared first on Cyber Security News.
A weaponized proof-of-concept exploit framework, cPanelSniper, has been publicly released to exploit a critical vulnerability…
Susan Stevens sat cross-legged in front of the crowd, a pride flag tucked into one…
Wyatt Porter-Brown knows a thing or two about trees. A skilled tree climber, he worked…
Despite announcements that the redevelopment of Steeplegate Mall was back on the books, the owners…
INDIANAPOLIS, Ind. (WOWO) — A previously deported illegal alien, who was on the run for…
A U.S. appeals court has blocked one of the main methods of obtaining abortion medication…
This website uses cookies.