Concise Cyber


cPanelSniper PoC Released for Critical cPanel CVE-2026-41940 as 44,000 Servers Face Ongoing Attacks

A weaponized proof-of-concept exploit framework called cPanelSniper has been publicly released for CVE-2026-41940, a maximum-severity authentication bypass affecting cPanel & WHM. According to the source report, the issue has already been tied to widespread compromise, with tens of thousands of servers affected and attack activity observed as early as late February 2026.

The vulnerability carries a CVSS score of 9.8 and impacts all cPanel & WHM versions after 11.40, as well as WP Squared (WordPress Squared) v136.1.7. cPanel disclosed the flaw on April 28, 2026 and released emergency patches the same day, but exploitation was already underway before the fix was available.

How CVE-2026-41940 works

The source says the root cause is in cPanel’s Session.pm module and how it handles HTTP Authorization headers during login. Specifically, the saveSession() function writes session data to disk before filter_sessiondata() sanitizes it. As a result, CRLF characters embedded in a Basic authorization header are written verbatim into the on-disk session file.

That behavior allows an attacker to inject fields such as user=root, hasroot=1, and tfa_verified=1 into the session file. In effect, this can forge a fully authenticated root WHM session without valid credentials.
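To make the ordering defect concrete from the defender's side, here is an added Python illustration (not cPanel's Perl code, and not from the source report) of a login path that validates the Basic credential and filters the session record before anything is persisted. The function names parse_basic_credentials, filter_sessiondata and save_session, the key allow-list, and the two sample headers are assumptions constructed for this example; the point is that validation and filtering run before the write, so a credential carrying CR/LF never reaches the line-oriented store.

```python
import base64
import re
from typing import Dict, Optional

# Hypothetical hardened session handling (added illustration, not cPanel code).
# Lesson from the article: sanitize before persisting. Here the credential is
# validated and the record is filtered BEFORE anything is written out.

# Keys the login path is allowed to write. Privilege fields such as hasroot or
# tfa_verified are never accepted from request-derived data.
ALLOWED_LOGIN_KEYS = {"user", "remote_addr"}

# CR, LF, NUL and other control characters would split a key=value record.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def parse_basic_credentials(authorization: str) -> Optional[str]:
    """Return the username from an 'Authorization: Basic ...' header, or
    None if the header is malformed or the decoded credential contains
    control characters that could break a line-oriented session store."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if CONTROL_CHARS.search(decoded):
        return None  # reject before any field is derived from it
    user, sep, _password = decoded.partition(":")
    if not sep or not user:
        return None
    return user


def filter_sessiondata(fields: Dict[str, str]) -> Dict[str, str]:
    """Keep only allow-listed keys and strip control characters from values.
    This is the step that must run before the record is written."""
    return {
        key: CONTROL_CHARS.sub("", value)
        for key, value in fields.items()
        if key in ALLOWED_LOGIN_KEYS
    }


def serialize_session(fields: Dict[str, str]) -> str:
    """One key=value pair per line, sorted for a deterministic record."""
    return "".join(f"{key}={value}\n" for key, value in sorted(fields.items()))


def save_session(authorization: str, remote_addr: str) -> Optional[str]:
    """Validate, filter, then serialize. Returns the record text that would
    be written to disk, or None if the login input was rejected."""
    user = parse_basic_credentials(authorization)
    if user is None:
        return None
    record = filter_sessiondata({"user": user, "remote_addr": remote_addr})
    return serialize_session(record)


# Constructed sample headers for a dry run (not real credentials).
GOOD_HEADER = "Basic " + base64.b64encode(b"alice:hunter2").decode()
BAD_HEADER = "Basic " + base64.b64encode(b"alice\r\nhasroot=1:hunter2").decode()

if __name__ == "__main__":
    print(repr(save_session(GOOD_HEADER, "203.0.113.5")))  # record text
    print(repr(save_session(BAD_HEADER, "203.0.113.5")))   # None: rejected
```

The rejection happens on the decoded credential as a whole, not on the parsed username, so a CRLF hidden in either half of `user:password` is caught; and because `filter_sessiondata` drops any key outside the allow-list, a privilege flag can only ever be set by server-side code that deliberately adds it after authentication succeeds.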

What cPanelSniper does

Security researcher Mitsec (@ynsmroztas) publicly released cPanelSniper on GitHub. The framework automates exploitation through a four-stage chain designed to turn the vulnerability into root access on WHM.

  • Stage 1: Mints a pre-auth WHM session using intentionally invalid credentials and obtains a whostmgrsession cookie.
  • Stage 2: Sends a crafted Authorization: Basic header with a CRLF payload that causes cpsrvd to write poisoned session fields to disk.
  • Stage 3: Triggers the internal do_token_denied gadget via /scripts2/listaccts, flushing raw session data into the cache and activating the injected fields.
  • Stage 4: Verifies WHM root access by querying /json-api/version, which returns HTTP 200 and confirms a “PWNED” state.

The tool is described as a pure Python 3.8+ utility that uses only the standard library. It also supports bulk scanning, pipeline integration with tools such as Subfinder and Shodan, interactive WHM shell access, and post-exploitation actions including command execution, account enumeration, and backdoor admin creation.

Observed impact and exposure

The Shadowserver Foundation reported on April 30, 2026 that 44,000 unique IP addresses were seen scanning for victims, launching exploits, or conducting brute-force attacks against honeypot sensors. Shadowserver also warned that CVE-2026-41940 attacks were ongoing and that the large IP count likely represented compromised systems involved in the activity.

The report says exploitation has been traced back to at least February 23, 2026, suggesting attackers used the flaw roughly two months before any patch existed. Reported outcomes include ransomware deployment, website defacements, and botnet recruitment.

Exposure remains substantial. The source states that around 650,000 cPanel/WHM instances are internet-facing, while approximately 1.5 million potentially vulnerable instances have been identified via Shodan.

Mitigation steps for administrators

CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities (KEV) catalog on May 1, 2026. cPanel has issued emergency patches across all active branches, and administrators are urged to update immediately.

The patched versions listed in the source are:

  • 110.x: 11.110.0.97
  • 118.x: 11.118.0.63
  • 126.x: 11.126.0.54
  • 132.x: 11.132.0.29
  • 134.x: 11.134.0.20
  • 136.x: 11.136.0.5

Recommended actions include running /scripts/upcp --force, restarting the cpsrvd and cpdavd services, and blocking inbound traffic on cPanel ports 2083, 2087, 2095, and 2096 at the firewall. Security teams are also advised to audit session directories for suspicious files containing injected fields and rotate administrative credentials as a precaution.
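As an added example (not cPanel's tooling and not from the source report), the following Python script turns two of the audit steps above into checks an administrator can run: it compares an installed version string against the patched builds listed in the article, and it scans key=value session records for the injected fields the article names, additionally flagging stray carriage returns and duplicate keys, which are the traces a line-splitting injection would leave but a normal login would not. The line-oriented file layout, the session samples, and the function names are assumptions; the session directory path is left as a parameter because it depends on the build.

```python
from pathlib import Path
from typing import Dict, List, Tuple

# Added illustration, not cPanel's own code. It assumes session files are
# line-oriented key=value records, which is what the article's description
# of the injection implies. The sample records at the bottom are constructed.

# Minimum fixed build per branch, as listed in the article.
PATCHED: Dict[str, Tuple[int, ...]] = {
    "110": (11, 110, 0, 97),
    "118": (11, 118, 0, 63),
    "126": (11, 126, 0, 54),
    "132": (11, 132, 0, 29),
    "134": (11, 134, 0, 20),
    "136": (11, 136, 0, 5),
}

# Field/value pairs the article says the exploit injects to forge root.
PRIVILEGED = {"user": "root", "hasroot": "1", "tfa_verified": "1"}


def parse_version(version: str) -> Tuple[int, ...]:
    """'11.136.0.5' -> (11, 136, 0, 5); raises ValueError on junk input."""
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(version: str) -> bool:
    """True only if the version is on a listed branch and at or above that
    branch's fixed build. Unlisted branches are reported as not confirmed."""
    parts = parse_version(version)
    if len(parts) < 2:
        return False
    fixed = PATCHED.get(str(parts[1]))
    return fixed is not None and parts >= fixed


def audit_session(text: str) -> List[str]:
    """Return human-readable findings for one session record."""
    findings: List[str] = []
    seen = set()
    for lineno, raw in enumerate(text.split("\n"), 1):
        if raw == "":
            continue
        # A \r inside a record is residue of a CRLF that split a header value
        # into extra lines; a normal writer emits plain \n.
        if "\r" in raw:
            findings.append(f"line {lineno}: stray carriage return")
        line = raw.rstrip("\r")
        key, sep, value = line.partition("=")
        if not sep:
            findings.append(f"line {lineno}: not key=value: {line!r}")
            continue
        if key in seen:
            findings.append(f"line {lineno}: duplicate key {key}")
        seen.add(key)
        if PRIVILEGED.get(key) == value:
            findings.append(f"line {lineno}: privileged field {key}={value}")
    return findings


def classify(findings: List[str]) -> str:
    """'suspect' when structural damage is present, 'review' when only
    privileged fields appear (a genuine root session has them too), else 'clean'."""
    markers = ("carriage return", "duplicate key", "not key=value")
    if any(marker in finding for finding in findings for marker in markers):
        return "suspect"
    return "review" if findings else "clean"


def audit_directory(session_dir: str) -> Dict[str, str]:
    """Classify every regular file in a session directory (path supplied by
    the caller; it varies by build and is not hard-coded here)."""
    results: Dict[str, str] = {}
    for path in Path(session_dir).iterdir():
        if path.is_file():
            results[path.name] = classify(audit_session(path.read_text(errors="replace")))
    return results


# Constructed sample records for a dry run.
CLEAN_SESSION = "user=alice\nremote_addr=203.0.113.5\nhasroot=0\n"
ROOT_SESSION = "user=root\nhasroot=1\ntfa_verified=1\n"
SUSPECT_SESSION = "user=alice\r\nuser=root\r\nhasroot=1\r\ntfa_verified=1\n"

if __name__ == "__main__":
    for name, text in [("clean", CLEAN_SESSION), ("root", ROOT_SESSION), ("suspect", SUSPECT_SESSION)]:
        print(name, classify(audit_session(text)), audit_session(text))
    print("11.136.0.5 patched:", is_patched("11.136.0.5"))
```

Treat "review" as a prompt to confirm the session against a known administrative login rather than as an alert on its own; the "suspect" class is the one worth paging on, since duplicate keys and carriage returns have no benign explanation in a record the server wrote itself. Run `audit_directory` read-only and preserve any flagged file before rotating credentials, so the evidence survives the cleanup.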

Conclusion

The public release of cPanelSniper adds more urgency to an already active incident involving CVE-2026-41940. With exploitation ongoing, emergency patches available, and large numbers of exposed systems still online, administrators should treat this as a high-priority response item.

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forum in our own words with no intention to plagiarise or copy other person’s work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You’re advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections, concerns or point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/
