Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Microsoft Teams macOS Bug Exposes Screen Sharing Content
July 12, 2026
Apple Sues OpenAI and Ex-Staff Over Alleged Trade Secret Theft
July 12, 2026
Ghostcommit Attack Hides Malicious Prompts in Images to Exploit AI Agents
July 11, 2026
Home/CyberSecurity News/Critical cPanel Vulnerability Lets Attackers Compromise 44,000 Servers
CyberSecurity News

Critical cPanel Vulnerability Lets Attackers Compromise 44,000 Servers

Key Takeaways A critical pre-authentication bypass (CVE-2026-41940) in cPanel & WHM allows attackers to forge root sessions. A publicly released exploit framework, “cPanelSniper,”...

Marcus Rodriguez
Marcus Rodriguez
May 2, 2026 4 Min Read
60 0

Key Takeaways

  • A critical pre-authentication bypass (CVE-2026-41940) in cPanel & WHM allows attackers to forge root sessions.
  • A publicly released exploit framework, “cPanelSniper,” automates the compromise of vulnerable servers.
  • Tens of thousands of servers have already been compromised, with exploitation observed since late February 2026.
  • cPanel released emergency patches on April 28, 2026, and immediate updates are strongly recommended.

A severe authentication bypass vulnerability, identified as CVE-2026-41940, has been disclosed in cPanel & WHM, leading to the compromise of tens of thousands of servers globally. A weaponized proof-of-concept (PoC) exploit framework, dubbed “cPanelSniper,” has been made public, automating the exploitation of this critical flaw. Evidence suggests active exploitation of this zero-day vulnerability began as early as late February 2026, approximately two months before cPanel released emergency patches.

Table Of Content

  • Key Takeaways
  • Technical Deep Dive into CVE-2026-41940
  • cPanelSniper: A Four-Stage Attack Chain
  • What You Should Do

The vulnerability, rated with a CVSS score of 9.8 (Critical), resides within the Session.pm module of cPanel, specifically in how it processes HTTP Authorization headers during the login sequence. This flaw affects all cPanel & WHM versions beyond 11.40, as well as WP Squared (WordPress Squared) v136.1.7. cPanel acknowledged the issue and provided patches on April 28, 2026, though exploitation was already widespread.

Technical Deep Dive into CVE-2026-41940

The core of CVE-2026-41940 lies in the saveSession() function, which writes session data to disk prematurely, prior to invoking filter_sessiondata() for sanitization. This critical design flaw enables attackers to embed Carriage Return Line Feed (CRLF) characters directly into a Basic authorization header. When processed, these characters are written verbatim into the on-disk session file.

By injecting specific fields such as user=root, hasroot=1, and tfa_verified=1 into the session file, an attacker can effectively bypass authentication mechanisms. This allows them to forge a fully authenticated root WHM session without needing any valid credentials, granting complete control over the compromised server.

cPanelSniper: A Four-Stage Attack Chain

Security researcher Mitsec (@ynsmroztas) publicly released cPanelSniper on GitHub, a Python 3.8+ tool designed to automate the exploitation of CVE-2026-41940. The framework executes a precise four-stage attack chain:

  • Stage 1 — It initiates a pre-authenticated WHM session using deliberately invalid credentials to acquire a whostmgrsession cookie.
  • Stage 2 — A meticulously crafted Authorization: Basic header containing the CRLF payload is injected, prompting the cpsrvd service to write the manipulated session fields to disk.
  • Stage 3 — The internal do_token_denied gadget is triggered via /scripts2/listaccts, which flushes the raw session data into the cache and activates the injected fields.
  • Stage 4 — Full WHM root access is verified by querying /json-api/version. A successful HTTP 200 response confirms the “PWNED” state, indicating full compromise.

cPanelSniper operates without external dependencies, relying solely on Python 3.8+ standard libraries. Its capabilities include bulk scanning, integration with reconnaissance tools like Subfinder and Shodan, interactive WHM shell access, and a suite of post-exploitation actions, such as command execution, account enumeration, and the creation of backdoor administrative accounts.

The Shadowserver Foundation reported on April 30, 2026, that approximately 44,000 unique IP addresses were observed either scanning for vulnerable targets, launching exploits, or conducting brute-force attacks against their honeypot sensors. This confirms the widespread nature of the exploitation.

Attention! cPanel/WHM CVE-2026-41940 attacks ongoing, with at least 44K IPs likely compromised & seen scanning our honeypots on 2026-04-30. Follow latest guidance to track for compromise & patch: https://t.co/z4sRvdaBwt

See Public Dashboard for stats: https://t.co/qFz265JDIK pic.twitter.com/m1aZvFEVlU

— The Shadowserver Foundation (@Shadowserver) May 1, 2026

The extent of this exposure is significant, with approximately 650,000 cPanel/WHM instances directly accessible from the internet and an estimated 1.5 million potentially vulnerable instances identified via Shodan. Attackers have leveraged this vulnerability for various malicious activities, including ransomware deployment, website defacement, and botnet recruitment. Due to the critical nature and active exploitation, CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities (KEV) catalog on May 1, 2026.

What You Should Do

cPanel has released emergency patches across all active branches to address CVE-2026-41940. System administrators must prioritize these updates immediately:

  • Update Immediately: Ensure your cPanel & WHM installations are updated to the patched versions. The command /scripts/upcp --force should be executed without delay.
  • Restart Services: After updating, restart the cpsrvd and cpdavd services to ensure the patches are fully applied.
  • Firewall Restrictions: Block inbound traffic on cPanel ports 2083, 2087, 2095, and 2096 at your firewall unless absolutely necessary for legitimate operations.
  • Audit Sessions: Conduct an audit of session directories for any suspicious session files that may contain injected fields, indicating a potential compromise.
  • Rotate Credentials: As a precautionary measure, all administrative credentials for cPanel and WHM should be rotated.
Branch Vulnerable ≤ Patched Version
110.x 11.110.0.96 11.110.0.97
118.x 11.118.0.62 11.118.0.63
126.x 11.126.0.53 11.126.0.54
132.x 11.132.0.28 11.132.0.29
134.x 11.134.0.19 11.134.0.20
136.x 11.136.0.4 11.136.0.5

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitPatchransomwareSecurityVulnerabilityzero-day

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

Previous Post

EtherRAT Campaign Leverages SEO Poisoning and GitHub to Target Enterprise Admins

Next Post

Facebook Phishing Campaign Leverages Google AppSheet, Netlify, Telegram

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
CISA Report Details Lessons Learned From AWS GovCloud Credential Leak
July 11, 2026
281 Android VPN Apps Leak Sensitive Data, Transfer Data Unencrypted
July 11, 2026
Top 10 Unified Threat Management Solutions for 2026
July 11, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us