Critical cPanel Vulnerability Lets Attackers Compromise 44,000 Servers
Key Takeaways A critical pre-authentication bypass (CVE-2026-41940) in cPanel & WHM allows attackers to forge root sessions. A publicly released exploit framework, “cPanelSniper,”...
Key Takeaways
- A critical pre-authentication bypass (CVE-2026-41940) in cPanel & WHM allows attackers to forge root sessions.
- A publicly released exploit framework, “cPanelSniper,” automates the compromise of vulnerable servers.
- Tens of thousands of servers have already been compromised, with exploitation observed since late February 2026.
- cPanel released emergency patches on April 28, 2026, and immediate updates are strongly recommended.
A severe authentication bypass vulnerability, identified as CVE-2026-41940, has been disclosed in cPanel & WHM, leading to the compromise of tens of thousands of servers globally. A weaponized proof-of-concept (PoC) exploit framework, dubbed “cPanelSniper,” has been made public, automating the exploitation of this critical flaw. Evidence suggests active exploitation of this zero-day vulnerability began as early as late February 2026, approximately two months before cPanel released emergency patches.
Table Of Content
The vulnerability, rated with a CVSS score of 9.8 (Critical), resides within the Session.pm module of cPanel, specifically in how it processes HTTP Authorization headers during the login sequence. This flaw affects all cPanel & WHM versions beyond 11.40, as well as WP Squared (WordPress Squared) v136.1.7. cPanel acknowledged the issue and provided patches on April 28, 2026, though exploitation was already widespread.
Technical Deep Dive into CVE-2026-41940
The core of CVE-2026-41940 lies in the saveSession() function, which writes session data to disk prematurely, prior to invoking filter_sessiondata() for sanitization. This critical design flaw enables attackers to embed Carriage Return Line Feed (CRLF) characters directly into a Basic authorization header. When processed, these characters are written verbatim into the on-disk session file.
By injecting specific fields such as user=root, hasroot=1, and tfa_verified=1 into the session file, an attacker can effectively bypass authentication mechanisms. This allows them to forge a fully authenticated root WHM session without needing any valid credentials, granting complete control over the compromised server.
cPanelSniper: A Four-Stage Attack Chain
Security researcher Mitsec (@ynsmroztas) publicly released cPanelSniper on GitHub, a Python 3.8+ tool designed to automate the exploitation of CVE-2026-41940. The framework executes a precise four-stage attack chain:
- Stage 1 — It initiates a pre-authenticated WHM session using deliberately invalid credentials to acquire a
whostmgrsessioncookie. - Stage 2 — A meticulously crafted
Authorization: Basicheader containing the CRLF payload is injected, prompting thecpsrvdservice to write the manipulated session fields to disk. - Stage 3 — The internal
do_token_deniedgadget is triggered via/scripts2/listaccts, which flushes the raw session data into the cache and activates the injected fields. - Stage 4 — Full WHM root access is verified by querying
/json-api/version. A successful HTTP 200 response confirms the “PWNED” state, indicating full compromise.
cPanelSniper operates without external dependencies, relying solely on Python 3.8+ standard libraries. Its capabilities include bulk scanning, integration with reconnaissance tools like Subfinder and Shodan, interactive WHM shell access, and a suite of post-exploitation actions, such as command execution, account enumeration, and the creation of backdoor administrative accounts.
The Shadowserver Foundation reported on April 30, 2026, that approximately 44,000 unique IP addresses were observed either scanning for vulnerable targets, launching exploits, or conducting brute-force attacks against their honeypot sensors. This confirms the widespread nature of the exploitation.
Attention! cPanel/WHM CVE-2026-41940 attacks ongoing, with at least 44K IPs likely compromised & seen scanning our honeypots on 2026-04-30. Follow latest guidance to track for compromise & patch: https://t.co/z4sRvdaBwt
See Public Dashboard for stats: https://t.co/qFz265JDIK pic.twitter.com/m1aZvFEVlU
— The Shadowserver Foundation (@Shadowserver) May 1, 2026
The extent of this exposure is significant, with approximately 650,000 cPanel/WHM instances directly accessible from the internet and an estimated 1.5 million potentially vulnerable instances identified via Shodan. Attackers have leveraged this vulnerability for various malicious activities, including ransomware deployment, website defacement, and botnet recruitment. Due to the critical nature and active exploitation, CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities (KEV) catalog on May 1, 2026.
What You Should Do
cPanel has released emergency patches across all active branches to address CVE-2026-41940. System administrators must prioritize these updates immediately:
- Update Immediately: Ensure your cPanel & WHM installations are updated to the patched versions. The command
/scripts/upcp --forceshould be executed without delay. - Restart Services: After updating, restart the
cpsrvdandcpdavdservices to ensure the patches are fully applied. - Firewall Restrictions: Block inbound traffic on cPanel ports 2083, 2087, 2095, and 2096 at your firewall unless absolutely necessary for legitimate operations.
- Audit Sessions: Conduct an audit of session directories for any suspicious session files that may contain injected fields, indicating a potential compromise.
- Rotate Credentials: As a precautionary measure, all administrative credentials for cPanel and WHM should be rotated.
| Branch | Vulnerable ≤ | Patched Version |
|---|---|---|
| 110.x | 11.110.0.96 | 11.110.0.97 |
| 118.x | 11.118.0.62 | 11.118.0.63 |
| 126.x | 11.126.0.53 | 11.126.0.54 |
| 132.x | 11.132.0.28 | 11.132.0.29 |
| 134.x | 11.134.0.19 | 11.134.0.20 |
| 136.x | 11.136.0.4 | 11.136.0.5 |
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.