cPanelSniper PoC Exploit for cPanel Vulner Disclosed Vulnerability

A weaponized proof-of-concept (PoC) exploit framework, dubbed “cPanelSniper,” has been publicly released for CVE-2026-41940. This maximum-severity authentication bypass in cPanel & WHM has already led to the compromise of tens of thousands of servers worldwide, with attack activity traced as far back as late February 2026.

CVE-2026-41940 is a critical pre-authentication flaw rooted in how cPanel’s Session.pm module handles HTTP Authorization headers during login.

The vulnerability stems from the saveSession() function writing session data to disk before calling filter_sessiondata() for sanitization — meaning CRLF characters embedded in a Basic authorization header are written verbatim into the on-disk session file.

An attacker can inject fields such as user=root, hasroot=1, and tfa_verified=1 directly into the session file, effectively forging a fully authenticated root WHM session without any valid credentials.

The flaw carries a CVSS score of 9.8 (Critical) and affects all cPanel & WHM versions after 11.40, as well as WP Squared (WordPress Squared) v136.1.7. cPanel disclosed the issue on April 28, 2026, and issued emergency patches the same day, but exploitation was already actively underway.

cPanelSniper: Four-Stage Exploit Chain

Released publicly on GitHub by security researcher Mitsec (@ynsmroztas), cPanelSniper automates exploitation through a precise four-stage attack chain:

• Stage 1 — Mints a pre-auth WHM session using intentionally invalid credentials, obtaining a whostmgrsession cookie
• Stage 2 — Injects CRLF payload via a crafted Authorization: Basic header, causing cpsrvd to write poisoned session fields to disk
• Stage 3 — Triggers the internal do_token_denied gadget via /scripts2/listaccts, flushing raw session data into the cache and activating the injected fields
• Stage 4 — Verifies full WHM root access by querying /json-api/version, returning HTTP 200 and confirming a “PWNED” state

The tool requires no external dependencies; it is pure Python 3.8+ stdlib and supports bulk scanning, pipeline integration with tools like Subfinder and Shodan, interactive WHM shell access, and post-exploitation actions including command execution, account enumeration, and backdoor admin creation.

The Shadowserver Foundation confirmed on April 30, 2026, that 44,000 unique IP addresses were observed scanning for victims, launching exploits, or conducting brute-force attacks against their honeypot sensors.

Exploitation activity has been traced back to at least February 23, 2026, indicating that attackers were exploiting this zero-day roughly two months before any patch existed. Attack outcomes include ransomware deployment, website defacements, and botnet recruitment.

The scale of exposure is alarming: approximately 650,000 cPanel/WHM instances remain internet-facing, with roughly 1.5 million potentially vulnerable instances identified via Shodan.

CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities (KEV) catalog on May 1, 2026.

Mitigations

cPanel rolled out emergency patches across all active branches:

Administrators should immediately update via /scripts/upcp --force, restart the cpsrvd and cpdavd services, and block inbound traffic on cPanel ports 2083, 2087, 2095, and 2096 at the firewall.

Security teams should audit session directories for suspicious session files containing injected fields and rotate all administrative credentials as a precaution.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.