A newly weaponized exploit framework dubbed cPanelSniper is turbo‑charging mass exploitation of CVE‑2026‑41940, a critical pre-authentication bypass in cPanel & WHM that has already led to large‑scale server compromise worldwide.
With public PoC code, active scanning, and millions of exposed instances, this zero‑day turned n‑day is now one of the highest‑priority patch‑now events for hosting providers and MSPs.
CVE‑2026‑41940 is a maximum‑severity authentication bypass (CVSS 9.8) affecting all supported cPanel & WHM versions after 11.40, as well as WP Squared (WP2) up to v136.1.7.
The flaw allows unauthenticated remote attackers to obtain full WHM root access and effectively seize control of entire hosting environments, including sites, databases, and configuration.
The bug resides in cPanel’s Perl‑based session handling, specifically the Session.pm module and its saveSession() logic. During login, saveSession() writes session data to disk before filter_sessiondata() sanitizes it, meaning CRLF characters embedded in an HTTP Authorization: Basic header are persisted verbatim into the raw session file on disk.
An attacker can inject fake key‑value pairs such as user=root, hasroot=1, and tfa_verified=1 into this session file, forging a fully authenticated root WHM session without valid credentials or MFA.
cPanel publicly disclosed the issue on April 28, 2026, describing it as an “issue with session loading and saving,” and simultaneously shipped fixes across all active branches. However, honeypot telemetry and vendor reporting confirm that exploitation had already been underway for weeks before disclosure.
Threat Landscape and Real‑World Impact
This vulnerability is uniquely dangerous because cPanel & WHM is almost always internet‑facing and widely deployed across shared hosting providers, VPS fleets, and managed hosting platforms.
A simple Shodan search returns roughly 1.5 million exposed cPanel/WHM instances, with around 650,000 believed to be directly reachable and potentially vulnerable depending on patch level.
The Shadowserver Foundation reported that, by April 30, 2026, more than 44,000 unique IPs were seen scanning for, exploiting, or brute‑forcing cPanel endpoints, indicating broad, opportunistic abuse at scale.
Telemetry and incident reports show exploitation dating back to at least February 23, 2026, meaning attackers enjoyed roughly a two‑month zero‑day window before any patches were available.
Observed outcomes span ransomware deployment on hosted tenants, website defacement on high‑traffic domains, credential theft, and enrollment of compromised servers into botnets for DDoS and proxy infrastructure.
Recognizing the severity and active exploitation, CISA added CVE‑2026‑41940 to its Known Exploited Vulnerabilities (KEV) catalog on May 1, 2026, effectively making patching this flaw a compliance requirement for U.S. federal agencies and a de facto priority for any regulated environment.
Security advisories from national CSIRTs and multiple vendors echo the need for immediate remediation and robust compromise assessment, rather than treating this as a routine patch-cycle item.
cPanelSniper: Weaponizing the Exploit Chain
The public release of cPanelSniper, authored by security researcher Mitsec (@ynsmroztas) and published as a Python‑based framework on GitHub, dramatically lowers the barrier to exploitation.
Written purely with Python 3.8+ standard library dependencies, the tool is turnkey and supports both single‑target exploitation and bulk operations, making it suitable for integration into scanning pipelines.
cPanelSniper automates a four‑stage exploit chain:
- Stage 1 – Pre‑auth session minting: The tool initiates a WHM login with deliberately invalid credentials, forcing cPanel to create a new WHM session and return a whostmgrsession cookie while still in an unauthenticated state.
- Stage 2 – CRLF injection into the session: It then crafts an Authorization: Basic header whose base64‑decoded value includes CRLF characters followed by attacker‑controlled key=value lines (for example user=root, hasroot=1, tfa_verified=1). Because saveSession() writes the raw payload to /var/cpanel/sessions/raw/<session> before sanitization, these malicious fields are included in the session file.
- Stage 3 – Triggering the do_token_denied gadget: By requesting /scripts2/listaccts under a specific cpsess token, the attacker triggers the internal do_token_denied logic, which re‑parses the now multi‑line session file and pushes the injected fields into the in‑memory session cache. This effectively activates the forged root session context.
- Stage 4 – Root WHM verification and post‑exploitation: Finally, the tool queries /json-api/version over WHM; an HTTP 200 response with version metadata confirms full root‑level WHM access, at which point the framework marks the host as “PWNED” and exposes interactive post‑exploitation modules.
Once access is established, cPanelSniper supports command execution via WHM interfaces, account enumeration, creation of backdoor admin accounts, and chaining into additional tooling for mass deployment of web shells or implants across customer accounts.
It also integrates cleanly with external discovery tools like Subfinder and Shodan to enable large‑scale targeting from recon to exploitation within a single pipeline.
Detection, Mitigation, and Hardening
cPanel released emergency updates on all active branches, with patched versions as follows:
- 110.x: vulnerable ≤ 11.110.0.96, patched in 11.110.0.97
- 118.x: vulnerable ≤ 11.118.0.62, patched in 11.118.0.63
- 126.x: vulnerable ≤ 11.126.0.53, patched in 11.126.0.54
- 132.x: vulnerable ≤ 11.132.0.28, patched in 11.132.0.29
- 134.x: vulnerable ≤ 11.134.0.19, patched in 11.134.0.20
- 136.x: vulnerable ≤ 11.136.0.4, patched in 11.136.0.5
Administrators should immediately force an update with /scripts/upcp --force, then restart the cpsrvd and cpdavd services to ensure the patched authentication flow is fully active.
Firewalls should temporarily restrict or geo‑fence access to cPanel‑related ports (2083, 2087, 2095, 2096) and ideally limit WHM access to known management IPs or VPN ranges.
From a detection and incident‑response standpoint, teams should:
- Inspect /var/cpanel/sessions/raw/ for anomalous or multi‑line session files containing injected fields like user=root, hasroot=1, tfa_verified=1, or unexpected key‑value pairs.
- Review WHM logs, access logs, and API logs for suspicious access to /scripts2/listaccts, /json-api/version, and other administrative endpoints from untrusted IP addresses.
- Hunt for new or modified WHM and cPanel accounts, especially high‑privilege users created outside of normal change windows.
- Scan for web shells, unexpected cron jobs, and unauthorized SSH keys across hosted accounts, as many threat actors use this vulnerability as an initial access vector before pivoting laterally.
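As an added defensive example (not code from this article, from cPanel, or from the cPanelSniper project), the following Python script encodes the patch table above as a version check and applies the session‑file heuristics from the detection list to raw session content. It assumes session files hold one key=value field per line (a constructed format for this demo) and treats a carriage return, a conflicting duplicate field, or a privilege field following a CR as tamper indicators; baseline those heuristics against files from a known‑good host before relying on them.

```python
import re
from pathlib import Path

# First patched build per branch, taken from the table in this article.
PATCHED = {110: (0, 97), 118: (0, 63), 126: (0, 54),
           132: (0, 29), 134: (0, 20), 136: (0, 5)}
# Fields the write-up says get forged to mint a root WHM session.
FORGED = {"user": "root", "hasroot": "1", "tfa_verified": "1"}


def is_vulnerable(version: str) -> bool:
    """True when an 11.<branch>.<x>.<y> build is older than its branch's fix."""
    m = re.fullmatch(r"11\.(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m or int(m.group(1)) not in PATCHED:
        raise ValueError(f"version not covered by the patch table: {version!r}")
    branch, x, y = (int(g) for g in m.groups())
    return (x, y) < PATCHED[branch]


def session_indicators(raw: str) -> list[str]:
    """Heuristic tamper checks on one raw session file; empty list means clean.
    Assumes (a constructed format for this demo) key=value lines in the file."""
    reasons, seen = [], {}
    if "\r" in raw:
        reasons.append("carriage return inside session data (CRLF injection artefact)")
    for line in raw.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        key, sep, value = line.partition("=")
        # setdefault returns the first value seen; a different later value is a conflict
        if sep and seen.setdefault(key, value) != value:
            reasons.append(f"key {key!r} set twice with conflicting values")
    # Anything after the first CR can only have arrived via an injected header value.
    injected = raw.split("\r", 1)[1] if "\r" in raw else ""
    for line in injected.splitlines():
        key, _, value = line.partition("=")
        if FORGED.get(key.strip()) == value.strip():
            reasons.append(f"forged privilege field after CR: {line.strip()}")
    return reasons


def scan_sessions(directory: str) -> dict[str, list[str]]:
    """Return {filename: reasons} for every flagged file in the directory."""
    hits = {}
    for path in Path(directory).iterdir():
        if path.is_file():  # read bytes so CR characters survive (no newline translation)
            found = session_indicators(path.read_bytes().decode("utf-8", "replace"))
            if found:
                hits[path.name] = found
    return hits
```

Point scan_sessions() at /var/cpanel/sessions/raw/ on a suspect host and feed the output of the cPanel version string to is_vulnerable() to decide whether a version check alone is enough or a full compromise assessment is warranted.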
Given the length of the zero‑day window and the scale of opportunistic scanning, organizations should assume compromise is possible on any unpatched system that was internet‑reachable during the February–April 2026 timeframe and perform full compromise assessments rather than relying solely on version checks.
Long-term, hardening should include enforcing MFA for all admin interfaces, isolating control planes behind VPNs, and reducing public exposure of management planes wherever feasible.
Quick FAQ
What is CVE‑2026‑41940?
CVE‑2026‑41940 is a critical pre‑authentication bypass in cPanel & WHM that lets remote attackers gain root‑level WHM access without valid credentials.
What is cPanelSniper?
cPanelSniper is a publicly released Python exploit framework that weaponizes CVE‑2026‑41940 into an automated four‑stage attack chain, from session minting to full root takeover.
How widespread is exploitation?
Telemetry shows tens of thousands of attacking IPs and exploitation activity dating back to at least February 23, 2026, targeting hundreds of thousands of exposed cPanel instances.
How do I protect my servers?
Immediately update to the latest patched cPanel & WHM or WP2 versions, restrict access to management ports, and audit session files, logs, and accounts for signs of compromise.