A weaponized proof-of-concept exploit framework called cPanelSniper has been publicly released for CVE-2026-41940, a maximum-severity authentication bypass vulnerability in cPanel and WHM. The flaw — carrying a CVSS score of 9.8 — has already resulted in the confirmed compromise of over 44,000 servers worldwide, with exploitation traced back to late February 2026, nearly two months before any patch existed.
The Vulnerability: Session File Injection
CVE-2026-41940 is a critical pre-authentication flaw rooted in how cPanel’s Session.pm module handles HTTP Authorization headers during the login process. The vulnerability stems from a sequencing error in the saveSession() function, which writes session data to disk before the sanitization function filter_sessiondata() is called.
This means that CRLF characters embedded within a Basic Authorization header are written verbatim into the on-disk session file, before any filtering occurs. An attacker can craft a malicious Authorization header that injects arbitrary fields directly into the session record — including user=root, hasroot=1, and tfa_verified=1 — effectively forging a fully authenticated root WHM session without possessing any valid credentials whatsoever.
The flaw affects all cPanel and WHM versions released after 11.40, as well as WP Squared (WordPress Squared) v136.1.7. cPanel disclosed the issue on April 28, 2026 and issued emergency patches the same day.
cPanelSniper: Four-Stage Automated Exploitation
Security researcher Mitsec (GitHub: @ynsmroztas) published cPanelSniper publicly on GitHub, automating exploitation through a precise four-stage attack chain. The tool is written in pure Python 3.8+ using only standard library modules — requiring no external dependencies — making it trivial to deploy and run on any system.
Key capabilities of the framework include:
- Bulk scanning with pipeline integration for tools such as Subfinder and Shodan
- Automated session file injection to forge root WHM authentication
- Interactive WHM shell access on successfully compromised targets
- Post-exploitation actions including remote command execution, account enumeration, and backdoor admin account creation
The release of a functional, dependency-free exploit framework for a CVSS 9.8 flaw affecting hundreds of thousands of internet-exposed servers dramatically lowers the barrier to exploitation, placing even opportunistic, low-skill attackers in a position to compromise cPanel-managed hosting environments at scale.
Massive Scale of Compromise
The Shadowserver Foundation confirmed on April 30, 2026 that 44,000 unique IP addresses were observed in their honeypot sensors scanning for vulnerable targets, launching exploits, or conducting brute-force attacks. Forensic evidence indicates that active exploitation began as early as February 23, 2026 — meaning attackers had roughly two months of undetected, zero-day exploitation before cPanel was notified and patches were developed.
Shodan reconnaissance reveals that approximately 650,000 cPanel/WHM instances remain internet-facing, with an estimated 1.5 million potentially vulnerable instances across the broader web. Attack outcomes documented in the wild include ransomware deployment, website defacements, and botnet recruitment campaigns.
CISA formally added CVE-2026-41940 to its Known Exploited Vulnerabilities (KEV) catalog on May 1, 2026, triggering mandatory remediation timelines for US federal agencies.
Emergency Patches and Immediate Actions
cPanel has released emergency patches across all active branches. Administrators are urged to take immediate action:
- Run /scripts/upcp --force to apply the latest patches immediately
- Restart the cpsrvd and cpdavd services after patching
- Block inbound traffic on cPanel ports 2083, 2087, 2095, and 2096 at the firewall for any hosts not yet patched
- Audit session directories for suspicious session files containing injected fields such as hasroot=1 or tfa_verified=1
- Rotate all administrative credentials as a precaution, even on systems showing no immediate signs of compromise
- Review WHM audit logs for unauthorized account creation, configuration changes, and evidence of backdoor admin accounts
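One way to carry out the session-directory audit step above, as an added example that is not from the article, from cPanel, or from the cPanelSniper author: it assumes session files are plain key=value lines written with LF line endings, that the session directory path is supplied by the operator, and it takes the injected field names from the article.

```python
import os
from typing import Dict, List, Tuple

# Fields the article says are injected into the session record to forge root.
PRIVILEGED = {"user": "root", "hasroot": "1", "tfa_verified": "1"}

def parse_session(raw: bytes) -> Tuple[Dict[str, str], List[str]]:
    """Parse assumed key=value lines; return (fields, keys seen more than once).
    A repeated key is the footprint of a field appended after the legitimate one."""
    fields: Dict[str, str] = {}
    dupes: List[str] = []
    for line in raw.split(b"\n"):
        key, sep, val = line.rstrip(b"\r").partition(b"=")
        if not sep:
            continue
        k = key.strip().decode("utf-8", "replace")
        if k in fields and k not in dupes:
            dupes.append(k)
        fields[k] = val.strip().decode("utf-8", "replace")
    return fields, dupes

def audit_session(raw: bytes) -> List[str]:
    """Return findings for one session file; an empty list means nothing flagged."""
    fields, dupes = parse_session(raw)
    findings: List[str] = []
    # Assumption: cPanel writes LF-only session files, so a CR byte means the
    # Authorization header was stored verbatim before filter_sessiondata() ran.
    if b"\r" in raw:
        findings.append("CR bytes present in session data")
    findings += [f"duplicate key {k!r} (later line overrides)" for k in dupes]
    hits = [k for k, v in PRIVILEGED.items() if fields.get(k) == v]
    if hits:
        findings.append("privileged fields set: " + ", ".join(hits))
    return findings

def audit_directory(session_dir: str) -> Dict[str, List[str]]:
    """Walk an operator-supplied session directory (placeholder path) and report flagged files."""
    report: Dict[str, List[str]] = {}
    for root, _, names in os.walk(session_dir):
        for name in names:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                findings = audit_session(fh.read())
            if findings:
                report[path] = findings
    return report

# Constructed sample: a legitimate user session with forged fields appended.
FORGED = b"user=alice\nhasroot=0\r\nuser=root\r\nhasroot=1\r\ntfa_verified=1\n"
```

A genuine root login will also match the privileged-field check on its own, so treat each hit as something to cross-check against the WHM audit log rather than as confirmed compromise.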
Given that exploitation has been actively underway for months and that a fully functional public exploit now exists, any unpatched cPanel/WHM server should be treated as potentially already compromised. Forensic investigation and credential rotation are recommended alongside patching — applying the patch alone is insufficient if attackers have already established persistence.