cPanelSniper \u2013 PoC Exploit Disclosed for cPanel Vulnerability, 44,000 Servers Compromised
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A weaponized proof-of-concept (PoC) exploit framework dubbed \u201ccPanelSniper\u201d has been publicly released for CVE-2026-41940<\/a>, a maximum-severity authentication bypass in cPanel & WHM that has already led to the compromise of tens of thousands of servers worldwide with attack activity traced as far back as late February 2026.<\/p>\n CVE-2026-41940 is a critical pre-authentication flaw rooted in how cPanel\u2019s The vulnerability stems from the An attacker can inject fields such as The flaw carries a CVSS score of 9.8 (Critical) and affects all cPanel & WHM versions after 11.40, as well as WP Squared (WordPress Squared) v136.1.7. cPanel disclosed the issue on April 28, 2026, and issued emergency patches the same day, but exploitation was already actively underway.<\/p>\n Released publicly on GitHub<\/a> by security researcher Mitsec (@ynsmroztas), cPanelSniper automates exploitation through a precise four-stage attack chain:<\/p>\n The tool requires no external dependencies; it is pure Python 3.8+ stdlib and supports bulk scanning, pipeline integration with tools like Subfinder and Shodan<\/a>, interactive WHM shell access, and post-exploitation actions including command execution, account enumeration, and backdoor admin creation.<\/p>\n The Shadowserver Foundation confirmed on April 30, 2026, that 44,000 unique IP addresses were observed scanning for victims, launching exploits, or conducting brute-force attacks against their honeypot sensors.<\/p>\nSession.pm<\/code> module handles HTTP Authorization<\/code> headers during login.<\/p>\nsaveSession()<\/code> function writing session data to disk before<\/em> calling filter_sessiondata()<\/code> for sanitization \u2014 meaning CRLF characters embedded in a Basic<\/code> authorization header are written verbatim into the on-disk session file.<\/p>\nuser=root<\/code>, hasroot=1<\/code>, and tfa_verified=1<\/code> directly into the session file, effectively forging a fully authenticated root WHM session without any valid credentials.<\/p>\ncPanelSniper: Four-Stage Exploit Chain<\/strong><\/h2>\n
\n
whostmgrsession<\/code> cookie<\/li>\nAuthorization: Basic<\/code> header, causing cpsrvd<\/code> to write poisoned session fields to disk<\/li>\ndo_token_denied<\/code> gadget via \/scripts2\/listaccts<\/code>, flushing raw session data into the cache and activating the injected fields<\/li>\n\/json-api\/version<\/code>, returning HTTP 200 and confirming a \u201cPWNED\u201d state<\/li>\n<\/ul>\n