InfoSecBulletin Cybersecurity for mankind
A weaponized proof-of-concept (PoC) exploit framework dubbed “cPanelSniper” has been publicly released for CVE-2026-41940, a maximum-severity authentication bypass in cPanel & WHM that has already led to the compromise of tens of thousands of servers worldwide with attack activity traced as far back as late February 2026.
CVE-2026-41940 is a serious flaw that happens before authentication. It comes from how cPanel’s Session.pm module deals with HTTP Authorization headers when you log in.
India’s Tata Electronics hit by cyber breach: Hacker target 630 GB record
Anthropic’s Mythos reportedly broke NSA classified systems in hours
OpenAI New Method “Deployment Simulation” Predicts AI Risks Before Deployment
AryStinger botnet infected thousands of D-Link routers globally
Hacker suspected of sending alerts across Brazil
CyberSentinel AI features 33 security tools like Nmap, SQLMap, and ZAP, utilizing Claude and GPT
Barracuda hosts Dhaka roundtable on cyber resilience
CISA Alerts Fortinet Users as FortiBleed Affects 86,644 FortiGate Devices
CISA: Splunk flaw under active exploit, patch by Sunday
Texas data breach exposes 3 million driver’s licenses
The flaw has a CVSS score of 9.8 (Critical) and it affects all cPanel & WHM versions after 11.40, as well as WP Squared (WordPress Squared) v136.1.7. cPanel announced the issue on April 28, 2026, and released urgent patches on that day, but people were already trying to exploit it.
cPanelSniper: Four-Stage Exploit Chain
cPanelSniper is a tool that automates attacks in four steps, released on GitHub by a security expert named Mitsec (@ynsmroztas).
Stage 1: Mints a pre-auth WHM session using intentionally invalid credentials, obtaining a whostmgrsession cookie
Stage 2: Injects CRLF payload via a crafted Authorization: Basic header, causing cpsrvd to write poisoned session fields to disk
Stage 3: Triggers the internal do_token_denied gadget via /scripts2/listaccts, flushing raw session data into the cache and activating the injected fields
Stage 4: Verifies full WHM root access by querying /json-api/version, returning HTTP 200 and confirming a “PWNED” state
The tool doesn’t need any extra software; it only uses built-in Python 3.8+ libraries. It can scan many accounts at once, work with tools like Subfinder and Shodan, allow interactive access to WHM, and perform actions after gaining access, like running commands, listing accounts, and creating hidden admin accounts.
The Shadowserver Foundation said on April 30, 2026, that they saw 44,000 different IP addresses looking for targets, using exploits, or doing brute-force attacks on their honeypot sensors.
Exploitation started as early as February 23, 2026, showing that attackers used this zero-day about two months before a fix was available. The results of this include ransomware attacks, changes to websites, and recruiting for botnets.
The number of exposed systems is worrying: about 650,000 cPanel/WHM instances are visible on the internet, and around 1.5 million possibly vulnerable ones were found using Shodan.
Mitigations
cPanel rolled out emergency patches across all active branches:
| Branch | Vulnerable ≤ | Patched Version |
|---|---|---|
| 110.x | 11.110.0.96 | 11.110.0.97 |
| 118.x | 11.118.0.62 | 11.118.0.63 |
| 126.x | 11.126.0.53 | 11.126.0.54 |
| 132.x | 11.132.0.28 | 11.132.0.29 |
| 134.x | 11.134.0.19 | 11.134.0.20 |
| 136.x | 11.136.0.4 | 11.136.0.5 |
Administrators should quickly update using /scripts/upcp –force, restart the cpsrvd and cpdavd services, and block incoming traffic on cPanel ports 2083, 2087, 2095, and 2096 at the firewall.
