cPanelSniper – PoC Exploit Disclosed for cPanel Vulnerability, 44,000 Servers Compromised

HomeCyber Security News cPanelSniper – PoC Exploit Disclosed for cPanel Vulnerability, 44,000 Servers Compromised By Guru Baran May 2, 2026 A weaponized proof-of-concept (PoC) exploit framework dubbed “cPanelSniper” has been publicly released for CVE-2026-41940, a maximum-severity authentication bypass in cPanel & WHM that has already led to the compromise of tens of thousands of servers worldwide with attack activity traced as far back as late February 2026. CVE-2026-41940 is a critical pre-authentication flaw rooted in how cPanel’s Session.pm module handles HTTP Authorization headers during login. The vulnerability stems from the saveSession() function writing session data to disk before calling filter_sessiondata() for sanitization — meaning CRLF characters embedded in a Basic authorization header are written verbatim into the on-disk session file. An attacker can inject fields such as user=root, hasroot=1, and tfa_verified=1 directly into the session file, effectively forging a fully authenticated root WHM session without any valid credentials. The flaw carries a CVSS score of 9.8 (Critical) and affects all cPanel & WHM versions after 11.40, as well as WP Squared (WordPress Squared) v136.1.7. cPanel disclosed the issue on April 28, 2026, and issued emergency patches the same day, but exploitation was already actively underway. cPanelSniper: Four-Stage Exploit Chain Released publicly on GitHub by security researcher Mitsec (@ynsmroztas), cPanelSniper automates exploitation through a precise four-stage attack chain: Stage 1 — Mints a pre-auth WHM session using intentionally invalid credentials, obtaining a whostmgrsession cookie Stage 2 — Injects CRLF payload via a crafted Authorization: Basic header, causing cpsrvd to write poisoned session fields to disk Stage 3 — Triggers the internal do_token_denied gadget via /scripts2/listaccts, flushing raw session data into the cache and activating the injected fields Stage 4 — Verifies full WHM root access by querying /json-api/version, returning HTTP 200 and confirming a “PWNED” state The tool requires no external dependencies; it is pure Python 3.8+ stdlib and supports bulk scanning, pipeline integration with tools like Subfinder and Shodan, interactive WHM shell access, and post-exploitation actions including command execution, account enumeration, and backdoor admin creation. The Shadowserver Foundation confirmed on April 30, 2026, that 44,000 unique IP addresses were observed scanning for victims, launching exploits, or conducting brute-force attacks against their honeypot sensors. ATTENTION! CPANEL/WHM CVE-2026-41940 ATTACKS ONGOING, WITH AT LEAST 44K IPS LIKELY COMPROMISED & SEEN SCANNING OUR HONEYPOTS ON 2026-04-30. FOLLOW LATEST GUIDANCE TO TRACK FOR COMPROMISE & PATCH: HTTPS://T.CO/Z4SRVDABWT SEE PUBLIC DASHBOARD FOR STATS: HTTPS://T.CO/QFZ265JDIK PIC.TWITTER.COM/M1AZVFEVLU — The Shadowserver Foundation (@Shadowserver) May 1, 2026 Exploitation activity has been traced back to at least February 23, 2026, indicating that attackers were exploiting this zero-day roughly two months before any patch existed. Attack outcomes include ransomware deployment, website defacements, and botnet recruitment. The scale of exposure is alarming: approximately 650,000 cPanel/WHM instances remain internet-facing, with roughly 1.5 million potentially vulnerable instances identified via Shodan. CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities (KEV) catalog on May 1, 2026. Mitigations cPanel rolled out emergency patches across all active branches: Branch Vulnerable ≤ Patched Version 110.x 11.110.0.96 11.110.0.97 118.x 11.118.0.62 11.118.0.63 126.x 11.126.0.53 11.126.0.54 132.x 11.132.0.28 11.132.0.29 134.x 11.134.0.19 11.134.0.20 136.x 11.136.0.4 11.136.0.5 Administrators should immediately update via /scripts/upcp --force, restart the cpsrvd and cpdavd services, and block inbound traffic on cPanel ports 2083, 2087, 2095, and 2096 at the firewall. Security teams should audit session directories for suspicious session files containing injected fields and rotate all administrative credentials as a precaution. Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories. Tags cyber security cyber security news vulnerability Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News FBI and CISA Released Zero Trust Principles Implementation Guide for OT Environments Vimeo Confirms Data Breach – Hackers Accessed Users Database New Spyware Platform Lets Buyers Rebrand and Resell Android Surveillance Malware Critical Wireshark Vulnerabilities Let Attackers Execute Arbitrary Code Via Malformed Packets Checkmarx Confirms GitHub Repository Data Published on Dark Web Latest News Cyber Attack News Hackers Breach Government and Military Servers by Exploiting cPanel Vulnerability Cyber Security News Multiple Exim Mail Server Vulnerabilities Leads to Crash with Malicious DNS data Cyber Security News Attackers Deploy AiTM Phishing Pages to Access SharePoint, HubSpot, and Google Workspace Cyber Security News Attackers Abuse Google AppSheet, Netlify, and Telegram in Facebook Phishing Campaign Press Release Criminal IP and Securonix ThreatQ Collaborate to Enhance Threat Intelligence Operations