The web hosting world is reeling following the release of cPanelSniper, a weaponized proof-of-concept (PoC) exploit targeting a maximum-severity vulnerability in cPanel & WHM. Tracked as CVE-2026-41940, this authentication bypass allows attackers to gain full root access to a server without ever needing a username or password.
The scale of the disaster is massive. On April 30, 2026, the Shadowserver Foundation confirmed that over 44,000 unique IP addresses are actively participating in the exploit wave. With nearly 1.5 million potentially vulnerable instances visible on Shodan, this is currently one of the most significant infrastructure threats of the year.
The Vulnerability: Writing Your Own Access
At the heart of the crisis is a flaw in cPanel’s Session.pm module. The vulnerability is a classic “logic error” in how the system saves login data.
- The Flaw: The system writes session data to the server’s disk before it cleans the data.
- The Exploit: By embedding “Line Break” (CRLF) characters into a standard login header, an attacker can trick the server into writing extra lines into its own session file.
- The Payload: Attackers inject fields such as user=root and hasroot=1. When cPanel reads that file back, it believes the user is already a fully verified administrator who has even passed Two-Factor Authentication (2FA).
Inside cPanelSniper: A Four-Stage Death Blow
Publicly released on GitHub by researcher Mitsec, the cPanelSniper framework automates the entire attack. It doesn’t just bypass the login; it provides an interactive “root shell” for the attacker.
- Minting: It creates a “ghost” session cookie using fake credentials.
- Poisoning: It sends the malicious “Authorization” header to write the root fields to the disk.
- Activation: It triggers a specific script (/scripts2/listaccts) that forces the server to load the poisoned session data.
- Verification: It queries the server’s version API. If it receives a successful response, the server is flagged as “PWNED.”
The “Zero-Day” Timeline
While cPanel issued emergency patches on April 28, 2026, evidence shows that hackers have been quietly exploiting this flaw since February 23. This means organizations were being breached for two months before a fix was even available.
Due to the extreme risk, CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities (KEV) catalog on May 1, 2026, ordering federal agencies to patch immediately.
Remediation: Secure Your Server Now
If you run a cPanel/WHM server, you must treat this as a “Code Red” event.
- Update Immediately: Run the command /scripts/upcp --force to pull the emergency patch. Ensure your version is at least 11.136.0.5 (for the 136.x branch) or the equivalent for your version.
- Restart Services: You must restart cpsrvd and cpdavd for the patch to take effect.
- Firewall Lockdown: Block inbound traffic on cPanel ports 2083, 2087, 2095, and 2096 at the network perimeter, allowing access only from trusted IP addresses.
- Audit Sessions: Check your session directories for any files containing user=root injections. If found, assume the server is fully compromised and begin incident response.
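A session audit of the kind the last item describes, as an added example that is not part of the article or of cPanel’s own tooling: it flags session files that carry the injected user=root or hasroot=1 fields and, as an extra heuristic, keys that appear twice (appended lines repeat a key the legitimate writer already set). The one-key=value-per-line file layout, the sample session bodies and the directory argument are assumptions, not documented cPanel behaviour.

```python
import os
import sys
from collections import Counter

# Indicator fields the article names as the injected payload.
INJECTED_FIELDS = {("user", "root"), ("hasroot", "1")}

# Constructed sample session bodies; the one-key=value-per-line layout is an
# assumption, not a documented cPanel format.
CLEAN_SESSION = "user=alice\nlang=en\n"
POISONED_SESSION = "user=alice\r\nuser=root\r\nhasroot=1\r\n"  # lines appended via CRLF


def parse_session(text):
    """Return (key, value) pairs, one per line; lines without '=' are skipped."""
    pairs = []
    for raw in text.splitlines():  # splitlines() accepts both LF and CRLF endings
        if "=" in raw:
            key, _, value = raw.partition("=")
            pairs.append((key.strip(), value.strip()))
    return pairs


def audit_session(text):
    """List findings for one session body; an empty list means no indicator."""
    pairs = parse_session(text)
    findings = [f"injected field {k}={v}" for k, v in pairs if (k, v) in INJECTED_FIELDS]
    # Heuristic: the legitimate writer sets each key once, so a key that appears
    # twice suggests extra lines were appended to the file.
    counts = Counter(k for k, _ in pairs)
    findings += [f"duplicate key {k}" for k, n in sorted(counts.items()) if n > 1]
    return findings


def scan_session_dir(session_dir):
    """Map each suspicious file path to its findings; clean files are omitted."""
    results = {}
    for name in sorted(os.listdir(session_dir)):
        path = os.path.join(session_dir, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = audit_session(fh.read())
            if findings:
                results[path] = findings
    return results


if __name__ == "__main__":
    # Pass your session directory as the argument (placeholder, not a cPanel path).
    for path, findings in scan_session_dir(sys.argv[1]).items():
        print(f"{path}: {'; '.join(findings)}")
```

Any file listed in the output should be treated as evidence of compromise, as the article advises, rather than simply deleted.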