(picussecurity.com) CVE-2026-41940: Deep Dive into the cPanel & WHM Authentication Bypass Exploit Affecting 1.5 Million Servers
-
(picussecurity.com) CVE-2026-41940: Deep Dive into the cPanel & WHM Authentication Bypass Exploit Affecting 1.5 Million Servers
Critical authentication bypass in cPanel & WHM (CVE-2026-41940, CVSS 9.8) exposes 1.5M servers to pre-auth RCE. Actively exploited since Feb 2026, this zero-day grants root access via session hijacking. Patch immediately, rotate credentials, and purge sessions.
In brief - CVE-2026-41940 is a critical authentication bypass in cPanel & WHM, allowing unauthenticated attackers to gain root access to 1.5M internet-facing servers. Exploited in the wild since February 2026, it requires immediate patching and mitigation.
Technically - The exploit chains a CRLF injection in session files with a malformed cookie to disable encryption and manipulate session caching. Attackers inject newline-laced credentials via Basic-auth, bypass encryption, and plant a 'successful_internal_auth_with_timestamp' flag in session files. The flaw stems from missing sanitization, encryption bypass, and JSON cache discrepancies. Detection involves monitoring for CRLF in session files, privileged keys in failed logins, and anomalous access-log sequences.
-
R relay@relay.infosec.exchange shared this topic
