{"uuid": "8323d8cf-1ae1-46fb-80e2-61ac7b7c2ea2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-41940", "type": "seen", "source": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/cpanel_whm_auth_bypass_rce.rb", "content": "{\"aliases\": [], \"arch\": \"cmd\", \"author\": [\"Sina Kheirkhah\", \"Adam Kues\", \"Shubham Shah\", \"Crypto-Cat\"], \"autofilter_ports\": [80, 8080, 443, 8000, 8888, 8880, 8008, 3000, 8443], \"autofilter_services\": [\"http\", \"https\"], \"check\": true, \"default_credential\": false, \"description\": \"Exploits CVE-2026-41940, a CRLF injection in cPanel/WHM's cpsrvd daemon\\n          that allows unauthenticated remote code execution as root.\\n\\n          The Basic-auth handler writes the password to the raw session file without\\n          stripping newlines. Omitting the ob-part of the session cookie bypasses the\\n          encoder, so injected fields land verbatim in the raw file. A subsequent\\n          request to /scripts2/listaccts triggers Cpanel::Session::Modify to promote\\n          those fields into the authoritative session cache, granting root WHM access.\\n\\n          RCE uses the WHM JSON API passwd endpoint to set a temporary root password,\\n          then delivers the payload over SSH. The password is rotated after exploitation.\\n          This module does not restore the original root password.\\n\\n          Affects all versions after 11.40. Fixed per branch: 11.86.0.41, 11.110.0.97,\\n          11.118.0.63, 11.124.0.35, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20,\\n          11.136.0.5 (cPanel/WHM) and 136.1.7 (WP2).\", \"disclosure_date\": \"2026-04-28\", \"fullname\": \"exploit/multi/http/cpanel_whm_auth_bypass_rce\", \"is_install_path\": true, \"mod_time\": \"2026-05-18 10:52:42 +0000\", \"name\": \"cPanel/WHM CRLF Injection Authentication Bypass RCE\", \"needs_cleanup\": null, \"notes\": {\"Reliability\": [\"repeatable-session\"], \"SideEffects\": [\"ioc-in-logs\", \"config-changes\"], \"Stability\": [\"crash-safe\"]}, \"path\": \"/modules/exploits/multi/http/cpanel_whm_auth_bypass_rce.rb\", \"platform\": \"Unix\", \"post_auth\": false, \"rank\": 600, \"ref_name\": \"multi/http/cpanel_whm_auth_bypass_rce\", \"references\": [\"CVE-2026-41940\", \"URL-https://support.cpanel.net/hc/en-us/articles/40073787579671\", \"URL-https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/\", \"URL-https://slcyber.io/research-center/high-fidelity-check-for-the-cpanel-authentication-bypass-cve-2026-41940/\", \"URL-https://www.rapid7.com/blog/post/etr-cve-2026-41940-cpanel-whm-authentication-bypass/\"], \"rport\": 2087, \"session_types\": false, \"targets\": [\"Automatic\"], \"type\": \"exploit\"}", "creation_timestamp": "2026-05-18T12:22:19.000000Z"}