CATASTROPHIC: 70 Million Websites Hacked—cPanel 0-Day Lets Attackers Wipe Your Server with 5 HTTP Requests + Video


Introduction:

A critical authentication bypass vulnerability in cPanel & WHM, tracked as CVE-2026-41940 with a CVSS score of 9.8, is being actively exploited in the wild after being used for over 60 days before disclosure. The flaw allows unauthenticated remote attackers to inject a CRLF payload that grants them root-level access to the hosting control panel in just five HTTP requests, effectively bypassing passwords and two-factor authentication entirely. With over 1.5 million cPanel instances exposed online and approximately 70 million websites potentially affected, this represents one of the most significant web hosting infrastructure threats in recent history.

Learning Objectives:

  • Understand the technical mechanics of the CRLF injection authentication bypass and the four-step exploitation chain.
  • Learn to detect compromise using vendor-supplied indicators of compromise (IOCs) and forensic analysis of session files.
  • Implement immediate patching, firewall mitigation, and post-compromise remediation for affected cPanel & WHM servers.

You Should Know:

1. CRLF Injection Meets Session Poisoning—Anatomy of a 5‑Request Root Takeover

CVE-2026-41940 resides in the authentication layer of cPanel & WHM, including DNSOnly deployments, affecting all versions after 11.40. The root cause is a failure to sanitize newline characters in the Authorization header during the pre‑authentication session creation process. The cpsrvd service writes user‑supplied input from the Basic Auth header directly into a raw session file on disk, bypassing the `filter_sessiondata()` sanitization function that normally strips CR/LF characters.

The exploit unfolds in four precise steps. First, the attacker sends a failed login request to mint a pre‑authentication session, receiving a base session identifier. Second, they craft a GET request with an Authorization header containing a CRLF‑injected payload (e.g., \r\nuser=root\r\nhasroot=1\r\ntfa_verified=1) and a cookie without the obfuscation suffix, causing these malicious key‑value pairs to be written verbatim into the raw session file. Third, they trigger the `do_token_denied()` handler, which forces the server to re‑parse the raw session file and promotes the injected attributes into the JSON cache. Finally, the attacker accesses a WHM API endpoint and is granted fully authenticated root access without a password.

Key technical insight: the Perl interpreter’s randomized hash iteration order introduces a race condition where the legitimate `cp_security_token` may overwrite the attacker’s injected one. However, the exploit retries the attack chain multiple times (typically up to five) until the poisoning succeeds. The watchTowr PoC script targets port 2087 (WHM) and successfully confirms exploitation against vulnerable instances running builds such as 11.110.0.89 and earlier.

Step‑by‑step detection and verification:

# Verify the installed cPanel build
/usr/local/cpanel/cpanel -V

# Run the updater (checks for and installs the latest build of the configured tier)
/scripts/upcp --force

To test for vulnerability in an authorized environment, the watchTowr detection script can be executed:

python3 authbypass-RCE.py --target https://target:2087/

2. Hunting for Compromise—IOC Detection Scripts and Forensic Indicators

Given that exploitation has been active since at least February 23, 2026, simply patching is insufficient. Every server must undergo forensic analysis to identify whether it suffered a silent compromise during the exposure window. cPanel has released an official detection script (ioc_checksessions_files.sh) that scans for several high‑confidence indicators.

The primary IOC to hunt for is the combination of `token_denied` and `cp_security_token` coexisting in a session file with `origin_as_string` containing method=badpass. This pattern indicates that an attacker injected a token and then attempted to use it, triggering a token mismatch. Additionally, any pre‑auth session file that contains authenticated attributes such as successful_external_auth_with_timestamp, user=root, or `hasroot=1` is a definitive sign of compromise.

Forensic examiners should also analyze `access_log` for the presence of the injected token value (/cpsess......) with HTTP 200 status codes, review `/var/log/wtmp` for unauthorized SSH logins, and search for backdoors including unexpected cron entries, added SSH keys, and web shells in cPanel user home directories.
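As an added example (not cPanel's code and not the vendor's ioc_checksessions_files.sh), the following Python puts the points of sections 1 and 2 side by side: a session writer that copies the Basic-Auth username into a key=value record verbatim next to one that runs it through a CR/LF filter first, followed by a small scan for the indicators listed above across raw session records and access_log lines. The one-key=value-per-line session layout, the function names and the access_log field order are assumptions made for the demonstration; every sample record and log line is constructed.

```python
"""Added example (not cPanel code, not the vendor's ioc_checksessions_files.sh).

Part 1: the CRLF bug class from section 1, as a session writer that persists
the Basic-Auth username verbatim, beside one that strips CR/LF first.
Part 2: a scan for the section 2 indicators over session records and access_log.
Assumptions: the key=value-per-line session layout, the function names and the
access_log field order.  All sample data is constructed.
"""
import re

CRLF = re.compile(r"[\r\n]")


def parse_session(raw: str) -> dict:
    """Parse a key=value-per-line record; a later key silently overrides an
    earlier one, which is exactly what makes injected lines dangerous."""
    record = {}
    for line in raw.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            record[key] = value
    return record


def write_session_unsafe(username: str) -> str:
    """Vulnerable pattern: user input reaches the record unfiltered, so a
    value containing CR/LF turns into extra lines, i.e. extra keys."""
    return f"hasroot=0\nuser={username}\n"


def filter_sessiondata(value: str) -> str:
    """Hardened pattern: strip CR/LF before persisting (the article says the
    real filter_sessiondata() does this on the normal path; name reused)."""
    return CRLF.sub("", value)


def write_session_safe(username: str) -> str:
    return f"hasroot=0\nuser={filter_sessiondata(username)}\n"


# Attributes a pre-auth session must never carry (taken from the article's IOC list)
PRIVILEGED_VALUES = {"user": "root", "hasroot": "1", "tfa_verified": "1"}
PRIVILEGED_KEYS = {"successful_external_auth_with_timestamp"}


def session_indicators(raw: str) -> list:
    """Return a description of every IOC that matches one raw session record."""
    s = parse_session(raw)
    hits = []
    if ("token_denied" in s and "cp_security_token" in s
            and "method=badpass" in s.get("origin_as_string", "")):
        hits.append("token_denied+cp_security_token with method=badpass")
    for key, value in PRIVILEGED_VALUES.items():
        if s.get(key) == value:
            hits.append(f"privileged attribute {key}={value}")
    for key in PRIVILEGED_KEYS & s.keys():
        hits.append(f"privileged attribute {key}")
    return hits


# Assumed access_log shape: client ident user [timestamp] "request" status size
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def access_log_hits(lines, token: str) -> list:
    """(client IP, path) for requests that used the injected token and got HTTP 200."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and m.group("path").startswith(token) and m.group("status") == "200":
            hits.append((m.group("ip"), m.group("path")))
    return hits


# Constructed sample data (no real hosts, tokens or users)
SAMPLE_CLEAN = "origin_as_string=method=handle_form_login\nuser=alice\nhasroot=0\n"
SAMPLE_POISONED = (
    "origin_as_string=method=badpass\n"
    "user=root\n"
    "hasroot=1\n"
    "cp_security_token=/cpsess1234567890\n"
    "token_denied=1\n"
)
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Feb/2026:03:14:15 +0000] "GET /cpsess1234567890/json-api/listaccts HTTP/1.1" 200 512',
    '198.51.100.9 - - [24/Feb/2026:03:14:16 +0000] "GET /cpsess1234567890/json-api/listaccts HTTP/1.1" 403 120',
    '192.0.2.5 - alice [24/Feb/2026:03:15:00 +0000] "GET /cpsess9999999999/frontend/jupiter/index.html HTTP/1.1" 200 8000',
]

if __name__ == "__main__":
    crafted = "guest\r\nuser=root\r\nhasroot=1"   # the shape of value the article describes
    print("unsafe:", parse_session(write_session_unsafe(crafted)))
    print("safe:  ", parse_session(write_session_safe(crafted)))
    for name, rec in (("clean", SAMPLE_CLEAN), ("poisoned", SAMPLE_POISONED)):
        print(name, session_indicators(rec))
    print(access_log_hits(SAMPLE_LOG, "/cpsess1234567890"))
```

The unsafe writer shows why "last key wins" parsing matters: the injected `hasroot=1` lands after the legitimate `hasroot=0` and overrides it, whereas the filtered value collapses into a single harmless `user=` entry. The access_log scan deliberately requires the specific injected token rather than any `/cpsess` path, because legitimate sessions also carry `/cpsess` prefixes and would otherwise drown the result in noise.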

Step‑by‑step incident response and evidence collection:

# Download and run the cPanel IOC detection script
curl -O https://support.cpanel.net/hc/en-us/article_attachments/.../ioc_checksessions_files.sh
chmod +x ioc_checksessions_files.sh
./ioc_checksessions_files.sh --verbose

# Manual inspection of suspicious session files
ls -la /var/cpanel/sessions/raw/
cat /var/cpanel/sessions/raw/<session-file>

# Extract attacker IP addresses from access logs
grep -E "POST /login/|GET /cpsess" /usr/local/cpanel/logs/access_log | awk '{print $1}' | sort -u

3. Emergency Mitigation—Patch, Block, or Stop

The only complete fix is to update to a patched version. cPanel has released emergency updates for all affected release tiers. Administrators must force an update immediately, verify the new build, and restart the `cpsrvd` service. However, any server that has had automatic updates disabled or version pinning applied must be manually remediated as a priority.

If patching is impossible in the immediate short term, two defensive options exist. First, block inbound traffic on the affected ports at the network firewall: 2082, 2083 (cPanel), 2086, 2087 (WHM), 2095, 2096 (webmail). Second, stop the `cpsrvd` and `cpdavd` services entirely via WHM API commands, which will prevent any access to the control panel interfaces.

Step‑by‑step patching and firewall hardening:

# Force update cPanel to patched version
/scripts/upcp --force

# Verify updated build version
/usr/local/cpanel/cpanel -V

# Restart cPanel service
/scripts/restartsrv_cpsrvd --hard

# For CentOS 6 or CloudLinux 6 legacy systems
whmapi1 set_tier tier=11.110.0.103
/scripts/upcp --force

# Block affected ports with iptables (Linux)
iptables -A INPUT -p tcp --dport 2082 -j DROP
iptables -A INPUT -p tcp --dport 2083 -j DROP
iptables -A INPUT -p tcp --dport 2086 -j DROP
iptables -A INPUT -p tcp --dport 2087 -j DROP
iptables -A INPUT -p tcp --dport 2095 -j DROP
iptables -A INPUT -p tcp --dport 2096 -j DROP

# Stop cpsrvd and cpdavd services as emergency measure
whmapi1 configureservice service=cpsrvd enabled=0 monitored=0
whmapi1 configureservice service=cpdavd enabled=0 monitored=0
/scripts/restartsrv_cpsrvd --stop
/scripts/restartsrv_cpdavd --stop

4. Post‑Breach Recovery—Full Rotation of Credentials and Backdoor Hunting

Systems that were vulnerable during the exploitation window (late February 2026 onward) must be treated as compromised even if no obvious IOC is found. Attackers could have injected backdoors that are not caught by the initial IOC scanner. The mandatory remediation steps include:

Force a password reset for the root user and every WHM user account. Regenerate all API tokens, including cPanel API tokens and WHM API tokens, as these could have been exfiltrated. Rotate all SSL private keys for every hosted domain, as an attacker with root access could have copied them. Rebuild user passwords for all cPanel hosting accounts, as password hashes may have been stolen from `/etc/shadow` or the MySQL `mysql.user` table.

Most critically, inspect the `authorized_keys` file for root and all user accounts, audit cron jobs (/var/spool/cron/ and /etc/crontab) for persistence, and search for web shells in the cPanel user directory structure (e.g., find /home/*/public_html -name "*.php" -exec grep -l "eval(" {} \;).
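An added example (not cPanel tooling) of what "remove unknown keys" can mean in practice: compare every key in an authorized_keys file against an allowlist of SHA256 fingerprints, so the review is done by fingerprint rather than by eyeballing base64 blobs. The fingerprint format follows OpenSSH's (base64 of the SHA-256 of the decoded key blob, trailing padding removed); the two sample keys are built from fixed bytes and identify nobody.

```python
"""Added example, not cPanel tooling: review authorized_keys by fingerprint.
Keys whose SHA256 fingerprint is not on the allowlist are reported together
with any options prefix (from=, command=, ...) so the reviewer sees them.
The sample keys are constructed from fixed bytes and identify nobody."""
import base64
import hashlib
import re
import struct

# One authorized_keys line: [options] key-type base64-blob [comment]
KEY_LINE = re.compile(
    r'^(?:(?P<opts>.*?)\s+)?'
    r'(?P<type>ssh-[a-z0-9]+|ecdsa-sha2-\S+|sk-\S+)\s+'
    r'(?P<blob>[A-Za-z0-9+/=]+)'
    r'(?:\s+(?P<comment>.*))?$'
)


def ssh_blob(key_type: str, raw_key: bytes) -> str:
    """Encode a public key in OpenSSH wire form (string type, string key) as base64."""
    wire = (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", len(raw_key)) + raw_key)
    return base64.b64encode(wire).decode()


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (padding stripped)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list:
    """Return one dict per key line; blank lines, comments and junk are skipped."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_LINE.match(line)
        if m:
            keys.append(m.groupdict())
    return keys


def audit_authorized_keys(text: str, allowlist: set) -> list:
    """List every key whose fingerprint is not on the allowlist."""
    findings = []
    for key in parse_authorized_keys(text):
        fp = fingerprint(key["blob"])
        if fp not in allowlist:
            findings.append({
                "fingerprint": fp,
                "type": key["type"],
                "options": key["opts"] or "",
                "comment": key["comment"] or "",
            })
    return findings


# Constructed sample: one approved key, one that is not on the allowlist.
# (32 fixed bytes stand in for an Ed25519 public key; they are not a real key.)
KNOWN_BLOB = ssh_blob("ssh-ed25519", b"\x01" * 32)
UNLISTED_BLOB = ssh_blob("ssh-ed25519", b"\x02" * 32)
ALLOWLIST = {fingerprint(KNOWN_BLOB)}
SAMPLE_AUTHORIZED_KEYS = (
    "# root authorized_keys (constructed)\n"
    f"ssh-ed25519 {KNOWN_BLOB} ops@example.test\n"
    f'from="203.0.113.7" ssh-ed25519 {UNLISTED_BLOB} unlisted@example.test\n'
)

if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        print(finding)
```

Run it against a real file with `audit_authorized_keys(open("/root/.ssh/authorized_keys").read(), allowlist)` where the allowlist is built from fingerprints recorded before the exposure window; the same function applies to every cPanel user's `~/.ssh/authorized_keys`. Keys carrying `from=` or `command=` options deserve a second look even when their fingerprint is known.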

Step‑by‑step credential rotation and backdoor hunting:

# Rotate root password
passwd root

# Regenerate cPanel API tokens via command line
whmapi1 refresh_service_token service=cpanel

# List SSH keys, then manually edit the file to remove unknown keys
cat /root/.ssh/authorized_keys

# Audit system crontab
cat /etc/crontab
ls -la /etc/cron.d/
ls -la /var/spool/cron/

# Search for common web shells in cPanel accounts
# (-q on the first grep keeps the "both strings present" match but prints each file once)
find /home/*/public_html -name "*.php" -exec grep -q "eval(" {} \; -exec grep -l "base64_decode" {} \;
# Parentheses are required: without them -o ties the -exec to the -cgi test only
find /home/*/public_html \( -name "*.pl" -o -name "*.cgi" \) -exec grep -l "system(" {} \;

What Undecode Says:

  • Silent breaches are the new norm. With CVE-2026-41940 being exploited for over 60 days before public disclosure, the industry has starkly shifted from chasing zero‑days to remediating silent, long‑term compromises that likely occurred in your environment months ago. Patch cycles have proven insufficient; proactive threat hunting and forensic readiness are no longer optional.

  • Vulnerabilities are not getting more complex—defenders are getting slower. This flaw is a CRLF injection, a bug class from the early 2000s. The simple reality is that while defenders invest in AI defenses, a basic newline injection is still bypassing authentication on major infrastructure platforms. The bottleneck has shifted from “do we have AI defense” to “have we patched 2003.”

Prediction:

The fallout from CVE-2026-41940 will result in multiple major data breaches over the next 6‑12 months as attackers who gained root access between February and April of 2026 are discovered. We predict a wave of class‑action lawsuits against hosting providers that failed to patch promptly, increased government regulation mandating faster disclosure windows for actively exploited zero‑days, and a permanent shift toward immutable infrastructure where control panel access is ephemeral and continuously validated. Additionally, expect China’s MSS and Russia’s APT groups to have heavily leveraged this vulnerability for supply chain compromise across the hosting ecosystem.

Reported By: Cybersecuritynews Cpanel – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅