## https://sploitus.com/exploit?id=A1919996-9F4F-599A-85F6-A2D1DE5E0A8D
# CVE-2026-41940: cPanel/WHM Authentication Bypass
> **Disclaimer:** This document and the associated script (`exploit.py`) are provided strictly for educational purposes, security research, and authorized penetration testing. Do not use this software against systems you do not own or do not have explicit permission to test.
## Overview
`exploit.py` is a Proof of Concept (PoC) script demonstrating an authentication bypass vulnerability (CVE-2026-41940) in cPanel & WHM. The vulnerability allows an unauthenticated attacker to inject a forged root session into the daemon cache via a CRLF injection flaw, ultimately granting root-level WHM access without requiring valid credentials.
## Vulnerability Analysis & Exploit Flow
The exploit works by leveraging a CRLF (Carriage Return Line Feed) injection vulnerability within the Basic Authentication handling mechanism, combined with a session propagation flaw. The script automates the attack in four primary stages:
1. **Pre-Auth Session Minting:** The script connects to public login endpoints (e.g., `/login/` or `/cgi/login.cgi`) to acquire a baseline, unauthenticated session cookie (`whostmgrsession`).
2. **CRLF Injection:** It then sends a crafted Basic Authentication header containing a Base64-encoded payload. This payload utilizes CRLF injection to insert root session fields directly into the `cpsrvd` session cache. The server's redirect response leaks the newly generated security token (`cpsess`).
3. **Session Propagation:** The raw session cookie is sent to an authenticated WHM endpoint. This triggers `do_token_denied`, which propagates the forged, injected session into the daemon cache, effectively making it a valid authenticated session.
4. **Verification:** Finally, the script attempts to access restricted WHM API endpoints (like `/json-api/version`) using the forged session to verify that root-level access has been successfully achieved.
## Script Usage
The script provides various features to demonstrate the impact of the vulnerability once bypassed.
### Prerequisites
- Python 3.x
- `requests` library
- `colorama` library (optional, for colored terminal output)
You can install the required dependencies using:
```bash
pip install requests colorama
```
### Command-Line Arguments
* `--target URL`: The target WHM URL (e.g., `https://target:2087`) (Required)
* `--shell`: Drops into an interactive, minimal WHM API shell.
* `--exec CMD`: Executes an OS-level command via the WHM API.
* `--dump`: Dumps server information including version, accounts, and privileges.
* `--api FUNC`: Calls a specific WHM JSON-API function.
* `--password PASS`: Attempts to change the root password.
* `--add-user USER PASS DOMAIN`: Creates a new cPanel account.
* `--revshell LHOST LPORT`: Sends a reverse shell to a specified listener.
* `--no-verify`: Skips the verification stage and proceeds even if probes return 403.
* `--output FILE`: Saves the session token and details to a JSON file for later reuse.
### Example Commands
**Verify the vulnerability and drop into an interactive shell:**
```bash
python exploit.py --target https://target:2087 --shell
```
**Dump server information:**
```bash
python exploit.py --target https://target:2087 --dump
```
**Execute a specific command:**
```bash
python exploit.py --target https://target:2087 --exec "id"
```
## Remediation and Mitigation
Administrators running affected versions of cPanel/WHM should immediately apply the latest security patches provided by cPanel.
Additionally, consider implementing the following defense-in-depth measures:
- **Network Segmentation:** Restrict access to WHM administration ports (2086/2087) using firewalls or IP allowlisting, ensuring only trusted administrative IP addresses can reach the interface.
- **Monitoring:** Implement robust monitoring and alerting for anomalous API usage, unexpected configuration changes, or unusual authentication patterns.