## https://sploitus.com/exploit?id=AD23DFC2-DC02-55EC-8817-4F88A42E20AC
# cpanel-cve-2026-41940-fix
> One-shot detection and remediation for cPanel/WHM servers compromised via **CVE-2026-41940** and the **`nuclear.x86`** botnet campaign.
[]()
[](#license)
[](https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026)
[]()
---
## What this is
On **28 April 2026**, cPanel disclosed a **pre-authentication** authentication-bypass vulnerability (CVE-2026-41940, CVSS 9.8) affecting **all supported cPanel & WHM versions after 11.40**. A single HTTP request to port 2087 lets an unauthenticated attacker inject a `user=root` session and walk straight into WHM.
Exploitation has been seen in the wild **since at least 23 February 2026** โ six weeks before the patch dropped. The campaign we've cleaned up on multiple servers drops a Linux botnet called **`nuclear.x86`** along with an XMRig-based crypto-miner.
This repo contains a single Bash script that:
* Detects whether your server is **vulnerable** (cPanel build check)
* Detects whether your server is **already compromised** (11 IOC checks)
* **Remediates** safely โ kills malware, blocks C2 IPs, purges forged sessions, restarts cpsrvd
* **Patches** cPanel/WHM via `/scripts/upcp --force`
* Generates a forensics report and preserves evidence
It is designed for **hosting providers, sysadmins, and cPanel resellers** who need to triage a fleet quickly.
---
## โ ๏ธ Before you run anything
If `wget` or `curl` return **`Killed`** when you try to download things, **the malware is still running** โ `nuclear.x86` actively kills download tools to prevent cleanup. Run the kill-step first (the script does this for you in `--fix` mode).
If you can't download this script because of that, copy-paste it via SSH from your laptop, or use `scp`.
---
## Installation
```bash
# As root, on the cPanel server:
cd /root
wget https://raw.githubusercontent.com/shahidmallaofficial/cpanel-cve-2026-41940-fix/main/fix-cpanel-cve-2026-41940.sh
chmod +x fix-cpanel-cve-2026-41940.sh
```
Or with `curl`:
```bash
cd /root
curl -fsSLO https://raw.githubusercontent.com/shahidmallaofficial/cpanel-cve-2026-41940-fix/main/fix-cpanel-cve-2026-41940.sh
chmod +x fix-cpanel-cve-2026-41940.sh
```
**One-liner** (review the script first, then run):
```bash
cd /root && \
curl -fsSLO https://raw.githubusercontent.com/shahidmallaofficial/cpanel-cve-2026-41940-fix/main/fix-cpanel-cve-2026-41940.sh && \
chmod +x fix-cpanel-cve-2026-41940.sh && \
less fix-cpanel-cve-2026-41940.sh
# After reviewing, run it:
./fix-cpanel-cve-2026-41940.sh
```
> **Verify before running.** This script runs as root and modifies system state. Open it and read it first. Do not pipe random scripts from the internet directly into `bash`.
---
## Usage
### Three modes
```bash
# 1. Scan only (default, no changes โ always safe to run)
./fix-cpanel-cve-2026-41940.sh
# 2. Scan + remediate, with a confirmation prompt for each destructive action
./fix-cpanel-cve-2026-41940.sh --fix
# 3. Full auto: fix + cPanel update + cache clear + light hardening
./fix-cpanel-cve-2026-41940.sh --auto
# 4. Unattended (no prompts โ for cron, jump-boxes, fleet scripts)
./fix-cpanel-cve-2026-41940.sh --auto -y
# 5. Help
./fix-cpanel-cve-2026-41940.sh --help
```
### Exit codes
| Code | Meaning |
|------|---------|
| `0` | Clean โ no IOCs detected |
| `2` | Compromise indicators detected (review the report) |
| `1` / other | Pre-flight failure (not root, not a cPanel server, etc.) |
### Output locations
* **Log:** `/var/log/cpanel-cve-fix/scan-.log`
* **Report:** `/var/log/cpanel-cve-fix/report-.txt`
* **Evidence backup:** `/root/cve-cleanup-backup-/`
---
## What it checks (scan phase)
| # | Check | What it catches |
|---|-------|-----------------|
| 1 | cPanel build vs patched releases | Vulnerable hosts (lists all 6 patched builds) |
| 2 | Running processes | `nuclear.x86`, `xmrig`, `cpuminer`, `minerd`, `xmr-stak`, `4thepool_miner` |
| 3 | Active network connections | The three known C2 IPs + mining-pool ports |
| 4 | Shell history files | IOC commands in `bash_history` / `zsh_history` |
| 5 | Firewall sanity | The `iptables -F` sabotage step |
| 6 | cPanel session raw dir | Forged `user=root` session files |
| 7 | `/tmp`, `/var/tmp`, `/dev/shm` | Recently dropped executables |
| 8 | Cron entries | Persistence (system + per-user) |
| 9 | `authorized_keys` files | New SSH keys โ read-only audit |
| 10 | cPanel access logs | `Go-http-client` / `python-requests` exploit signatures |
| 11 | Critical binaries | Tampered `wget` / `curl` / `ls` / `ps` (mtime + RPM verify) |
## What it does (fix / auto phase)
* **Kills** known malware processes (after snapshotting PID, cmdline, exe path)
* **Blocks** known C2 IPs in CSF if present, otherwise iptables (and persists rules)
* **Purges** `/var/cpanel/sessions/raw/*` (with tar.gz backup first)
* **Restarts** `cpsrvd`, `cpdavd`, `cphulkd`, `queueprocd`, `dnsadmin`
* **Patches** cPanel via `/scripts/upcp --force` (only in `--auto`)
* **Clears** package-manager caches, BIND DNS cache (`rndc flush`), old journal logs
* **Hardens** by enabling CSF `LF_INTEGRITY` if available
## What it deliberately does NOT do
These would do more harm than good when run unattended over SSH, so they go in the manual-action report instead:
* โ Rotate SSH keys (would lock you out of the very box you're running it on)
* โ Rotate cPanel / MySQL / email passwords (script can't update all the dependent configs)
* โ Restore data from backup (only you know your last-known-good restore point)
* โ Delete arbitrary files in `/home/*/public_html`
* โ Mass-delete cron entries
---
## Fleet usage
For sweeping many servers from a jump-box:
```bash
mkdir -p reports
while read -r host; do
echo "=== $host ==="
scp fix-cpanel-cve-2026-41940.sh "root@${host}:/root/" >/dev/null
ssh "root@${host}" '/root/fix-cpanel-cve-2026-41940.sh --auto -y'
scp "root@${host}:/var/log/cpanel-cve-fix/report-*.txt" "reports/${host}.txt" 2>/dev/null
done < servers.txt
```
Then grep the reports:
```bash
grep -l "COMPROMISE INDICATORS PRESENT" reports/*
```
---
## Manual actions you must still take after running the script
The script will list these in its report. **None of them can be safely automated.**
1. Rotate **every local Linux password** (the attacker has `/etc/shadow`)
2. Rotate **cPanel + reseller passwords** from WHM
3. Rotate **every MySQL/database password** and update `wp-config.php`, `.env`, `config.php`, etc.
4. Rotate **every email account password**
5. Rotate **every API token** (cPanel, WHM, third-party)
6. Regenerate **SSH keys** for root and any IT user โ and remove the old public key from GitHub / GitLab / Bitbucket / CI / deployment targets
7. Audit `/home/*/public_html` for **web-shells** (recently modified `.php` files)
8. Audit cPanel **email forwarders / FTP accounts / cron jobs** for backdoors
9. Restore data from a backup taken **before the first IOC timestamp** (industry-wide that's around 23 Feb 2026)
10. Tell affected customers to rotate their cPanel password **everywhere else they reused it**
---
## Patched cPanel / WHM versions
You need to be at or above one of these builds:
| Track | Patched build |
|---------|-----------------|
| 110.0.x | `11.110.0.97` |
| 118.0.x | `11.118.0.63` |
| 126.0.x | `11.126.0.54` |
| 132.0.x | `11.132.0.29` |
| 134.0.x | `11.134.0.20` |
| 136.0.x | `11.136.0.5` |
| WPยฒ | `11.136.1.7` |
Check yours with `/usr/local/cpanel/cpanel -V`.
---
## Indicators of compromise (IOCs)
| Type | Indicator |
|------|-----------|
| IP | `87.121.84.78` (nuclear.x86 drop) |
| IP | `45.148.120.23` (nuclear.x86 alt drop) |
| IP | `31.57.109.131` (miner script) |
| File | `nuclear.x86` (Mirai-derivative ELF) |
| Process | `nuclear.x86 xd` |
| Script | `4thepool_miner.sh` |
| User-Agent | `Go-http-client/1.1` hitting port 2087 |
| User-Agent | `python-requests/*` hitting port 2087 |
| Pattern | New file in `/var/cpanel/sessions/raw/` containing `user=root` without matching successful login in `login_log` |
| Pattern | Empty / flushed `iptables` ruleset |
---
## FAQ
**Is it safe to run on a healthy server?**
Yes. Default mode is scan-only and makes no changes. The fix and auto modes are idempotent.
**Will it cause downtime?**
`--fix` causes a brief WHM/cPanel interruption when it restarts `cpsrvd` (~10 seconds). `--auto` runs `/scripts/upcp --force` which can take 10โ30 minutes โ websites stay up during this, but WHM is briefly unavailable at the end.
**My cPanel version isn't in the patched list โ am I safe?**
If you're on a track older than 110.0.x, you're on an end-of-life version. cPanel will not ship a patch. **Treat the host as compromised** until proven otherwise and upgrade urgently.
**The script says `Killed` when it tries to do anything.**
That's `nuclear.x86` actively killing your tools. Run the kill step manually first:
```bash
pkill -9 -f nuclear.x86
```
Then re-run the script.
**Does this work on AlmaLinux / Rocky / CloudLinux / CentOS?**
Yes โ all standard cPanel platforms. Tested on AlmaLinux 8, Rocky 9, CloudLinux 7+.
**Will it touch my customer websites?**
No. The script does not modify anything in `/home/*/public_html`. It only touches OS-level config, cPanel sessions, firewall rules, and known-bad processes.
---
## Contributing
PRs welcome โ particularly for:
* Additional IOCs (new C2 IPs, new malware names) seen in the wild
* OS-specific hardening tweaks
* Translations of the report output
Please don't add anything that auto-rotates credentials or deletes user data โ keeping the destructive surface narrow is intentional.
---
## License
MIT. Use it, fork it, integrate it into your own tooling. Attribution appreciated but not required.
---
## Credits
Built by **[WHMCSPilot.com](https://whmcspilot.com)** โ `SM`.
Vulnerability research credit: cPanel security team, watchTowr Labs, Rapid7, KnownHost, and the broader hosting community who shared IOCs as the campaign unfolded.
---
## Disclaimer
This script is provided as-is, without warranty. It is a **first-response triage tool** โ not a substitute for a full incident-response engagement. If you handle PII, payment data, or other regulated data, consult your DPO and a qualified IR firm before declaring a compromised box clean.
If a server has been actively compromised, **the safest path is always to rebuild from a known-good backup, not to clean in place.**