Share
## https://sploitus.com/exploit?id=AD23DFC2-DC02-55EC-8817-4F88A42E20AC
# cpanel-cve-2026-41940-fix

> One-shot detection and remediation for cPanel/WHM servers compromised via **CVE-2026-41940** and the **`nuclear.x86`** botnet campaign.

[![Bash](https://img.shields.io/badge/bash-5.0%2B-green.svg)]()
[![License](https://img.shields.io/badge/license-MIT-blue.svg)](#license)
[![CVE](https://img.shields.io/badge/CVE--2026--41940-CVSS%209.8-red.svg)](https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026)
[![Status](https://img.shields.io/badge/exploitation-active%20in%20the%20wild-red.svg)]()

---

## What this is

On **28 April 2026**, cPanel disclosed a **pre-authentication** authentication-bypass vulnerability (CVE-2026-41940, CVSS 9.8) affecting **all supported cPanel & WHM versions after 11.40**. A single HTTP request to port 2087 lets an unauthenticated attacker inject a `user=root` session and walk straight into WHM.

Exploitation has been seen in the wild **since at least 23 February 2026** โ€” six weeks before the patch dropped. The campaign we've cleaned up on multiple servers drops a Linux botnet called **`nuclear.x86`** along with an XMRig-based crypto-miner.

This repo contains a single Bash script that:

* Detects whether your server is **vulnerable** (cPanel build check)
* Detects whether your server is **already compromised** (11 IOC checks)
* **Remediates** safely โ€” kills malware, blocks C2 IPs, purges forged sessions, restarts cpsrvd
* **Patches** cPanel/WHM via `/scripts/upcp --force`
* Generates a forensics report and preserves evidence

It is designed for **hosting providers, sysadmins, and cPanel resellers** who need to triage a fleet quickly.

---

## โš ๏ธ Before you run anything

If `wget` or `curl` return **`Killed`** when you try to download things, **the malware is still running** โ€” `nuclear.x86` actively kills download tools to prevent cleanup. Run the kill-step first (the script does this for you in `--fix` mode).

If you can't download this script because of that, copy-paste it via SSH from your laptop, or use `scp`.

---

## Installation

```bash
# As root, on the cPanel server:
cd /root
wget https://raw.githubusercontent.com/shahidmallaofficial/cpanel-cve-2026-41940-fix/main/fix-cpanel-cve-2026-41940.sh
chmod +x fix-cpanel-cve-2026-41940.sh
```

Or with `curl`:

```bash
cd /root
curl -fsSLO https://raw.githubusercontent.com/shahidmallaofficial/cpanel-cve-2026-41940-fix/main/fix-cpanel-cve-2026-41940.sh
chmod +x fix-cpanel-cve-2026-41940.sh
```

**One-liner** (review the script first, then run):

```bash
cd /root && \
curl -fsSLO https://raw.githubusercontent.com/shahidmallaofficial/cpanel-cve-2026-41940-fix/main/fix-cpanel-cve-2026-41940.sh && \
chmod +x fix-cpanel-cve-2026-41940.sh && \
less fix-cpanel-cve-2026-41940.sh
# After reviewing, run it:
./fix-cpanel-cve-2026-41940.sh
```

> **Verify before running.** This script runs as root and modifies system state. Open it and read it first. Do not pipe random scripts from the internet directly into `bash`.

---

## Usage

### Three modes

```bash
# 1. Scan only (default, no changes โ€” always safe to run)
./fix-cpanel-cve-2026-41940.sh

# 2. Scan + remediate, with a confirmation prompt for each destructive action
./fix-cpanel-cve-2026-41940.sh --fix

# 3. Full auto: fix + cPanel update + cache clear + light hardening
./fix-cpanel-cve-2026-41940.sh --auto

# 4. Unattended (no prompts โ€” for cron, jump-boxes, fleet scripts)
./fix-cpanel-cve-2026-41940.sh --auto -y

# 5. Help
./fix-cpanel-cve-2026-41940.sh --help
```

### Exit codes

| Code | Meaning |
|------|---------|
| `0`  | Clean โ€” no IOCs detected |
| `2`  | Compromise indicators detected (review the report) |
| `1` / other | Pre-flight failure (not root, not a cPanel server, etc.) |

### Output locations

* **Log:** `/var/log/cpanel-cve-fix/scan-.log`
* **Report:** `/var/log/cpanel-cve-fix/report-.txt`
* **Evidence backup:** `/root/cve-cleanup-backup-/`

---

## What it checks (scan phase)

| # | Check | What it catches |
|---|-------|-----------------|
| 1 | cPanel build vs patched releases | Vulnerable hosts (lists all 6 patched builds) |
| 2 | Running processes | `nuclear.x86`, `xmrig`, `cpuminer`, `minerd`, `xmr-stak`, `4thepool_miner` |
| 3 | Active network connections | The three known C2 IPs + mining-pool ports |
| 4 | Shell history files | IOC commands in `bash_history` / `zsh_history` |
| 5 | Firewall sanity | The `iptables -F` sabotage step |
| 6 | cPanel session raw dir | Forged `user=root` session files |
| 7 | `/tmp`, `/var/tmp`, `/dev/shm` | Recently dropped executables |
| 8 | Cron entries | Persistence (system + per-user) |
| 9 | `authorized_keys` files | New SSH keys โ€” read-only audit |
| 10 | cPanel access logs | `Go-http-client` / `python-requests` exploit signatures |
| 11 | Critical binaries | Tampered `wget` / `curl` / `ls` / `ps` (mtime + RPM verify) |

## What it does (fix / auto phase)

* **Kills** known malware processes (after snapshotting PID, cmdline, exe path)
* **Blocks** known C2 IPs in CSF if present, otherwise iptables (and persists rules)
* **Purges** `/var/cpanel/sessions/raw/*` (with tar.gz backup first)
* **Restarts** `cpsrvd`, `cpdavd`, `cphulkd`, `queueprocd`, `dnsadmin`
* **Patches** cPanel via `/scripts/upcp --force` (only in `--auto`)
* **Clears** package-manager caches, BIND DNS cache (`rndc flush`), old journal logs
* **Hardens** by enabling CSF `LF_INTEGRITY` if available

## What it deliberately does NOT do

These would do more harm than good when run unattended over SSH, so they go in the manual-action report instead:

* โŒ Rotate SSH keys (would lock you out of the very box you're running it on)
* โŒ Rotate cPanel / MySQL / email passwords (script can't update all the dependent configs)
* โŒ Restore data from backup (only you know your last-known-good restore point)
* โŒ Delete arbitrary files in `/home/*/public_html`
* โŒ Mass-delete cron entries

---

## Fleet usage

For sweeping many servers from a jump-box:

```bash
mkdir -p reports
while read -r host; do
    echo "=== $host ==="
    scp fix-cpanel-cve-2026-41940.sh "root@${host}:/root/" >/dev/null
    ssh "root@${host}" '/root/fix-cpanel-cve-2026-41940.sh --auto -y'
    scp "root@${host}:/var/log/cpanel-cve-fix/report-*.txt" "reports/${host}.txt" 2>/dev/null
done < servers.txt
```

Then grep the reports:

```bash
grep -l "COMPROMISE INDICATORS PRESENT" reports/*
```

---

## Manual actions you must still take after running the script

The script will list these in its report. **None of them can be safely automated.**

1. Rotate **every local Linux password** (the attacker has `/etc/shadow`)
2. Rotate **cPanel + reseller passwords** from WHM
3. Rotate **every MySQL/database password** and update `wp-config.php`, `.env`, `config.php`, etc.
4. Rotate **every email account password**
5. Rotate **every API token** (cPanel, WHM, third-party)
6. Regenerate **SSH keys** for root and any IT user โ€” and remove the old public key from GitHub / GitLab / Bitbucket / CI / deployment targets
7. Audit `/home/*/public_html` for **web-shells** (recently modified `.php` files)
8. Audit cPanel **email forwarders / FTP accounts / cron jobs** for backdoors
9. Restore data from a backup taken **before the first IOC timestamp** (industry-wide that's around 23 Feb 2026)
10. Tell affected customers to rotate their cPanel password **everywhere else they reused it**

---

## Patched cPanel / WHM versions

You need to be at or above one of these builds:

| Track   | Patched build   |
|---------|-----------------|
| 110.0.x | `11.110.0.97`   |
| 118.0.x | `11.118.0.63`   |
| 126.0.x | `11.126.0.54`   |
| 132.0.x | `11.132.0.29`   |
| 134.0.x | `11.134.0.20`   |
| 136.0.x | `11.136.0.5`    |
| WPยฒ     | `11.136.1.7`    |

Check yours with `/usr/local/cpanel/cpanel -V`.

---

## Indicators of compromise (IOCs)

| Type | Indicator |
|------|-----------|
| IP | `87.121.84.78` (nuclear.x86 drop) |
| IP | `45.148.120.23` (nuclear.x86 alt drop) |
| IP | `31.57.109.131` (miner script) |
| File | `nuclear.x86` (Mirai-derivative ELF) |
| Process | `nuclear.x86 xd` |
| Script | `4thepool_miner.sh` |
| User-Agent | `Go-http-client/1.1` hitting port 2087 |
| User-Agent | `python-requests/*` hitting port 2087 |
| Pattern | New file in `/var/cpanel/sessions/raw/` containing `user=root` without matching successful login in `login_log` |
| Pattern | Empty / flushed `iptables` ruleset |

---

## FAQ

**Is it safe to run on a healthy server?**
Yes. Default mode is scan-only and makes no changes. The fix and auto modes are idempotent.

**Will it cause downtime?**
`--fix` causes a brief WHM/cPanel interruption when it restarts `cpsrvd` (~10 seconds). `--auto` runs `/scripts/upcp --force` which can take 10โ€“30 minutes โ€” websites stay up during this, but WHM is briefly unavailable at the end.

**My cPanel version isn't in the patched list โ€” am I safe?**
If you're on a track older than 110.0.x, you're on an end-of-life version. cPanel will not ship a patch. **Treat the host as compromised** until proven otherwise and upgrade urgently.

**The script says `Killed` when it tries to do anything.**
That's `nuclear.x86` actively killing your tools. Run the kill step manually first:
```bash
pkill -9 -f nuclear.x86
```
Then re-run the script.

**Does this work on AlmaLinux / Rocky / CloudLinux / CentOS?**
Yes โ€” all standard cPanel platforms. Tested on AlmaLinux 8, Rocky 9, CloudLinux 7+.

**Will it touch my customer websites?**
No. The script does not modify anything in `/home/*/public_html`. It only touches OS-level config, cPanel sessions, firewall rules, and known-bad processes.

---

## Contributing

PRs welcome โ€” particularly for:

* Additional IOCs (new C2 IPs, new malware names) seen in the wild
* OS-specific hardening tweaks
* Translations of the report output

Please don't add anything that auto-rotates credentials or deletes user data โ€” keeping the destructive surface narrow is intentional.

---

## License

MIT. Use it, fork it, integrate it into your own tooling. Attribution appreciated but not required.

---

## Credits

Built by **[WHMCSPilot.com](https://whmcspilot.com)** โ€” `SM`.

Vulnerability research credit: cPanel security team, watchTowr Labs, Rapid7, KnownHost, and the broader hosting community who shared IOCs as the campaign unfolded.

---

## Disclaimer

This script is provided as-is, without warranty. It is a **first-response triage tool** โ€” not a substitute for a full incident-response engagement. If you handle PII, payment data, or other regulated data, consult your DPO and a qualified IR firm before declaring a compromised box clean.

If a server has been actively compromised, **the safest path is always to rebuild from a known-good backup, not to clean in place.**