The Hosting Panel That Opened the Server Room Door: CVE-2026-41940 cPanel Auth Bypass, 1.5M Targets, and Southeast Asian State Espionage
TL;DR
CVE-2026-41940 is a pre-authentication remote authentication bypass in cPanel & WHM (CVSS 9.8) that chains three independently exploitable weaknesses — a missing CRLF sanitizer on the HTTP Basic-auth path, a silent encryption skip triggered by a truncated cookie, and a two-file session model that promotes injected values to privileged keys. Result: any attacker who can reach port 2083/2087 can forge a user=root session and own the entire hosting stack without credentials. With ~1.5 million instances exposed on the public internet and public PoCs released within one day of disclosure, mass exploitation was inevitable. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog. Shadowserver counted 44,000 compromised IPs conducting downstream scanning within days of disclosure. A previously unattributed threat actor has now been caught using the bug in targeted espionage operations against Philippine and Laotian military and government networks, with lateral movement tooling (AdaptixC2, Ligolo, OpenVPN) deployed post-compromise. Emergency patch to the fixed branch versions listed below. Rotate all cPanel and WHM credentials immediately.
Background
cPanel is the de facto standard web hosting control panel for shared and managed hosting. The cPanel user interface (ports 2082/2083) handles per-account management; WHM (ports 2086/2087) is the root-level administrative panel used by the hosting provider. WP Squared is cPanel's managed WordPress product. All three are served by cpsrvd, a long-running Perl daemon that has been the core of cPanel's architecture for over two decades.
The scale is extraordinary. Shodan queries for cPanel's favicon hash return approximately 1.5 million exposed instances. These systems collectively host tens of millions of websites globally, spanning shared hosting consumers, MSPs, government agencies using outsourced infrastructure, and enterprise web properties.
Vulnerability research firm watchTowr Labs first disclosed CVE-2026-41940 in full technical detail on April 29, 2026, one day after cPanel issued an emergency security update (April 28, 2026). The vendor's own release notes described it obliquely as "an issue with session loading and saving." That understatement belies what is, in practice, a complete authentication bypass for the management plane of millions of production servers.
Evidence from managed hosting provider KnownHost and Reddit discussions suggests that zero-day exploitation may have begun as early as February 23, 2026, roughly two months before the public patch. During that window the vulnerability was exploited against production infrastructure while no fix existed and cPanel's update mechanism had nothing to ship.
Technical Analysis: Three Weaknesses, One Complete Bypass
The elegance — and danger — of CVE-2026-41940 is that it is not a single programming mistake. It is three independently reasonable implementation decisions that chain together catastrophically.
Weakness 1: The Sanitizer That Wasn't Called
cpsrvd already had a proper sanitization helper for session values. The helper strips \r, \n, and = characters before any data reaches the session file on disk. The problem: it was the caller's responsibility to invoke the helper, not a mandatory gate in the write path. The HTTP Basic-auth handler — the code path that processes credentials arriving directly in the Authorization header — did not call the sanitizer. Every other code path remembered to call it. This one did not.
This is CWE-93 (Improper Neutralization of CRLF Sequences) in textbook form: a caller-enforced sanitization model, in which every code path that writes a value is trusted to clean it first, fails the moment one caller is added or overlooked. The robust pattern is the opposite: sanitize at the sink, inside the write path, so that no caller can skip it.
Weakness 2: The Encryption Skip
When cpsrvd writes a session file, it encrypts the password-related fields using a per-session secret that is embedded in the session cookie the client presents. If that secret is absent from the client's cookie, the original code silently skipped the encryption step instead of aborting the operation.
An attacker who intentionally sends a truncated cookie — one missing the encryption secret segment — causes the session daemon to write their attacker-controlled payload to disk in plaintext, bypassing the layer of protection that would otherwise render injected values useless.
Weakness 3: The Two-File Session Promotion
cPanel sessions exist in two forms simultaneously:
- A line-oriented raw file on disk, where each line is key=value
- A JSON cache file, derived from the raw file
When the session loader reads the JSON cache, injected \r\n sequences from the attacker appear as harmless escape characters inside a single large JSON string value — the injection is invisible and inert at this stage.
The trigger is a separate code path: the "token denied" handler, which fires when authentication has been rejected. This handler re-parses the raw file and rewrites the JSON cache, promoting the injected lines into top-level JSON keys that the session loader will subsequently treat as trusted session attributes.
The attack sequence is therefore:
1. Send an HTTP request whose Authorization: Basic credentials carry the raw payload \r\nuser=root\r\nlogin_method=plain\r\npassword_already_checked=1 (Basic credentials are base64-encoded, so the CRLF bytes survive transport inside the encoding and are only unpacked by cpsrvd)
2. Send a truncated whostmgrsession cookie to trigger the encryption skip
3. Receive an initial "token denied" response (expected)
4. The "token denied" handler re-parses the raw session file, promoting injected keys to the JSON cache
5. On the next request with the same session token, the loader reads user=root and password_already_checked=1 from the JSON cache
6. Full administrative WHM access granted — no credentials, no brute force, no social engineering
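To make the chain concrete, the following is an added model of the three weaknesses and of their fixes. It is not cpsrvd code: the file layout, the function names, the XOR-and-hex "cipher" standing in for the per-session encryption, and the loader's trust check on password_already_checked are all assumptions made for illustration. It replays steps 1 through 5 above against the vulnerable store and then against a store that sanitizes at the write path and fails closed on a missing cookie secret.

```python
# Added example (not cpsrvd code): a minimal model of the three weaknesses and
# of the hardened write path. File layout, function names, the toy cipher and
# the trust-flag check are assumptions made for illustration.
import json
import re
import tempfile
from pathlib import Path
from typing import Optional

STRIP_RE = re.compile(r"[\r\n=]")


def sanitize(value: str) -> str:
    """The helper cpsrvd had: strips CR, LF and '=' so a value cannot become a new key=value line."""
    return STRIP_RE.sub("", value)


def toy_encrypt(value: str, secret: str) -> str:
    """Stand-in for the per-session encryption of password fields (XOR + hex; NOT cPanel's cipher).
    Whatever the input, the output has no CR/LF, so an encrypted injection is inert on disk."""
    key = secret.encode()
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(value.encode())).hex()


class SessionStore:
    """Two-file session model: a raw key=value file plus a JSON cache derived from it."""

    def __init__(self, root: Path, hardened: bool):
        self.root, self.hardened = root, hardened

    def _raw(self, sid: str) -> Path:
        return self.root / "raw" / sid

    def _cache(self, sid: str) -> Path:
        return self.root / "cache" / (sid + ".json")

    def write_raw(self, sid: str, fields: dict, cookie_secret: Optional[str]) -> None:
        out = {}
        for key, value in fields.items():
            if key == "pass":
                if cookie_secret:
                    value = toy_encrypt(value, cookie_secret)
                elif self.hardened:
                    # Fix for Weakness 2: a cookie missing its secret segment is an error, not a downgrade.
                    raise ValueError("session cookie has no encryption secret; refusing to write")
                # Weakness 2 (original): no secret -> silently write the password field in plaintext.
            if self.hardened:
                value = sanitize(value)  # Fix for Weakness 1: sanitize at the sink, not per caller.
            out[key] = value
        self._raw(sid).parent.mkdir(parents=True, exist_ok=True)
        self._raw(sid).write_text("".join(f"{k}={v}\n" for k, v in out.items()))

    def write_cache(self, sid: str, fields: dict) -> None:
        self._cache(sid).parent.mkdir(parents=True, exist_ok=True)
        self._cache(sid).write_text(json.dumps(fields))

    def reparse_raw(self, sid: str) -> dict:
        """Line-oriented parse: every key=value line becomes a top-level key (later lines win)."""
        fields = {}
        for line in self._raw(sid).read_text().splitlines():
            if "=" in line:
                key, value = line.split("=", 1)
                fields[key] = value
        return fields

    def token_denied(self, sid: str) -> None:
        """Weakness 3: the 'token denied' handler rebuilds the JSON cache from the raw file,
        promoting any injected lines to trusted top-level session keys."""
        self.write_cache(sid, self.reparse_raw(sid))

    def load(self, sid: str) -> dict:
        return json.loads(self._cache(sid).read_text())


def handle_basic_auth(store: SessionStore, sid: str, user: str, password: str,
                      cookie_secret: Optional[str]) -> None:
    """The Authorization: Basic path. Weakness 1: unlike the other callers, it never calls sanitize()."""
    fields = {"user": user, "pass": password, "login_method": "basic"}
    store.write_raw(sid, fields, cookie_secret)
    store.write_cache(sid, fields)  # CRLFs are still escaped inside one JSON string here: inert.


def authorize(session: dict) -> Optional[str]:
    """Loader's trust decision (assumed): a session flagged password_already_checked=1 is not re-checked."""
    if session.get("password_already_checked") == "1":
        return session.get("user")
    return None


PAYLOAD = "x\r\nuser=root\r\nlogin_method=plain\r\npassword_already_checked=1"


def run_chain(hardened: bool, cookie_secret: Optional[str]) -> dict:
    """Replays steps 1-5 against the model and reports which user the loader ends up trusting."""
    with tempfile.TemporaryDirectory() as tmp:
        store = SessionStore(Path(tmp), hardened)
        try:
            handle_basic_auth(store, "s1", "attacker", PAYLOAD, cookie_secret)  # steps 1-2
        except ValueError as exc:
            return {"written": False, "before_denied": None, "after_denied": None, "error": str(exc)}
        before = authorize(store.load("s1"))  # injection still escaped inside the JSON string
        store.token_denied("s1")              # steps 3-4: re-parse promotes the injected lines
        after = authorize(store.load("s1"))   # step 5: loader now sees user=root and the flag
        return {"written": True, "before_denied": before, "after_denied": after}


if __name__ == "__main__":
    print("vulnerable, truncated cookie:", run_chain(False, None))
    print("vulnerable, secret present  :", run_chain(False, "s3cret"))
    print("hardened,   truncated cookie:", run_chain(True, None))
    print("hardened,   secret present  :", run_chain(True, "s3cret"))
```

Two things worth noticing when you run it. With the secret present, even the unpatched model is safe, which is why the truncated cookie (step 2) is an essential part of the chain and not an optional detail. And either fix on its own closes this particular route: mandatory sanitization at the sink stops the CRLFs ever reaching disk, while failing closed on a missing secret stops the plaintext write; the real patch should do both, because each one covers the other's blind spot.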
The exploit chain was independently validated by Rapid7, Picus Security, and multiple bug bounty researchers within hours of watchTowr's disclosure. Two public PoCs are now available on GitHub: watchTowr's watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py and cPanel-WHM-AuthBypass-Session-Checker.
Active Exploitation: From Mass Scanning to State-Level Espionage
Phase 1: Mass Scanning (Days 1–4)
The Shadowserver Foundation's honeypot telemetry documented the initial explosion:
- April 30, 2026: Peak of ~44,000 IP addresses previously compromised via CVE-2026-41940 engaging in outbound scanning and credential brute-force attacks against Shadowserver's sensor network
- May 3, 2026: Activity dropped to ~3,540 unique IPs — either defender response, burnout of accessible targets, or threat actors going quiet post-initial access
Censys confirmed that multiple independent threat actors began weaponizing the vulnerability within 24 hours of public PoC release, deploying:
- Mirai botnet variants — converting compromised hosting servers into DDoS cannon nodes
- "Sorry" ransomware — encrypting site content and web databases and demanding payment, with some reports of entire hosting accounts wiped including backups
Phase 2: Targeted State-Sponsored Exploitation
Ctrl-Alt-Intel's May 2, 2026 detection of a threat actor's exposed staging server yielded exceptional visibility into a more surgical campaign running parallel to the mass scanning activity.
Targeting profile:
- Primary: .mil.ph (Philippine military) and .ph government domains
- Secondary: *.gov.la (Laotian government domains)
- Tertiary: MSPs and hosting providers in the Philippines, Laos, Canada, South Africa, and the United States
Pre-existing access:
Before pivoting to cPanel attacks, the same actor had already compromised an Indonesian defense sector training portal through a separate bespoke exploit chain: authenticated SQL injection combined with RCE via a document-management function. The attacker's script hard-coded credentials and defeated the portal's CAPTCHA by reading the expected value directly from the server-issued session cookie — indicating prior reconnaissance and credential theft against this target.
Post-exploitation tooling:
- AdaptixC2 — an open-source adversarial C2 framework (also observed in Tropic Trooper campaigns) used to maintain interactive control of compromised endpoints
- Ligolo — a tunneling tool enabling reverse proxy access for lateral movement into internal networks
- OpenVPN + systemd persistence — durable access layer surviving reboots, allowing re-entry even after surface-level remediation
Exfiltration:
Ctrl-Alt-Intel confirmed the actor exfiltrated "a substantial corpus of Chinese railway-sector documents" from internal networks reached via the compromised hosting infrastructure, a data type consistent with industrial and defense intelligence collection rather than with ransomware or other financially motivated crime.
The threat actor's identity has not been publicly attributed. The targeting pattern, data interests, and tooling are consistent with multiple state-aligned APT clusters operating in Southeast Asia, but no definitive attribution has been published as of this writing.
Indicators of Compromise (IOCs)
| Type | Value | Source |
|------|-------|--------|
| IP | 95.111.250[.]175 | Ctrl-Alt-Intel (attacker staging) |
| Tool | AdaptixC2 C2 framework | Post-exploitation |
| Tool | Ligolo tunnel (pivot) | Post-exploitation |
| Tool | OpenVPN + systemd service | Persistence |
| PoC | github.com/watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py | Public |
| PoC | github.com/debugactiveprocess/cPanel-WHM-AuthBypass-Session-Checker | Public |
| Session file artefact | Lines containing user=root, login_method=plain, or password_already_checked=1 in raw cPanel session files under /var/cpanel/sessions/ | Host |
| Network | Anomalous outbound traffic on ports 1194 (OpenVPN), 11601 (Ligolo default) | Network |
Check cPanel session files for injection artefacts. A genuine root WHM login also writes user=root, so match on the promoted flags rather than on the username alone:
grep -rlE "login_method=plain|password_already_checked=1" /var/cpanel/sessions/ 2>/dev/null
Review WHM access logs for the exploit's signature: a denied (401/403) request followed within seconds by successful root requests from the same source IP, which is exactly the "token denied, then trusted" sequence described above. Start with the status codes and root entries and correlate by source address and timestamp:
grep -i "403\|401\|root" /usr/local/cpanel/logs/access_log | grep -v "authenticated"
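The two greps above produce leads, not verdicts. The following added triage helper (not cPanel's own detection script) applies the session-file artefacts from the IOC table and the denied-then-root log sequence in one pass, with the false-positive handling a practitioner needs: user=root on its own is deliberately not a finding. The session-file layout follows this article's description (one key=value per line; the key names other than the IOC artefacts, such as login_method=form, are invented for the sample). The access-log regex assumes an Apache-combined-like line (ip - user [timestamp] "request" status ...); verify it against your build's /usr/local/cpanel/logs/access_log before relying on it. The sample session files and log lines are constructed, not real data.

```python
# Added triage helper, not cPanel's detection script. Session layout follows the
# article (key=value per line); the access-log format is an assumption (Apache-
# combined-like). Sample data below is constructed for offline testing.
import re
import sys
from datetime import datetime, timedelta
from pathlib import Path
from typing import Dict, List, Tuple

PROMOTED_FLAGS = {"login_method": "plain", "password_already_checked": "1"}
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def session_findings(text: str) -> List[str]:
    """Reasons a raw session file looks injected; an empty list means nothing suspicious."""
    lines = text.splitlines()
    reasons = []
    # A bare CR means a value reached disk without the sanitizer (which strips \r and \n).
    if "\r" in text:
        reasons.append("raw CR present: unsanitized value written to disk")
    # One file naming two identities is what a promoted injection looks like.
    if sum(line.startswith("user=") for line in lines) > 1:
        reasons.append("duplicate user= line")
    # Trust flags promoted from the exploit payload. user=root alone is normal for a
    # genuine WHM root login and is deliberately NOT a finding.
    for key, value in PROMOTED_FLAGS.items():
        if f"{key}={value}" in lines:
            reasons.append(f"{key}={value} line present")
    return reasons


def denied_then_root(log_lines, window: timedelta = timedelta(seconds=60)) -> List[Tuple[str, str]]:
    """Step 3 of the exploit is an expected denial; step 5 is a root request on the same session.
    Flag source IPs whose 401/403 is followed within `window` by a 2xx logged as root.
    A fat-fingered admin login matches too, so read each hit in full before acting."""
    last_denied: Dict[str, datetime] = {}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        status = int(m["status"])
        if status in (401, 403):
            last_denied[m["ip"]] = ts
        elif 200 <= status < 300 and m["user"] == "root":
            first = last_denied.get(m["ip"])
            if first is not None and timedelta(0) <= ts - first <= window:
                hits.append((m["ip"], m["req"]))
    return hits


def scan(sessions_dir: Path, access_log: Path) -> Dict[str, object]:
    """Run both checks on a live host; read bytes so embedded CRs are not normalised away."""
    flagged = {}
    for path in sessions_dir.rglob("*"):
        if path.is_file():
            reasons = session_findings(path.read_bytes().decode("utf-8", "replace"))
            if reasons:
                flagged[str(path)] = reasons
    with access_log.open(errors="replace") as fh:
        sequences = denied_then_root(fh)
    return {"sessions": flagged, "log_sequences": sequences}


# Constructed samples (not real data) so the checks can be exercised offline.
SAMPLE_INJECTED = (
    "user=attacker\npass=x\r\nuser=root\r\nlogin_method=plain\r\n"
    "password_already_checked=1\nlogin_method=basic\n"
)
SAMPLE_LEGIT_ROOT = "user=root\nlogin_method=form\nsession_ip=203.0.113.9\n"
SAMPLE_LOG = """\
203.0.113.5 - - [30/Apr/2026:10:00:01 +0000] "POST /login/ HTTP/1.1" 403 0 "-" "python-requests/2.31"
203.0.113.5 - root [30/Apr/2026:10:00:03 +0000] "GET /scripts/command?PFILE=main HTTP/1.1" 200 5123 "-" "python-requests/2.31"
198.51.100.7 - root [30/Apr/2026:10:05:00 +0000] "GET /scripts/command?PFILE=main HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(scan(Path(sys.argv[1]), Path(sys.argv[2])))  # e.g. /var/cpanel/sessions /usr/local/cpanel/logs/access_log
    else:
        print(session_findings(SAMPLE_INJECTED), session_findings(SAMPLE_LEGIT_ROOT))
        print(denied_then_root(SAMPLE_LOG.splitlines()))
```

Run it without arguments to see the sample results, or with the sessions directory and access log as arguments to scan a host. The bytes read in scan() matters: Python's text mode normalises \r\n to \n on read, which would silently erase the strongest single artefact (a bare CR inside a session file).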
Lyrie Take
CVE-2026-41940 is a canonical example of infrastructure trust assumption failure — a class of vulnerability that disproportionately impacts the security ecosystem because every server running compromised hosting software is, by definition, hosting other people's applications and data.
The "three weaknesses line up end-to-end" bug pattern is a significant signal: this is not a code defect from a single careless engineer. It is a systemic design failure in how session integrity was modeled across the lifetime of a large, evolving Perl codebase. The sanitizer was decentralized (caller responsibility rather than enforced at write time), the encryption was designed to silently downgrade rather than fail safely, and the two-file session model introduced an implicit trust boundary that was never formally documented as a security perimeter.
The two-month zero-day exploitation window is alarming and consistent with what Lyrie research observes increasingly in high-value infrastructure CVEs: disclosure timelines that trail actual exploitation by weeks to months, enabling pre-patch access to be established against targets that will still be running unpatched software when the CVE goes public.
The Southeast Asia targeting profile aligns with escalating operational patterns in the South China Sea geopolitical corridor: Philippine and Laotian military networks, combined with MSP targeting that enables horizontal access to hundreds of downstream customers through a single hosting provider compromise. The extraction of Chinese railway-sector documents via Indo-Pacific defense portal pivots suggests a capable actor consolidating multi-vector access across the same geopolitical theater.
For web hosting companies, MSPs, and any organization running self-managed cPanel infrastructure: this is the vulnerability that validates every "emergency patch" conversation you've ever had. The combination of 1.5 million exposed instances, CVSS 9.8, public PoC within 24 hours, and confirmed CISA KEV status is as loud as critical vulnerability alarms get.
Defender Playbook
Immediate Actions (Do These Now)
1. Identify vulnerable instances
# Check your cPanel version
cat /usr/local/cpanel/version
# Or via WHM: Home → Server Information → cPanel Build Number
2. Patch to a fixed version — highest priority, emergency SLA
| Branch | Patched Version |
|--------|----------------|
| 11.110.0.x | 11.110.0.97 |
| 11.118.0.x | 11.118.0.63 |
| 11.126.0.x | 11.126.0.54 |
| 11.132.0.x | 11.132.0.29 |
| 11.134.0.x | 11.134.0.20 |
| 11.136.0.x | 11.136.0.5 |
| WP Squared | 11.136.1.7 |
/scripts/upcp --force # Force immediate update
/scripts/restartsrv_cpsrvd # Required restart after patch
3. Triage session files for injection artefacts
Compromised sessions may be present even on patched systems if the attack occurred pre-patch:
grep -rl "user=root\|password_already_checked\|login_method=plain" /var/cpanel/sessions/
4. Rotate all administrative credentials
- WHM root password
- All reseller passwords
- All cPanel account passwords (especially for government, MSP, or high-value accounts)
- SSH keys accessible via compromised panel
5. Firewall ports 2086/2087 (and 2083 where customers do not need remote cPanel access) to trusted IPs
WHM (port 2087) in particular should never be reachable from the public internet unless explicitly required. Mind the rule order: iptables -I inserts at the top of the chain, so the DROP has to go in first and the ACCEPT second; inserting them the other way round puts the DROP above the ACCEPT and locks out the admin IP as well. WHM's Host Access Control can apply the same allow-list at the cpsrvd level.
# Example: restrict WHM to admin IP only (insert DROP first, then the ACCEPT above it)
iptables -I INPUT -p tcp --dport 2087 -j DROP
iptables -I INPUT -p tcp --dport 2087 -s YOUR.ADMIN.IP -j ACCEPT
6. Scan with the cPanel detection script
cPanel has released an updated detection script to identify compromised hosts:
https://support.cpanel.net/hc/en-us/articles/40073787579671
7. Enable Two-Factor Authentication on all WHM/cPanel logins
2FA would not have stopped CVE-2026-41940 itself, because the forged session never passes through the login flow where the second factor is checked, but it does blunt the follow-on risk: credentials harvested or reset through a compromised panel are far less useful to an attacker once every WHM and cPanel login requires a second factor.
Ongoing Detection
- Monitor for anomalous systemd service creation — persistent OpenVPN-based backdoors create new systemd units
- Alert on Ligolo process execution (check for ligolo-ng or agent binaries in /tmp, /dev/shm, or unusual paths)
- Network monitor for AdaptixC2 beacon signatures — default C2 uses HTTPS on non-standard ports; watch for periodic outbound connections to newly-registered domains
- Log shipping from cPanel access and error logs to SIEM with alerting on unauthenticated root session tokens
Sources
1. watchTowr Labs — "The Internet Is Falling Down: CVE-2026-41940 Technical Analysis" — labs.watchtowr.com
2. Rapid7 ETR — CVE-2026-41940 cPanel & WHM Authentication Bypass — rapid7.com
3. Picus Security — "CVE-2026-41940 Explained: The 1.5M Server Auth Bypass" — picussecurity.com
4. The Hacker News — "Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks" — thehackernews.com
5. Security Affairs — "Hackers target governments and MSPs via critical cPanel flaw" — securityaffairs.com
6. Ctrl-Alt-Intel — SEA cPanel Campaign Research — ctrlaltintel.com
7. Shadowserver Foundation — Honeypot telemetry dashboard, May 2026
8. CISA KEV Catalog — CVE-2026-41940 entry — cisa.gov
9. cPanel Security Advisory — April 28, 2026 — support.cpanel.net
10. Censys Blog — "The cPanel Situation Is..." — censys.com
Lyrie.ai Cyber Research Division — Senior Analyst Desk
Lyrie Verdict
Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.