A newly disclosed proof-of-concept exploit, named ‘cPanelSniper’, has revealed a severe vulnerability in cPanel & WHM, identified as CVE-2026-41940. This critical flaw, affecting over 44,000 servers globally, has been actively exploited since late February 2026.
The vulnerability, with a CVSS score of 9.8, originates from a flaw in cPanel’s Session.pm module, which mismanages HTTP Authorization headers during login. This issue allows attackers to inject harmful data directly into session files, enabling unauthorized root access without valid credentials.
Understanding the cPanelSniper Exploit
The exploit tool, cPanelSniper, was publicly released on GitHub by security researcher Mitsec. It automates exploitation as a four-step attack chain that begins by creating a pre-authenticated session, continues with injecting malicious payloads, and ends with full root access to WHM.
Running on Python 3.8+, cPanelSniper requires no external dependencies and supports various post-exploitation actions, such as command execution and administrative account creation. It integrates with tools like Subfinder and Shodan for enhanced targeting capabilities.
Impact and Response
By April 30, 2026, the Shadowserver Foundation had detected significant scanning and exploitation activity, with 44,000 IP addresses involved. The attacks have led to severe outcomes, including ransomware deployment and website defacements. Around 1.5 million instances remain potentially vulnerable, according to Shodan data.
In response, cPanel released emergency patches across all active branches on April 28, 2026. Administrators are urged to update systems immediately and implement firewall protections to block traffic on vulnerable ports.
Mitigation Strategies and Future Outlook
To mitigate risks, security teams should audit session directories for any suspicious files and rotate all administrative credentials. Blocking inbound traffic on critical cPanel ports and ensuring systems are patched can significantly reduce exposure.
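One way to start the session-directory audit described above, as an added example that is not code from cPanel or from the original article: it walks a directory given on the command line and flags files whose contents look structurally wrong. It assumes session files are line-oriented key=value text; the session directory path, the key names and the sample data are placeholders or constructed values.

```python
import os
import sys
from collections import Counter

# Constructed samples; the key names are illustrative, not cPanel's real fields.
SAMPLE_CLEAN = b"user=alice\ncreated=1777000000\n"
SAMPLE_ODD = b"user=alice\ncreated=1777000000\nuser=bob\nstray text\n"


def audit_session_bytes(data):
    """Return the reasons a session file's contents deserve manual review."""
    reasons = []
    keys = Counter()
    for raw in data.split(b"\n"):
        if not raw:
            continue
        # Assumption: one key=value record per line.
        key, sep, _value = raw.partition(b"=")
        name = key.decode("latin-1")
        if not sep:
            reasons.append("line without key=value structure")
            continue
        keys[name] += 1
        # CR, NUL and other control bytes do not belong in a text record.
        if any(b < 0x20 and b != 0x09 for b in raw):
            reasons.append(f"control byte in record {name!r}")
    reasons += [f"key {k!r} appears {n} times" for k, n in keys.items() if n > 1]
    return reasons


def audit_directory(session_dir):
    """Walk session_dir and map each flagged file path to its reasons."""
    findings = {}
    for root, _dirs, files in os.walk(session_dir):
        for fname in sorted(files):
            path = os.path.join(root, fname)
            with open(path, "rb") as fh:
                reasons = audit_session_bytes(fh.read())
            if reasons:
                findings[path] = reasons
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit a real directory passed as the first argument
        for path, reasons in audit_directory(sys.argv[1]).items():
            print(path, "; ".join(reasons), sep="\t")
    else:  # no argument: run on the constructed samples
        print("clean:", audit_session_bytes(SAMPLE_CLEAN))
        print("odd:", audit_session_bytes(SAMPLE_ODD))
```

A flagged file is a prompt for manual review, not proof of compromise, and an empty result does not replace patching and credential rotation.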
This vulnerability has also been added to CISA’s Known Exploited Vulnerabilities catalog, highlighting its critical nature. Organizations are advised to stay updated with the latest security practices to protect against such threats.
