Description
Exploits CVE-2026-41940, a CRLF injection in cPanel/WHM's cpsrvd daemon that allows unauthenticated remote code execution as root.
The Basic-auth handler writes the password to the raw session file without stripping newlines. Omitting the ob-part of the session cookie bypasses the encoder, so injected fields land verbatim in the raw file. A subsequent request to /scripts2/listaccts triggers Cpanel::Session::Modify to promote those fields into the authoritative session cache, granting root WHM access.
RCE uses the WHM JSON API passwd endpoint to set a temporary root password, then delivers the payload over SSH. The password is rotated after exploitation. This module does not restore the original root password.
Affects all versions after 11.40. Fixed per branch: 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.124.0.35, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, 11.136.0.5 (cPanel/WHM) and 136.1.7 (WP2).
Module options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/multi/http/cpanel_whm_auth_bypass_rcemsf undefined(cpanel_whm_auth_bypass_rce) > show actions ...actions...msf undefined(cpanel_whm_auth_bypass_rce) > set ACTION < action-name >msf undefined(cpanel_whm_auth_bypass_rce) > show options ...show and set options...msf undefined(cpanel_whm_auth_bypass_rce) > runPrioritise with Active Threat Intelligence
With curated Threat Intelligence, you can see which vulnerabilities truly put you at risk, prioritize what matters most, and act before attackers do.
Explore Intelligence Hub