Potential cPanel WHM CRLF Authentication Bypass (CVE-2026-41940)

  1[metadata]
  2creation_date = "2026/05/07"
  3integration = ["network_traffic", "zeek"]
  4maturity = "production"
  5updated_date = "2026/05/28"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies the network signature of CVE-2026-41940, a pre-auth root-level authentication bypass in cPanel and WebHost
 11Manager (WHM) caused by a CRLF injection in the session writer. The exploit-inherent shape on the wire is a `GET /`
 12request to a cPanel/WHM admin port (typically TCP/2087, 2086, 2083, 2082, 2095, 2096) carrying an
 13`Authorization: Basic` header whose base64-decoded value contains CRLF-injected session fields, which causes cpsrvd
 14to respond with a 3xx redirect whose `Location` header leaks a `/cpsessNNNNNNNNNN` token granting the attacker a
 15privileged session. This is the network-layer equivalent of the cPanel `access_log` artifact identified by Unfold and
 16watchTowr as the first bulletproof detection for this CVE: a `GET /` recorded with `auth_method=b` (HTTP Basic).
 17Legitimate access to `GET /` on a WHM admin port returns 200 with the login screen and never includes HTTP Basic
 18credentials, so this combination is not produced by normal use.
 19"""
 20false_positives = [
 21    """
 22    Authorized vulnerability scanners (Nessus, Tenable, Qualys, etc.) running CVE-2026-41940 plugins will reproduce the
 23    exploit shape. Validate against scan windows and source IPs of approved scanners before escalating.
 24    """,
 25]
 26from = "now-9m"
 27index = ["packetbeat-*", "logs-network_traffic.http*", "logs-zeek.http*"]
 28language = "lucene"
 29license = "Elastic License v2"
 30name = "Potential cPanel WHM CRLF Authentication Bypass (CVE-2026-41940)"
 31note = """## Triage and analysis
 32
 33> **Disclaimer**:
 34> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 35
 36### Investigating Potential cPanel WHM CRLF Authentication Bypass (CVE-2026-41940)
 37
 38CVE-2026-41940 is a critical (CVSS 9.8) authentication bypass in cPanel & WHM that gives an unauthenticated attacker
 39a root-privileged session on the host. The exploit chains a CRLF injection in the session writer with an
 40encryption-skip triggered by a malformed cookie, then uses how cPanel caches sessions to promote the injected data
 41into a privileged login. Around 1.5M cPanel instances were exposed at disclosure and exploitation has been observed in
 42the wild since 2026-02-23, two months before the patch.
 43
 44This rule fires on the Stage 2 request/response shape: a `GET /` to a cPanel admin port that carries an
 45`Authorization: Basic` header and receives a 3xx redirect whose `Location` points at a freshly minted
 46`/cpsessNNNNNNNNNN` path. Per the watchTowr and Unfold writeups, this is the only request shape that lets the
 47exploit retrieve the security token needed for Stage 4 (privileged use of the session).
 48
 49### Detection logic
 50
 51The rule requires all of the following on a single decoded HTTP transaction matched from
 52`data_stream.dataset:network_traffic.http` (or `event.category:network_traffic` with `network.protocol:http`):
 53
 54- `http.request.method:GET` and `url.path:"/"` — request targets the root path exactly. The CRLF vulnerability is only
 55  reachable on `GET /`; the same payload on other paths does not return the redirect that leaks the token, so the
 56  match is intentionally exact (a request like `GET /index.html` will not fire).
 57- `destination.port:(2087 OR 2086 OR 2083 OR 2082 OR 2095 OR 2096)` — cPanel/WHM admin and webmail ports. These are
 58  not in the default Network Packet Capture HTTP port list and must be added explicitly (see Setup).
 59- `http.response.status_code:[300 TO 399]` — a redirect response. Normal `GET /` to WHM returns 200 with the login
 60  screen; only the exploit produces a 3xx here.
 61- `http.request.headers.authorization:Basic*` — HTTP Basic credentials sent on `GET /`. This is the network-layer
 62  equivalent of the `auth_method=b` flag the Unfold and watchTowr writeups identify as the first bulletproof artifact
 63  in cPanel's `access_log`. `GET /` is an unauthenticated endpoint in normal cPanel operation and never legitimately
 64  carries Basic auth.
 65- `http.response.headers.location:/cpsess*` — the response redirects to a `/cpsess`-prefixed path, leaking the CSRF
 66  token the attacker needs for Stage 4. This is what makes the exploit succeed and is not produced by any benign flow.
 67
 68### Possible investigation steps
 69
 70- Capture the alert evidence. Record `source.ip` (attacker), `destination.ip` (cPanel host), `destination.port`,
 71  `user_agent.original`, `http.response.status_code`, the exact `http.response.headers.location` value (which contains
 72  the leaked `cpsess` token), and the captured `http.request.headers.authorization` value.
 73- Decode the Authorization header to confirm the CRLF payload. Strip the leading `Basic ` from
 74  `http.request.headers.authorization` and base64-decode the remainder. A legitimate Basic credential decodes to
 75  `username:password`; the exploit's payload decodes to a multi-line block delimited by `\\r\\n` containing fields like
 76  `successful_internal_auth_with_timestamp=`, `tfa_verified=1`, and `hasroot=1`. CRLF bytes in the decoded value
 77  distinguish exploitation from a misconfigured Basic-auth client.
 78- Confirm the destination host runs cPanel/WHM. Identify the installed version and whether the 2026-04-28 emergency
 79  patch is applied.
 80- Pivot on the source IP across the host's `/usr/local/cpanel/logs/access_log`. The exploit-inherent log artifact is a
 81  request line of the form `"GET / HTTP/1.1" 3xx 0 "-" "<UA>" "b" "-" <port>` — `auth_method=b` on `GET /` should never
 82  occur in normal operation and corresponds 1:1 to the `http.request.headers.authorization:Basic*` clause in this rule.
 83- Look for the Stage 4 follow-on from the same source IP: a request to the leaked `cpsess` path
 84  (`/cpsessNNNNNNNNNN/...`) with `auth_method=s` (session) and HTTP 200, without a preceding successful login
 85  (form POST `/login`, `/openid_connect/`, or reseller `?session=`). This is the post-exploitation artifact.
 86- Identify whether privileged WHM API actions were invoked under the leaked `cpsess` token (account creation, package
 87  install, file manager writes, terminal API).
 88- Review egress from the host for outbound connections initiated after the alert that could indicate web shell or
 89  implant install.
 90
 91### False positive analysis
 92
 93- Legitimate WHM administration never produces `GET /` with HTTP Basic authentication and a 3xx redirect leaking a
 94  fresh `cpsess` token. This combination is exploit-inherent.
 95- Authorized vulnerability scans running CVE-2026-41940 plugins will reproduce the request shape.
 96
 97### Response and remediation
 98
 99- Apply the cPanel emergency patch released 2026-04-28 (or the WP Squared equivalent). Verify by checking the
100  installed cPanel version against the advisory.
101- If the alert is paired with an `auth_method=s` `cpsess` request (post-exploitation), assume host compromise:
102  rotate root credentials, audit `/var/cpanel/sessions/`, look for newly created accounts, scheduled tasks, SSH keys,
103  and `authorized_keys` modifications.
104- Restrict access to cPanel admin ports (2087/2086/2083/2082/2095/2096) to known administrator source IPs at the
105  perimeter or via host firewall.
106- Block the source IP at the WAF or perimeter if exploitation is confirmed.
107"""
108references = [
109    "https://www.unfold.ai/blog/cpanel-exploit-cve-2026-41940",
110    "https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/",
111    "https://www.picussecurity.com/resource/blog/cve-2026-41940-explained-cpanel-whm-authentication-bypass-hit-1-5m-servers",
112    "https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026",
113    "https://nvd.nist.gov/vuln/detail/CVE-2026-41940",
114    "https://docs.cpanel.net/knowledge-base/cpanel-product/the-cpanel-log-files",
115    "https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-http-options.html#_send_all_headers",
116]
117risk_score = 73
118rule_id = "2449be9d-2fdf-4126-a85b-f05e4058df9f"
119setup = """## Setup
120
121This rule supports two data sources:
122
1231. **Network Packet Capture / Packetbeat (preferred):** Requires the Network Packet Capture integration (or legacy
124   Packetbeat) with cPanel admin ports added to the HTTP protocol configuration and `send_all_headers` enabled, so that
125   `http.request.headers.authorization` and `http.response.headers.location` are populated. cPanel admin ports
126   (2087/2086/2083/2082/2095/2096) are not in the default HTTP port list and must be added explicitly.
1272. **Zeek HTTP logs (`zeek.http`):** Zeek records only the names of HTTP request and response headers in
128   `zeek.http.client_header_names` and `zeek.http.server_header_names`, not their values. The Zeek branch of this rule
129   therefore matches on the presence of `AUTHORIZATION` and `LOCATION` headers on a `GET /` to a cPanel admin port,
130   which is a less precise but still exploit-shaped signal. Confirm exploitation by retrieving the raw header values
131   from the upstream Zeek sensor or correlated packet capture.
132
133   The Zeek branch has non-default sensor prerequisites that must be met or it will never match:
134   - **Header-name logging is not enabled by default.** `client_header_names` and `server_header_names` are produced by
135     the policy script `policy/protocols/http/header-names.zeek`, which is not loaded by `base/protocols/http` or the
136     default `site/local.zeek`. Add `@load policy/protocols/http/header-names.zeek` to the Zeek configuration. Without
137     it, neither field is emitted and the Zeek branch cannot fire.
138   - **Server header-name logging defaults to off.** Even with the script loaded, `HTTP::log_server_header_names`
139     defaults to `F`, so the `server_header_names:LOCATION` condition is unsatisfiable. Set
140     `redef HTTP::log_server_header_names = T;` (client header-name logging is on by default).
141   - **Non-standard ports are handled by DPD, not a port list.** Zeek ships port-independent HTTP DPD signatures
142     (`base/protocols/http/dpd.sig`) that detect HTTP by payload regardless of port, so plaintext `GET /` on cPanel
143     admin ports (2086/2082/2095) is parsed into `zeek.http` without registering those ports. The TLS ports
144     (2087/2083/2096) are encrypted and yield `zeek.ssl`, not `zeek.http`, unless the sensor sits upstream of TLS
145     termination (see decryption note below).
146
147cPanel/WHM exposes paired TLS and plaintext ports: 2087 (WHM HTTPS), 2083 (cPanel HTTPS), and 2096 (Webmail HTTPS)
148require decryption visibility (TLS interception, sidecar on the host, or a sensor upstream of TLS termination) for
149either data source to observe HTTP headers. The plaintext counterparts — 2086 (WHM HTTP), 2082 (cPanel HTTP), and 2095
150(Webmail HTTP) — carry headers in the clear and are observable without decryption. An attacker can exploit the
151vulnerability over either variant, so both sets of ports are included in this rule.
152"""
153severity = "high"
154tags = [
155    "Domain: Network",
156    "Domain: Application",
157    "Domain: Web",
158    "Use Case: Threat Detection",
159    "Use Case: Vulnerability",
160    "Tactic: Initial Access",
161    "Data Source: Network Packet Capture",
162    "Data Source: Network Traffic",
163    "Data Source: Zeek",
164    "Resources: Investigation Guide",
165]
166timestamp_override = "event.ingested"
167type = "query"
168
169query = '''
170(
171  (
172    (data_stream.dataset:network_traffic.http OR (event.category:network_traffic AND network.protocol:http)) AND
173    http.response.status_code:[300 TO 399] AND
174    http.request.headers.authorization:Basic* AND
175    http.response.headers.location:\/cpsess*
176  )
177  OR
178  (
179    data_stream.dataset:zeek.http AND
180    zeek.http.client_header_names:AUTHORIZATION AND
181    zeek.http.server_header_names:LOCATION
182  )
183) AND
184http.request.method:GET AND
185url.path:"/" AND
186destination.port:(2087 OR 2086 OR 2083 OR 2082 OR 2095 OR 2096)
187'''
188
189
190[[rule.threat]]
191framework = "MITRE ATT&CK"
192
193[[rule.threat.technique]]
194id = "T1190"
195name = "Exploit Public-Facing Application"
196reference = "https://attack.mitre.org/techniques/T1190/"
197
198[rule.threat.tactic]
199id = "TA0001"
200name = "Initial Access"
201reference = "https://attack.mitre.org/tactics/TA0001/"