LoFP

Authorized vulnerability scanners (Nessus, Tenable, Qualys, etc.) running CVE-2026-41940 plugins will reproduce the exploit shape. Validate against scan windows and source IPs of approved scanners before escalating.

Techniques

Sample rules

Potential cPanel WHM CRLF Authentication Bypass (CVE-2026-41940)

Description

Identifies the network signature of CVE-2026-41940, a pre-authentication, root-level authentication bypass in cPanel and WebHost Manager (WHM) caused by CRLF injection in the session writer. The exploit-inherent shape on the wire is a GET / request to a cPanel/WHM service port (typically TCP/2087, 2086, 2083, 2082, 2095, 2096) carrying an Authorization: Basic header whose base64-decoded value contains CRLF-injected session fields; cpsrvd answers with a 3xx redirect whose Location header carries a /cpsessNNNNNNNNNN path, handing the attacker a privileged session. This is the network-layer equivalent of the cPanel access_log artifact that Unfold and watchTowr identified as the first bulletproof detection for this CVE: a GET / recorded with auth_method=b (HTTP Basic). A browser-driven visit to GET / on a WHM port returns 200 with the login screen and carries no HTTP Basic credentials, so the Basic-plus-redirect combination is not produced by interactive use. The rule matches on that shape, not on the decoded CRLF payload (the query does not base64-decode the Authorization value), so any client that authenticates to / with HTTP Basic and is redirected to a session path will fire it; confirm a hit by decoding the header and checking for CR/LF, and baseline scripted clients and approved scanners as noted under LoFP.

Detection logic

(data_stream.dataset:network_traffic.http OR (event.category:network_traffic AND network.protocol:http)) AND
http.request.method:GET AND
url.path:"/" AND
destination.port:(2087 OR 2086 OR 2083 OR 2082 OR 2095 OR 2096) AND
http.response.status_code >= 300 AND http.response.status_code < 400 AND
http.request.headers.authorization:Basic* AND
http.response.headers.location:/cpsess*
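To show the rule in action against the kind of records a network sensor emits, here is an added example in Python; it is not code from this page, from Elastic, or from cPanel. It replays the KQL clauses above over a handful of constructed request/response pairs, suppresses hits from an approved-scanner range as the LoFP note suggests, and adds the one check the query itself cannot make: base64-decoding the Authorization value to see whether it carries CR/LF. The HttpTxn record layout, the approved-scanner range, the sample addresses and the injected-field string are assumptions; the CRLF string is a placeholder stand-in, not the real CVE-2026-41940 payload.

```python
import base64
import binascii
import ipaddress
from dataclasses import dataclass, field

# Service ports listed in the rule: WHM (2086/2087), cPanel (2082/2083), Webmail (2095/2096).
CPANEL_PORTS = {2082, 2083, 2086, 2087, 2095, 2096}


@dataclass
class HttpTxn:
    """One request/response pair as a sensor would record it (assumed layout, header names lowercased)."""
    src_ip: str
    dst_port: int
    method: str
    path: str
    status: int
    request_headers: dict = field(default_factory=dict)
    response_headers: dict = field(default_factory=dict)


def decode_basic(value):
    """Return the decoded bytes of an 'Authorization: Basic <b64>' value, or None if not Basic/undecodable."""
    scheme, _, b64 = value.partition(" ")
    if scheme.lower() != "basic" or not b64.strip():
        return None
    try:
        return base64.b64decode(b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None


def matches_rule(txn):
    """The rule's wire-shape clauses, one condition per KQL clause (the data_stream/event filter is omitted)."""
    auth = txn.request_headers.get("authorization", "")
    location = txn.response_headers.get("location", "")
    return (
        txn.method == "GET"
        and txn.path == "/"
        and txn.dst_port in CPANEL_PORTS
        and 300 <= txn.status < 400
        and auth.lower().startswith("basic")
        and location.startswith("/cpsess")
    )


def has_crlf_payload(txn):
    """Enrichment the query cannot do: decode the Basic value and look for the CR/LF the bypass relies on."""
    decoded = decode_basic(txn.request_headers.get("authorization", ""))
    return decoded is not None and (b"\r" in decoded or b"\n" in decoded)


def evaluate(txns, approved_scanners=()):
    """Apply the rule, then triage each hit as authorized-scanner, crlf-payload, or shape-only."""
    nets = [ipaddress.ip_network(n) for n in approved_scanners]
    hits = []
    for t in txns:
        if not matches_rule(t):
            continue
        src = ipaddress.ip_address(t.src_ip)
        if any(src in n for n in nets):
            verdict = "authorized-scanner"   # LoFP: approved scanner source, suppress
        elif has_crlf_payload(t):
            verdict = "crlf-payload"         # decoded header carries CR/LF: escalate
        else:
            verdict = "shape-only"           # Basic auth to / with a session redirect, no CRLF: baseline
        hits.append((t.src_ip, verdict))
    return hits


def _basic(raw):
    """Build an Authorization header value from raw credential bytes."""
    return "Basic " + base64.b64encode(raw).decode()


# Constructed sample traffic (assumed addresses). The CR/LF string is a placeholder for the
# injected session fields, not the real CVE-2026-41940 payload.
APPROVED_SCANNERS = ["192.0.2.0/24"]
SAMPLE_TXNS = [
    HttpTxn("203.0.113.7", 2087, "GET", "/", 302,
            {"authorization": _basic(b"root:x\r\ninjected-field=1\r\n")},
            {"location": "/cpsess1234567890/"}),
    HttpTxn("198.51.100.9", 2087, "GET", "/", 200, {}, {"content-type": "text/html"}),
    HttpTxn("192.0.2.10", 2087, "GET", "/", 302,
            {"authorization": _basic(b"root:x\r\ninjected-field=1\r\n")},
            {"location": "/cpsess2222222222/"}),
    HttpTxn("198.51.100.4", 2083, "GET", "/", 301,
            {"authorization": _basic(b"admin:secret")},
            {"location": "/cpsess0987654321/"}),
    HttpTxn("203.0.113.8", 2087, "POST", "/login/", 302, {}, {"location": "/cpsess3333333333/"}),
]

if __name__ == "__main__":
    for src, verdict in evaluate(SAMPLE_TXNS, APPROVED_SCANNERS):
        print(f"{src}: {verdict}")
```

The shape-only verdict is the false-positive class worth baselining: a scripted client that sends HTTP Basic credentials to / and is redirected to a session path matches the query exactly as the exploit does, and only the decoded header separates the two.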