CVE-2026-41940 critical cPanel/WHM auth bypass actively exploited by Mr_Rot13 to deploy Filemanager backdoor across 2,000+ IPs

Summary:

A critical authentication bypass vulnerability in cPanel and WebHost Manager, tracked as CVE-2026-41940, is currently under active mass exploitation. The flaw allows unauthenticated attackers to gain full administrative access through a CRLF injection issue affecting the cpsrvd daemon. Threat actors, including infrastructure associated with QiAnXin XLab-attributed actor Mr_Rot13, have been observed deploying malware such as the Filemanager RAT to maintain persistence, harvest credentials, and deploy web shells.

Organizations using cPanel and WHM should immediately apply the April 28, 2026, security patch via WHM or execute /usr/local/cpanel/scripts/upcp --force to remediate exposed systems.

Separately, CVE-2026-41940, also referred to as “Pack2TheRoot,” affects default installations of PackageKit across major Linux distributions, allowing local users to gain full root access through a race condition flaw reportedly present for more than 12 years. Linux server and cloud infrastructure operators across the UAE, GCC, and broader MENA region are strongly advised to prioritize immediate patching and threat-hunting activities.

Technical Description:

CVE-2026-41940 is a critical CRLF injection vulnerability affecting cPanel and WebHost Manager. The flaw exists within the cpsrvd daemon, which improperly processes and stores session data before authentication is completed. By injecting crafted CRLF characters into the session loading workflow, an unauthenticated attacker can manipulate session state and completely bypass authentication protections, gaining full WHM administrative access through a single malicious HTTP request without requiring valid credentials.

The vulnerability was initially described by the vendor only as an “issue with session loading and saving,” which reportedly caused many administrators to underestimate its severity and delay remediation efforts. Reports indicate that targeted zero-day exploitation activity began as early as February 2026, with mass exploitation accelerating after watchTowr publicly released technical analysis and proof-of-concept exploit code.

Separately, the “Pack2TheRoot” PackageKit vulnerability impacts major Linux distributions including Ubuntu, Debian, Fedora, and Red Hat-based environments. The flaw results from improper transaction flag validation, allowing local unprivileged users to manipulate PackageKit operations and install arbitrary packages with root privileges without authentication.

Because PackageKit may be installed by default or introduced indirectly through dependencies such as Cockpit, many enterprise Linux environments may be exposed even when administrators are unaware the service is active. The exploit is highly reliable, executes within seconds, and frequently leaves forensic indicators within journalctl logs due to a PackageKit daemon assertion crash followed by an automatic systemd restart.

CVE: CVE-2026-41940
CVSS: 8.8
Vulnerability Type: Auth Bypass / CRLF Injection
Affected Product: cPanel, WebHost Manager, WP Squared
Patch Version: Update to latest cPanel security release (upcp --force)

Exploitation Demonstration:

  • Authentication Bypass / CRLF Injection: Attackers send a crafted HTTP request to cPanel and WebHost Manager, allowing cpsrvd to load malicious session data before authentication and grant full administrative access without credentials.
  • Go-Based Payload Delivery: After gaining WHM access, attackers silently deploy a Go-based malware installer that retrieves the Mr_Rot13 toolkit in the background.
  • Persistence Establishment: Malware modifies the root password, implants rogue SSH keys such as cpanel-updater, and deploys web shells to maintain long-term access.
  • Credential Theft: Injected JavaScript within the WHM login page harvests usernames, passwords, session tokens, SSH keys, and database credentials before exfiltrating them to attacker-controlled infrastructure.
  • Filemanager RAT Deployment: Attackers install the cross-platform Filemanager RAT, enabling remote command execution, file management, and persistent control across Linux, Windows, and macOS systems.

Ease of Exploitation:

Pack2TheRoot (CVE-2026-41940) is a high-severity state-machine logic vulnerability affecting the PackageKit daemon and enabling rapid root privilege escalation by exploiting a discrepancy between authorization checks and execution dispatch.

Unlike traditional memory corruption or buffer overflow vulnerabilities, this flaw relies on a Time-of-Check Time-of-Use (TOCTOU) race condition within the D-Bus interface, allowing attackers to manipulate transaction flags and install malicious local packages without triggering conventional security scanners.

This class of userspace daemon abuse is particularly dangerous because it blends into normal system logs and reportedly remained undetected for more than 12 years, affecting PackageKit versions 1.0.2 through 1.3.4. As a result, a broad range of Linux distributions, including Ubuntu (18.04 through 26.04 Beta), Debian Trixie, Fedora 43, and Rocky Linux 10.1, remain vulnerable in default configurations.

Organizations should immediately apply the April 28, 2026, cPanel security update via WHM or execute:

/usr/local/cpanel/scripts/upcp --force

Additionally, administrators should consider masking or disabling unnecessary PackageKit services where operationally feasible to reduce exploitation exposure.

Conclusion:

A critical authentication bypass vulnerability affecting cPanel and WebHost Manager represents one of the most actively exploited security flaws observed during May 2026, with confirmed zero-day attacks dating back to February 2026, publicly available proof-of-concept exploit code, and malicious activity originating from more than 2,000 attacker IP addresses.

Successful exploitation enables complete server compromise, including deployment of the Filemanager RAT, SSH key implantation, credential theft, persistent web shells, and broader malware deployment activity. Organizations should immediately apply the April 28, 2026, security update and treat all unpatched systems as potentially compromised.

Separately, the PackageKit “Pack2TheRoot” vulnerability enables local attackers to obtain full root privileges across major Linux distributions within seconds. Due to its presence across more than a decade of Linux releases, organizations across the UAE, GCC, and broader MENA region should prioritize urgent patching, forensic validation, and proactive threat-hunting operations.

Impact:

Successful exploitation of CVE-2026-41940 grants attackers full unauthenticated administrative access to vulnerable cPanel and WebHost Manager systems. Observed attacks include root password modification, rogue SSH key implantation, persistent web shell deployment, credential theft, Filemanager RAT installation, and exfiltration of sensitive data, including government and military-related information.

Threat actors have leveraged compromised systems for ransomware deployment, botnet operations, and cryptocurrency mining campaigns. The vulnerability presents significant operational and strategic risk because hosting infrastructure frequently acts as a centralized management layer for multiple customer environments and dependent services.

The PackageKit “Pack2TheRoot” vulnerability enables local attackers to obtain full root privileges on vulnerable Linux systems, facilitating backdoor deployment, credential theft, lateral movement, persistence establishment, and evasion of security monitoring controls.

Organizations within the UAE and GCC handling regulated or sensitive data may also face mandatory incident reporting obligations under the UAE PDPL and NCA ECC cybersecurity frameworks following a successful compromise.

IOC and Context Details:

Tactic Name: Initial Access, Execution, Persistence, Credential Access, Exfiltration, Command and Control

Technique Name: Unauthenticated CRLF Injection in cPanel/WHM Login, Go-Based Payload Infector Download and Execution, Root Password Modification and SSH Key Implantation (cpanel-updater), Python Web Shell Deployment, JavaScript Credential Interception on Admin Login Page, ROT13-Encoded Exfiltration to Telegram and C2 Domains, Cross-Platform Filemanager RAT (Windows/macOS/Linux), bcrypt-Authenticated C2 Web Interface, Race Condition Exploitation, Malicious Package Scriptlet Execution, Rootkit or Backdoor Installation, Audit Log Tampering

Sub Technique Name: Single crafted HTTP request to cPanel login CRLF injection bypasses cpsrvd authentication, WHM admin access granted, Go infector downloaded from C2, root password modified and cpanel-updater SSH key implanted, Python web shell dropped, JavaScript injected into login page, admin credentials harvested to ROT13 C2 (wrned[.]com) and Telegram (0xWR group), Filemanager RAT deployed from wpsock[.]com, persistent multi-platform C2 established, race condition triggered, PackageKit executes package installation with root privileges, scriptlet runs as root, full root shell or SUID binary established, PackageKit daemon crashes (observable in journalctl; primary IOC)

Attack Type: Vulnerability

Targeted Applications: All cPanel and WebHost Manager (WHM) installations not patched after April 28, 2026, WP Squared, Linux-based web hosting servers (primary), Filemanager backdoor targets Windows, macOS, and Linux (cross-platform), Any Linux distribution shipping PackageKit 1.0.2 through 1.3.4

Region Impacted: Global

Industry Impacted: Web Hosting Providers, Shared Hosting Environments, VPS and Dedicated Server Operators, E-Commerce, Government, Any organisation using cPanel/WHM for web infrastructure management

IOCs: File Hashes (MD5), binaries:

22613c952459e65ce09fb6b5c1c03d47 9305b4ebbb4d39907cf36b62989a6af3 e49f68a363c867608972680799389daf bae1f1bce7c82fa86f05b12e2e254cfc 45fc93426cf08f91c9f9de5f04a12263 2286f126ab4740ccf2595ad1fa0c615c

CVE: CVE-2026-41940

Recommended Actions:

  • Patch immediately by running /usr/local/cpanel/scripts/upcp --force or updating through WHM administrative interfaces. Treat all unpatched systems as potentially compromised.
  • Check persistence mechanisms for rogue cpanel-updater SSH keys, unknown Python web shells, unexpected root password changes, and unauthorized scheduled tasks.
  • Inspect cPanel and WHM login pages for injected JavaScript associated with credential theft operations.
  • Hunt for Filemanager RAT binaries and related malware artifacts across Linux, Windows, and macOS systems connected to affected infrastructure.
  • Block communication with known attacker infrastructure, including wrned[.]com, wpsock[.]com, and unnecessary Telegram API traffic, where operationally feasible.
  • Rotate all potentially exposed credentials, including WHM accounts, root passwords, SSH keys, database credentials, and API tokens.
  • Review cPanel access logs between February and May 2026 for suspicious authentication activity, unauthorized requests, or anomalous administrative behaviour.
  • Conduct comprehensive incident response investigations covering cron jobs, modified files, new user accounts, outbound connections, and privilege escalation activity. Escalate to forensic analysis where compromise is suspected.
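The following hunting helpers are an added example, not tooling from the advisory or from cPanel; they check three indicators the advisory names (the rogue cpanel-updater SSH key, the PackageKit assertion crash and systemd restart in the journal, and injected script tags on the login page) against constructed sample artifacts. The Telegram Bot API host api.telegram.org and the local sample paths are assumptions.

```shell
#!/bin/sh
# Added hunting helpers for indicators named in this advisory: a rogue "cpanel-updater" SSH key,
# a packagekitd assertion crash followed by a systemd restart in the journal, and injected
# <script> tags on the cPanel/WHM login page. Example code, not the advisory's or cPanel's own
# tooling. Each helper takes a file path, so it runs on a live host or on a copied artifact.

# Number of authorized_keys entries carrying the "cpanel-updater" key comment.
count_rogue_keys() {
  grep -c -i 'cpanel-updater' "$1" 2>/dev/null || true
}

# Number of journal lines showing packagekitd aborting or packagekit.service being restarted.
# Live use: journalctl -u packagekit.service --no-pager > pk.log; count_packagekit_crashes pk.log
count_packagekit_crashes() {
  grep -i 'packagekit' "$1" 2>/dev/null |
    grep -c -i -E 'assert|ABRT|code=dumped|Scheduled restart' || true
}

# Number of lines with a <script> loaded from an external host, plus lines naming the C2 domains
# in the report (wrned.com, wpsock.com) or the Telegram Bot API host (api.telegram.org, an assumption).
count_suspicious_scripts() {
  ext=$(grep -c -i -E '<script[^>]*src=.https?://' "$1" 2>/dev/null || true)
  c2=$(grep -c -i -E 'wrned\.com|wpsock\.com|api\.telegram\.org' "$1" 2>/dev/null || true)
  echo $(( ${ext:-0} + ${c2:-0} ))
}

# Constructed sample artifacts (not real captures) so the helpers can be exercised offline.
write_samples() {  # $1 = directory to write into
  printf '%s\n' 'ssh-ed25519 AAAA_CONSTRUCTED_KEY admin@workstation' \
                'ssh-rsa AAAA_CONSTRUCTED_KEY cpanel-updater' > "$1/authorized_keys"
  printf '%s\n' 'May 02 09:14:03 host packagekitd[4242]: assertion failed (constructed line)' \
    'May 02 09:14:03 host systemd[1]: packagekit.service: Main process exited, code=dumped, status=6/ABRT' \
    'May 02 09:14:03 host systemd[1]: packagekit.service: Scheduled restart job, restart counter is at 1.' \
    'May 02 09:14:04 host systemd[1]: Started PackageKit Daemon.' > "$1/packagekit.log"
  printf '%s\n' '<html><head><title>WHM Login</title>' \
    '<script src="/static/login.js"></script>' \
    '<script src="https://cdn.example.invalid/collect.js"></script>' \
    '<script>var c2 = "https://wrned.com/";</script>' \
    '</head><body><form method="post"></form></body></html>' > "$1/login.html"
}

dir=$(mktemp -d)
write_samples "$dir"
echo "rogue cpanel-updater keys : $(count_rogue_keys "$dir/authorized_keys")"       # 1
echo "packagekit crash/restart  : $(count_packagekit_crashes "$dir/packagekit.log")" # 3
echo "suspicious login scripts  : $(count_suspicious_scripts "$dir/login.html")"     # 2
rm -rf "$dir"
```

On hosts that do not need PackageKit, `systemctl mask packagekit.service` implements the mitigation the advisory suggests; any non-zero count from these helpers warrants the full incident response review listed above rather than a one-off cleanup.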

Reference:

https://thehackernews.com/2026/05/cpanel-cve-2026-41940-under-active.html