Threat Intel

cPanel Vulnerability Exploited ITW

Mass iternet exploitation events are never fun, this week we have CVE-2026-41940 being exploited! Luckily we have the awesome and cool honeypots at Defused to help us investigate threat actor activity! So let’s take a look! (there’s a good writeup here from Watchtowr.

Kill Chain

We have used ‘AI’ (Claude) to create a timeline based on packets from Defused honeypots:

What did Claude say?

I exported the logs from the Defused honeypot TI feed focused on a single IP then imported that include a chat with Claude:

Here’s the breakdown of what the data shows:

Attack summary — CVE-2026-41940 against a cPanel honeypot

The attacker at 80.87.206.131 ran a structured, two-wave exploitation chain over approximately 22 minutes. The CVE pattern maps to a known cPanel authentication bypass class: forge a session via the preauth endpoint, propagate it through a cache gadget, then leverage the resulting authenticated context to make privileged JSON-API calls.

Wave 1 (06:36–06:37) was a minimal two-step probe — session mint followed immediately by a single cache propagation attempt. This is consistent with tooling running an initial reachability check before committing to full exploitation.

Wave 2 (06:57–06:58) is the main effort. The attacker repeated the session mint, fired the cache gadget twice (likely confirming propagation), and within 9 seconds of the second gadget request had transitioned to authenticated API calls — specifically authorizesshkey (SSH key injection) and listaccts (account enumeration). The two events timestamped 06:58:28suggest either a scripted burst or the tooling executing the auth’d phase in parallel.

Key indicators for hunting:

  • POST /login/?login_only=1 as the session mint vector
  • GET /scripts2/listaccts as the cache gadget trigger
  • Rapid pivot to /json-api/ endpoints within seconds of gadget confirmation
  • 20-minute gap between waves is characteristic of automated tooling with a callback/retry loop

Worth checking whether 80.87.206.131 appears in any other decoy logs — the structured cadence strongly suggests an automated exploit kit rather than manual operation.

We can see here, the exploit here is very simple, POST then a GET followed by API access!

Not only do we now have data to write detections from, we can also look at creating a PoC for penetration testing and vulnerability assessment purposes! A double win! This really goes to show how valuable honeypots can be from a broad TI perspective as well as supporting defence and offence!

A double edged sword (or pot?), like so many things in life!

Suggested Actions to take

  • Check if you or your hosting providers run CPANEL
  • Check for compromise (or request intel from a partner)
  • If no compromise detected patch the server
    • if you can’t patch consider using an IP allow list/VPN or other method to shield access from anywhere on the internet (you might want to do this even if you have patched)
  • If compromised follow your incident repsonse process

Each scenario is different so I’ll not try and tell everyone exactly what they should do here, the key point of this blog is to highlight the vulnerability, the threat/risk so people can take the appropriate steps.

Also, you probably want to check out the honeypots at Defused! They are awesome!

[update] just found this in the packets: H2ckt3ch@g0dl1k3 (cm9vdDpIMmNrdDNjaEBnMGRsMWsz is the BASE64). I won’t publish all the packets right now (because that probably won’t help this early on) but this string was interesting…

Copyright (c) Xservus Limited