Check in seconds if your cPanel/WHM installation allows CRLF (Carriage Return Line Feed) injection at the /login/?user= endpoint. Non-destructive test, instant result, remediation plan included.
/login/?user=The cPanel & WHM authentication bypass vulnerability that this scanner detects. CVSS 9.8 critical · pre-authentication · unauthenticated remote attackers gain root access to WHM.
A pre-authentication CRLF injection in cpsrvd (cPanel's service daemon) lets an attacker inject forged authentication flags (user=root, hasroot=1, tfa_verified=1) into a session file. When cpsrvd re-parses that file, it trusts the injected flags and grants full root WHM access — bypassing both password and 2FA checks.
Affects all cPanel & WHM versions after 11.40 plus WP Squared < 136.1.7. If your server exposes ports 2082, 2083, 2086, 2087, 2095 or 2096 to the internet and is not yet patched, treat it as actively at risk. ~1.5 million cPanel instances were exposed at disclosure time. Use the scanner above to confirm.
Update cPanel/WHM via /scripts/upcp --force from SSH as root. If you cannot patch right now: block external access to ports 2083, 2087, 2095, 2096 via CSF/iptables until you can. After patching, audit /var/cpanel/sessions/raw/ for IoCs and rotate all credentials.
The nuclear.x86 Mirai botnet actively kills wget and curl to prevent cleanup. Run this from SSH:
wget google.com
If it returns Killed instead of downloading → the botnet is active on your server. Force-kill it:
# Force-kill the botnet and verify it's gone pkill -9 -f "nuclear.x86" ps auxf | grep -i nuclear # Verify wget works again wget google.com
If the download completes normally → either you're not infected, or the binary was already removed.
Block these via CSF (csf -d) or iptables to harden against this campaign. Note: blocking these is reactive, not a substitute for patching.
87.121.84.78
45.148.120.23
Update to one of these (or later) on your branch. Check your current version with /usr/local/cpanel/cpanel -V.
11.110.0.9711.118.0.6311.126.0.5411.132.0.2911.134.0.2011.136.0.5WP Squared 136.1.7For deeper technical analysis, exploit details and ongoing campaign tracking:
Everything you need to know about this injection and how to protect your server
Allows an attacker to inject carriage return and line feed characters (\r\n) into HTTP headers. Enables response manipulation, session hijacking, cache poisoning and reflected XSS.
The user parameter in the /login/ endpoint does not properly filter encoded %0D%0A characters, allowing an attacker to introduce arbitrary HTTP headers in the server response.
Update cPanel/WHM to the latest version immediately. Implement a WAF with control character filtering, configure strict security headers and monitor server logs regularly.
Answers to common questions about CRLF injection, detection and remediation
%0D%0A characters in HTTP parameters, mainly in the /login/?user= endpoint. This enables response header manipulation, reflected XSS attacks, web cache poisoning, and administrative session hijacking. Also known as HTTP Response Splitting.X-Vulnerable-Test:YES. If the server reflects it in its HTTP response, it is vulnerable to CRLF injection and must be patched immediately./usr/local/cpanel/cpanel -V from SSH and consult the official cPanel changelog to confirm if your build includes the CRLF injection fix. LTS tier builds without updates are most exposed./scripts/upcp --force from SSH as root. As temporary mitigation, you can add ModSecurity rules that block %0D%0A sequences in URIs and arguments. This tool automatically generates a complete remediation plan with copyable commands when it detects vulnerability.2087 (SSL) or 2086 (non-SSL), while cPanel uses 2083 (SSL) or 2082 (non-SSL). Enter the URL including the port, for example https://your-server.com:2087. The CRLF test applies to the underlying login module (cpsrvd) shared by cPanel and WHM./usr/local/apache/logs/access_log), like any normal HTTP request. This is expected in a legitimate audit.cpsrvd session handler — the exact same vulnerability class this scanner tests. If the scanner reports your server as vulnerable, you are almost certainly exposed to CVE-2026-41940 (CVSS 9.8). Patch immediately with /scripts/upcp --force or block ports 2083/2087/2095/2096 at the firewall.wget and curl to prevent removal. Run wget google.com from an SSH session: if it returns Killed instead of downloading, the botnet is active on your server. Other IoCs: check /var/cpanel/sessions/raw/ for files containing user=root, hasroot=1, tfa_verified=1, or successful_internal_auth_with_timestamp from before you patched./etc/shadow contents, may have created admin accounts, modified ~/.ssh/authorized_keys, dropped cron jobs, or installed cryptominers. Step 1: isolate the server (block public IPs at firewall). Step 2: kill nuclear.x86 processes (pkill -9 -f nuclear.x86). Step 3: rotate ALL credentials (root, cPanel users, MySQL, FTP, SSH keys, API tokens). Step 4: audit /etc/passwd, /etc/sudoers.d/, ~/.ssh/authorized_keys, cron jobs, WHM users. Safest path: rebuild from a clean backup taken before the compromise window (potentially as early as Feb 23, 2026).Audit, urgent patching and professional hardening by a sysadmin with 12+ years of experience in cPanel/WHM, server security and VoIP infrastructure. Free quote in less than 24 hours, no commitments.
No intermediaries, no forms. Personal response to your inquiry.
This tool is designed exclusively for system administrators to verify their own servers or those they have explicit authorization for. Unauthorized use against third-party systems may constitute a crime under laws such as the Computer Fraud and Abuse Act (CFAA) in the US, the Budapest Convention on cybercrime or local equivalents. The test performed is non-destructive: it only verifies the reflection of an innocuous test header and does not compromise the system. You are fully responsible for the use you give to this tool.