
Summary
The rule detects the network-level signature of CVE-2026-41940 in cPanel/WHM: a pre-auth root-level bypass caused by CRLF injection in the session writer. It watches for a GET / request to a cPanel/WHM admin port (2087/2086/2083/2082/2095/2096) that carries an Authorization: Basic header whose decoded value contains CRLF-delimited session fields, followed by an HTTP 3xx redirect whose Location header leaks a cpsess token path (e.g., /cpsessNNNN…). This exploit-shaped transaction is the Stage 2 indicator described by Unfold/watchTowr and is not produced by legitimate usage, since GET / on WHM normally returns 200 with the login screen and no Basic credentials.

The rule requires TLS-visible HTTP data (e.g., TLS termination or sidecar visibility with send_all_headers) to observe http.request.headers.authorization and http.response.headers.location. It matches a single decoded HTTP transaction with all of the following:
- GET /
- one of the cPanel admin ports
- a 3xx response
- an Authorization: Basic header
- a Location header matching /cpsess*

The rule supports threat investigation and remediation steps, including patching, credential hygiene, and access-control hardening for admin ports.
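The five match conditions above, implemented over decoded HTTP transactions, as an added example that is not the rule's own query nor code from Unfold/watchTowr or cPanel. The `HttpTransaction` field names are assumptions loosely modelled on ECS-style http.request.* / http.response.* data; the hex alphabet assumed for the cpsess token is also an assumption (the summary only gives the /cpsessNNNN… shape). It goes slightly beyond the summary in two ways: it accepts both relative and absolute-URL Location values, and it adds a `crlf_in_basic` enrichment that decodes the Basic value and reports whether CR/LF bytes are present, which the rule itself does not check. All sample transactions are constructed, not captured traffic.

```python
import base64
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Admin ports named in the rule summary.
CPANEL_ADMIN_PORTS = {2082, 2083, 2086, 2087, 2095, 2096}
# Session path shape from the summary (/cpsessNNNN...); the hex alphabet is an assumption.
CPSESS_PATH_RE = re.compile(r"^/cpsess[0-9a-fA-F]+")


@dataclass
class HttpTransaction:
    """One decoded request/response pair. Field names are assumptions modelled on
    ECS-style http.request.* / http.response.* data, not a specific sensor's schema."""
    method: str
    path: str
    dst_port: int
    status: int
    request_headers: dict = field(default_factory=dict)
    response_headers: dict = field(default_factory=dict)


def get_header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def location_path(location):
    """Path part of a Location value, whether it is relative or an absolute URL."""
    return urlparse(location).path if "://" in location else location


def matches_rule(tx):
    """All five conditions from the summary must hold on a single transaction."""
    if tx.method.upper() != "GET" or tx.path != "/":
        return False
    if tx.dst_port not in CPANEL_ADMIN_PORTS:
        return False
    if not 300 <= tx.status <= 399:
        return False
    auth = get_header(tx.request_headers, "Authorization")
    if not auth or not auth.lower().startswith("basic "):
        return False
    location = get_header(tx.response_headers, "Location")
    return bool(location and CPSESS_PATH_RE.match(location_path(location)))


def basic_value_has_crlf(authorization):
    """Enrichment (not part of the rule's match): decode the Basic credential and
    report whether a CR or LF byte is present. Returns False on a malformed value."""
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() != "basic":
        return False
    blob = blob.strip()
    blob += "=" * (-len(blob) % 4)  # tolerate missing padding
    try:
        decoded = base64.b64decode(blob)
    except ValueError:
        return False
    return b"\r" in decoded or b"\n" in decoded


def evaluate(tx):
    """Rule verdict plus the CRLF enrichment an analyst would want beside it."""
    hit = matches_rule(tx)
    auth = get_header(tx.request_headers, "Authorization") or ""
    return {"match": hit, "crlf_in_basic": hit and basic_value_has_crlf(auth)}


# Constructed sample transactions (not captured traffic); the Basic value in the
# first one is a placeholder credential with a constructed CRLF-delimited field.
SAMPLES = {
    "redirect_with_crlf_basic": HttpTransaction(
        method="GET", path="/", dst_port=2087, status=302,
        request_headers={"Authorization": "Basic " + base64.b64encode(
            b"user:pass\r\nconstructed_field=1").decode()},
        response_headers={"Location": "/cpsess0123456789/"},
    ),
    "absolute_location_plain_basic": HttpTransaction(
        method="GET", path="/", dst_port=2086, status=302,
        request_headers={"authorization": "Basic dXNlcjpwYXNz"},  # "user:pass"
        response_headers={"location": "https://host.example:2086/cpsessabcdef0123/"},
    ),
    "normal_login_page": HttpTransaction(method="GET", path="/", dst_port=2087, status=200),
    "redirect_without_basic": HttpTransaction(
        method="GET", path="/", dst_port=2083, status=301,
        response_headers={"Location": "https://host.example:2083/cpsess0123456789/"},
    ),
}

if __name__ == "__main__":
    for name, tx in SAMPLES.items():
        print(f"{name}: {evaluate(tx)}")
```

The second sample shows why the enrichment is kept separate from the verdict: the rule fires on the transaction shape alone, so a match without CR/LF in the decoded value is still a match and should be triaged, while a CR/LF hit raises confidence that the Basic header was crafted rather than sent by a misconfigured client.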
Categories
- Network
- Application
- Web
Data Sources
- Network Traffic
ATT&CK Techniques
- T1190
Created: 2026-05-07