A critical vulnerability affecting all but the latest versions of cPanel and the WebHost Manager (WHM) dashboard could be exploited to obtain access to the control panel without authentication.
The security issue has been addressed in an emergency update that requires running a command manually to retrieve a patched version of the software.
Owned by WebPros International, WHM and cPanel are Linux-based web hosting control panels for server and website management. While WHM provides server-level control, cPanel provides administrator access to the website backend, webmail, and databases.
Both products are among the most widely deployed hosting control panels, popular with many hosting providers for their standardized interfaces, ease of use for non-technical users, and deep integration with common hosting stacks.
No technical details have been publicly disclosed, but the severity of the issue appears significant, as Namecheap temporarily blocked access to ports 2083 and 2087 used for WHM and cPanel to protect customers until patches were available.
“We regret to inform you that a critical security vulnerability has been identified in cPanel software affecting all currently supported versions,” Namecheap said.
The hosting provider stated that the vulnerability, which has not received an official identifier, “relates to an authentication login exploit that could allow unauthorized access to the control panel.”
A few hours after Namecheap’s notification, cPanel published a security bulletin informing that the security issue had been addressed in the following product versions:
- 11.110.0.97
- 11.118.0.63
- 11.126.0.54
- 11.132.0.29
- 11.136.0.5
- 11.134.0.20
To install a safe version, the vendor recommends that administrators execute the command /scripts/upcp –force, which runs the cPanel update process and forces it to execute even if the system thinks it already runs on the latest version.
Servers running an unsupported version of cPanel are ineligible for security updates. In this case, administrators are recommended to upgrade to a supported version as soon as possible.
The discovery of the vulnerability has not been publicly attributed, and there’s currently no tracking ID for the issue.
An attacker gaining access to cPanel can control everything present in the hosting account, from websites and data to email. They can use the access to plant backdoors or web shells, redirect users to malicious locations, steal sensitive files, send spam or phishing emails, or collect passwords from configuration files.
WHM provides access to the entire server and all the websites it hosts. This means that a threat actor could create and delete cPanel accounts, establish persistent access on the machine, and use it for various malicious activities (e.g., proxy traffic, spam, malware delivery, botnet).
Website owners using the affected management interfaces should ensure that they have updated to a patched version.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
