Listen to this Post

Introduction:
A critical authentication bypass vulnerability in cPanel & WHM, affecting all supported versions and disclosed on April 28, 2026, could allow unauthenticated attackers to gain administrative control over web hosting servers. With over 70 million domains relying on cPanel, this flaw dramatically expands the attack surface, potentially leading to mass website defacement, data exfiltration, and server compromise across the hosting supply chain.
Learning Objectives:
- Apply emergency patches manually via command line and verify secure build versions.
- Implement layered mitigations including firewall rules, IP allowlisting, and multi-factor authentication.
- Detect potential exploitation through log analysis and deploy post-patch security audits.
You Should Know:
1. Emergency Patch Deployment via Command Line
The cPanel security team has pushed patches for versions 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5. To manually enforce the update:
Connect as root via SSH ssh root@your-server-ip Force cPanel update /usr/local/cpanel/scripts/upcp --force
Alternatively, use the shorter path:
/scripts/upcp --force
Verify successful patching by checking the version:
cat /usr/local/cpanel/version
NOTE: After patching, reboot the server to ensure all services reload with the secure libraries:
reboot
2. Immediate Firewall Mitigation for Unpatched Systems
For environments unable to patch immediately, restrict access to cPanel/WHM ports:
Using iptables (Linux) iptables -A INPUT -p tcp --dport 2082 -j DROP cPanel iptables -A INPUT -p tcp --dport 2083 -j DROP cPanel SSL iptables -A INPUT -p tcp --dport 2086 -j DROP WHM iptables -A INPUT -p tcp --dport 2087 -j DROP WHM SSL iptables -A INPUT -p tcp --dport 2095 -j DROP Webmail iptables -A INPUT -p tcp --dport 2096 -j DROP Webmail SSL Save rules iptables-save > /etc/iptables/rules.v4
For CSF (ConfigServer Security & Firewall) users, edit /etc/csf/csf.conf:
Block ports temporarily TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995" TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995" Then restart CSF csf -r
3. Enforcing Multi-Factor Authentication (2FA)
Enable 2FA globally via WHM interface or command line:
Via WHM:
- Navigate to Home → Security Center → Two-Factor Authentication
- Toggle the Two-Factor Authentication Security Policy to On
Via Command Line (for advanced automation):
Enable 2FA for root user whmapi1 twofactor_auth enable_user user=root List 2FA status for all users whmapi1 twofactor_auth list_users
TIP: Integrate Google Authenticator for TOTP-based verification. After enabling, users must scan a QR code with their authenticator app to generate six-digit codes for each login.
4. IP Allowlisting for WHM Access
Restrict WHM access to trusted IPs only:
Using WHM API whmapi1 add_ip address=203.0.113.5 cidr=32 Using direct .htaccess (Apache) echo "Require ip 203.0.113.5" >> /usr/local/cpanel/base/webmail/.htaccess
Better approach: Block at cloud edge (Cloudflare):
Cloudflare Firewall Rule (not cf.client.bot) and (http.request.uri.path contains "/cpanel" or http.request.uri.path contains "/whm") → Block
This significantly reduces attack surface before requests reach the origin server.
5. Log Monitoring for Exploitation Attempts
Monitor authentication logs for suspicious activity:
Check WHM login failures
grep "FAILED LOGIN" /usr/local/cpanel/logs/login_log
Analyze cPHulk brute force protection logs
tail -f /var/log/cphulkd.log
Review secure log for root access attempts
grep "root" /var/log/secure | grep "FAILED"
Check for unusual IP activity (last 24 hours)
last -a | grep "still logged in" | awk '{print $3}' | sort | uniq -c | sort -nr
For Windows Server (if running cPanel on Windows via virtualization), use PowerShell:
Check security event log for failed logins (Event ID 4625) Get-EventLog -LogName Security -InstanceId 4625 -Newest 50 | Format-List Monitor cPanel logs via PowerShell Remoting Get-Content "C:\cPanel\logs\access_log" -Wait
6. Handling End-of-Life (EOL) Systems
If you’re running an unsupported legacy version, patch will NOT be available. Immediate migration is required:
Check current cPanel version cat /usr/local/cpanel/version Determine update tier cat /etc/cpupdate.conf Migrate to supported version (e.g., v110 LTS) /scripts/upcp --force --tier=release
Critical: EOL systems (e.g., CentOS 6/7, CloudLinux 6/7) block cPanel updates since version 112. For such cases:
– Plan migration to a modern OS (AlmaLinux 8/9, Rockylinux 8/9) with fresh cPanel install
– Use `/scripts/pkgacct` to back up accounts
– Restore on new server using `/scripts/restorepkg`
7. Post-Patch Security Audit with CSI
Run cPanel Security Investigator (CSI) to scan for compromise indicators:
Download and run CSI
curl -LO https://raw.githubusercontent.com/CpanelInc/csi/main/csi
perl csi --report
Check for suspicious processes
ps auxf | grep -v "[" | awk '{print $11}' | sort | uniq -c | sort -nr | head -20
Scan for recent file modifications in web roots (last 7 days)
find /home//public_html -type f -mtime -7 -ls
For automated scanning, use the community compromise detection script:
git clone https://github.com/iammaksudul/cpanel-compromise-detection.git cd cpanel-compromise-detection ./detect.sh
This script checks Apache logs, .htaccess files, PHP files, and SSH login attempts for anomalies.
What Undercode Say:
- Patch immediacy is non-negotiable. The authentication bypass affects all cPanel/WHM versions, making it an critical supply chain risk for web hosting providers and sysadmins alike.
- Layered defense saves unpatched systems. Firewall restrictions, IP allowlisting, and enforced 2FA reduce exploitability even before patches are applied—essential for legacy servers.
Prediction:
This vulnerability will likely be weaponized within 48-72 hours, with automated scanners targeting exposed WHM ports (2087). Expect widespread hosting compromises by mid-May 2026, particularly among smaller providers slow to patch. The incident underscores a broader trend: control panel software increasingly becomes a prime target for mass exploitation, forcing the industry toward zero-trust architectures and mandatory 2FA enforcement across all administrative interfaces.
▶️ Related Video (84% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Cybersecuritynews Share – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


