cPanel Emergency Patch: Critical Authentication Flaw Exposes Hosting Servers to Full Takeover + Video

Listen to this Post

Featured Image

Introduction:

A critical authentication bypass vulnerability in cPanel & WHM, affecting all supported versions and disclosed on April 28, 2026, could allow unauthenticated attackers to gain administrative control over web hosting servers. With over 70 million domains relying on cPanel, this flaw dramatically expands the attack surface, potentially leading to mass website defacement, data exfiltration, and server compromise across the hosting supply chain.

Learning Objectives:

  • Apply emergency patches manually via command line and verify secure build versions.
  • Implement layered mitigations including firewall rules, IP allowlisting, and multi-factor authentication.
  • Detect potential exploitation through log analysis and deploy post-patch security audits.

You Should Know:

1. Emergency Patch Deployment via Command Line

The cPanel security team has pushed patches for versions 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5. To manually enforce the update:

 Connect as root via SSH
ssh root@your-server-ip

Force cPanel update
/usr/local/cpanel/scripts/upcp --force

Alternatively, use the shorter path:

/scripts/upcp --force

Verify successful patching by checking the version:

cat /usr/local/cpanel/version

NOTE: After patching, reboot the server to ensure all services reload with the secure libraries:

reboot

2. Immediate Firewall Mitigation for Unpatched Systems

For environments unable to patch immediately, restrict access to cPanel/WHM ports:

 Using iptables (Linux)
iptables -A INPUT -p tcp --dport 2082 -j DROP  cPanel
iptables -A INPUT -p tcp --dport 2083 -j DROP  cPanel SSL
iptables -A INPUT -p tcp --dport 2086 -j DROP  WHM
iptables -A INPUT -p tcp --dport 2087 -j DROP  WHM SSL
iptables -A INPUT -p tcp --dport 2095 -j DROP  Webmail
iptables -A INPUT -p tcp --dport 2096 -j DROP  Webmail SSL

Save rules
iptables-save > /etc/iptables/rules.v4

For CSF (ConfigServer Security & Firewall) users, edit /etc/csf/csf.conf:

 Block ports temporarily
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
 Then restart CSF
csf -r

3. Enforcing Multi-Factor Authentication (2FA)

Enable 2FA globally via WHM interface or command line:

Via WHM:

  • Navigate to Home → Security Center → Two-Factor Authentication
  • Toggle the Two-Factor Authentication Security Policy to On

Via Command Line (for advanced automation):

 Enable 2FA for root user
whmapi1 twofactor_auth enable_user user=root

List 2FA status for all users
whmapi1 twofactor_auth list_users

TIP: Integrate Google Authenticator for TOTP-based verification. After enabling, users must scan a QR code with their authenticator app to generate six-digit codes for each login.

4. IP Allowlisting for WHM Access

Restrict WHM access to trusted IPs only:

 Using WHM API
whmapi1 add_ip address=203.0.113.5 cidr=32

Using direct .htaccess (Apache)
echo "Require ip 203.0.113.5" >> /usr/local/cpanel/base/webmail/.htaccess

Better approach: Block at cloud edge (Cloudflare):

 Cloudflare Firewall Rule
(not cf.client.bot) and (http.request.uri.path contains "/cpanel" or http.request.uri.path contains "/whm")
→ Block

This significantly reduces attack surface before requests reach the origin server.

5. Log Monitoring for Exploitation Attempts

Monitor authentication logs for suspicious activity:

 Check WHM login failures
grep "FAILED LOGIN" /usr/local/cpanel/logs/login_log

Analyze cPHulk brute force protection logs
tail -f /var/log/cphulkd.log

Review secure log for root access attempts
grep "root" /var/log/secure | grep "FAILED"

Check for unusual IP activity (last 24 hours)
last -a | grep "still logged in" | awk '{print $3}' | sort | uniq -c | sort -nr

For Windows Server (if running cPanel on Windows via virtualization), use PowerShell:

 Check security event log for failed logins (Event ID 4625)
Get-EventLog -LogName Security -InstanceId 4625 -Newest 50 | Format-List

Monitor cPanel logs via PowerShell Remoting
Get-Content "C:\cPanel\logs\access_log" -Wait

6. Handling End-of-Life (EOL) Systems

If you’re running an unsupported legacy version, patch will NOT be available. Immediate migration is required:

 Check current cPanel version
cat /usr/local/cpanel/version

Determine update tier
cat /etc/cpupdate.conf

Migrate to supported version (e.g., v110 LTS)
/scripts/upcp --force --tier=release

Critical: EOL systems (e.g., CentOS 6/7, CloudLinux 6/7) block cPanel updates since version 112. For such cases:
– Plan migration to a modern OS (AlmaLinux 8/9, Rockylinux 8/9) with fresh cPanel install
– Use `/scripts/pkgacct` to back up accounts
– Restore on new server using `/scripts/restorepkg`

7. Post-Patch Security Audit with CSI

Run cPanel Security Investigator (CSI) to scan for compromise indicators:

 Download and run CSI
curl -LO https://raw.githubusercontent.com/CpanelInc/csi/main/csi
perl csi --report

Check for suspicious processes
ps auxf | grep -v "[" | awk '{print $11}' | sort | uniq -c | sort -nr | head -20

Scan for recent file modifications in web roots (last 7 days)
find /home//public_html -type f -mtime -7 -ls

For automated scanning, use the community compromise detection script:

git clone https://github.com/iammaksudul/cpanel-compromise-detection.git
cd cpanel-compromise-detection
./detect.sh

This script checks Apache logs, .htaccess files, PHP files, and SSH login attempts for anomalies.

What Undercode Say:

  • Patch immediacy is non-negotiable. The authentication bypass affects all cPanel/WHM versions, making it an critical supply chain risk for web hosting providers and sysadmins alike.
  • Layered defense saves unpatched systems. Firewall restrictions, IP allowlisting, and enforced 2FA reduce exploitability even before patches are applied—essential for legacy servers.

Prediction:

This vulnerability will likely be weaponized within 48-72 hours, with automated scanners targeting exposed WHM ports (2087). Expect widespread hosting compromises by mid-May 2026, particularly among smaller providers slow to patch. The incident underscores a broader trend: control panel software increasingly becomes a prime target for mass exploitation, forcing the industry toward zero-trust architectures and mandatory 2FA enforcement across all administrative interfaces.

▶️ Related Video (84% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Cybersecuritynews Share – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky