cPanel & WHM Under Fire: Critical File Read, Perl Code Execution, and Privilege Escalation Flaws Patched – Act Now! + Video

Introduction:

Three newly patched vulnerabilities in cPanel & WHM (WebHost Manager) expose millions of servers to file read attacks, arbitrary Perl code execution, privilege escalation, and denial-of-service conditions. These flaws follow a recent zero-day exploitation that already deployed Mirai botnet variants and Sorry ransomware, making immediate patching critical for hosting providers and system administrators.

Learning Objectives:

  • Identify the three vulnerability types (file read, Perl code execution, privilege escalation/DoS) and their exploitation vectors.
  • Apply patching commands and verify integrity on Linux-based cPanel/WHM servers.
  • Detect indicators of compromise (IoCs) related to Mirai variants and Sorry ransomware using log analysis and system checks.

You Should Know:

  1. Understanding the Vulnerabilities: File Read, Perl Code Execution, and Privilege Escalation

The patched issues in cPanel & WHM (versions prior to 118.0.47, 122.0.17, and 126.0.12) include:
– Unauthenticated file read – an attacker can read arbitrary system files (e.g., /etc/passwd, Apache configs, database credentials) via crafted API requests.
– Perl code injection – because cPanel uses Perl extensively, specially crafted input can lead to remote code execution under the `cpanel` user context.
– Privilege escalation to root – combined with the Perl execution, an attacker can break out of restricted jails and gain full system control.
– Denial of Service – malformed packets or repeated requests can crash WHM service processes.

Step‑by‑step guide to check your current cPanel version (Linux):

1. Log in as root via SSH.

2. Run:

/usr/local/cpanel/cpanel -V

3. Alternatively, check `cat /usr/local/cpanel/version`.

4. Compare with patched versions: 118.0.47+, 122.0.17+, or 126.0.12+. If older, you are vulnerable.
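The comparison in step 4 is easy to get wrong by eye (a build number is not a decimal), so here is a small checker as an added example, not cPanel's own code. It assumes the two version forms a cPanel host exposes: `/usr/local/cpanel/version` may carry a legacy `11.` prefix (e.g. `11.118.0.47`) and `cpanel -V` may print `118.0 (build 47)`; the thresholds are the ones named in the article.

```python
"""Compare an installed cPanel & WHM version against the patched releases
named in the article (118.0.47, 122.0.17, 126.0.12). Added example, not
cPanel's own code. Assumptions: /usr/local/cpanel/version may carry an
'11.' prefix (e.g. 11.118.0.47) and `cpanel -V` may print '118.0 (build 47)'."""
import re
from typing import Optional, Tuple

# Minimum safe release per major branch, exactly as the article lists them.
PATCHED = {118: (118, 0, 47), 122: (122, 0, 17), 126: (126, 0, 12)}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Normalise the version forms above to a (major, minor, build) tuple."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    if len(nums) == 4 and nums[0] == 11:  # drop the legacy '11.' prefix
        nums = nums[1:]
    if len(nums) != 3:
        raise ValueError(f"unrecognised cPanel version string: {text!r}")
    return nums[0], nums[1], nums[2]


def is_vulnerable(version: str) -> Optional[bool]:
    """True if below the patched release for its branch, False if patched,
    None if the branch is not one the article covers (check the release notes)."""
    v = parse_version(version)
    patched = PATCHED.get(v[0])
    return None if patched is None else v < patched


def installed_version(path: str = "/usr/local/cpanel/version") -> str:
    """Read the version file from step 3 of the article."""
    with open(path, encoding="ascii") as fh:
        return fh.read().strip()


if __name__ == "__main__":
    try:
        ver = installed_version()
    except OSError:  # not on a cPanel host: ask for the string instead
        ver = input("cPanel version: ")
    verdict = {True: "VULNERABLE - run /scripts/upcp --force",
               False: "patched",
               None: "branch not covered by this advisory"}[is_vulnerable(ver)]
    print(ver, "->", verdict)
```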

To manually verify the file read vulnerability (after patching, for testing):
Do not attempt this on production; use an isolated test environment.
A known PoC involves sending a GET request to /cpanel/login/?login=1&user=..%2F..%2F..%2Fetc%2Fpasswd. If the response returns file content, the flaw exists. Patching blocks the path traversal.

  2. Applying the Patch: cPanel Update Commands and Rollback Procedures

cPanel provides an automatic updater, but administrators should force an immediate update. The following commands work on CentOS, RHEL, CloudLinux, and AlmaLinux.

Step‑by‑step patching guide:

1. SSH as root.

2. Stop non‑critical services to avoid conflicts:

systemctl stop httpd mysql

3. Run the update script:

/scripts/upcp --force

4. Wait for completion (verifies GPG signatures and applies patches).

5. Restart cPanel services:

/scripts/restartsrv_cpsrvd
/scripts/restartsrv_whostmgrd

6. Verify version again:

/usr/local/cpanel/cpanel -V

7. Re‑enable httpd and mysql:

systemctl start httpd mysql

If patching fails or breaks custom integrations:

/scripts/restore_cpanel_backup --backup=/var/cpanel/backups/pre-update

(Ensure backup exists before proceeding.)

  3. Detecting Active Exploitation: Log Analysis and Process Inspection

Given that attackers are already exploiting a related zero‑day to deploy Mirai and Sorry ransomware, you must scan for IoCs.

Step‑by‑step detection commands (Linux):

1. Check cPanel access logs for path traversal attempts (the dots must be escaped, otherwise `..` matches any two characters; `-i` also catches upper-case `%2E`):

grep -Ei '\.\./|%2e%2e(%2f|/)' /usr/local/cpanel/logs/access_log

2. Search for unexpected Perl processes:

ps aux | grep perl | grep -v cpanel

3. Look for Mirai‑related binaries (typical names: mirai, pnscan, zollard):

find / -type f -executable \( -name mirai -o -name pnscan -o -name zollard \) 2>/dev/null

4. Identify Sorry ransomware indicators (encrypted file extensions .sorry, ransom note README_SORRY.txt):

find /home/*/public_html -type f -name "*.sorry" 2>/dev/null
find / -name "README_SORRY.txt" 2>/dev/null

5. Check for unusual outbound connections (common C2 ports 23, 2323, 48101):

netstat -anp | grep -E ':(23|2323|48101)\b' | grep ESTABLISHED
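A single grep (step 1) misses mixed-case and double-encoded traversal, and step 5 of the incident response checklist later needs the date of the earliest attempt. The scanner below is an added example, not cPanel's own tooling: it decodes each request target before matching and reports the earliest hit. It assumes access_log lines follow the Apache-style combined layout; the sample lines are constructed.

```python
"""Scan cPanel access_log lines for path-traversal attempts, decoding URL
encoding so mixed-case and double-encoded variants are not missed.
Added example, not cPanel's own tooling; the line layout is an assumption."""
import re
from datetime import datetime
from typing import Dict, List, Optional
from urllib.parse import unquote

# Assumed layout: client IP, ident, user, [timestamp], "METHOD target PROTO" ...
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')  # dot-dot plus separator, after decoding
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def fully_decode(target: str, rounds: int = 3) -> str:
    """Strip up to `rounds` layers of percent-encoding; stops once stable."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def is_traversal(target: str) -> bool:
    """True if the request target contains '../' (or '..\\') in any encoding."""
    return TRAVERSAL_RE.search(fully_decode(target)) is not None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """One record per suspicious request: source IP, timestamp, raw target."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and is_traversal(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"]})
    return hits


def earliest_hit(hits: List[Dict[str, str]]) -> Optional[datetime]:
    """Earliest traversal attempt: the date a clean backup must predate."""
    stamps = [datetime.strptime(h["ts"], TS_FMT) for h in hits]
    return min(stamps) if stamps else None


# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2024:09:15:02 +0000] "GET /cpsess1234/frontend/jupiter/index.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [12/Mar/2024:09:15:40 +0000] "GET /cpanel/login/?login=1&user=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1824',
    '203.0.113.5 - - [12/Mar/2024:09:16:01 +0000] "GET /cpanel/login/?user=%2E%2e%2F%2e%2E%2Fetc%2Fshadow HTTP/1.1" 403 0',
    '192.0.2.9 - - [12/Mar/2024:09:20:13 +0000] "GET /img/logo..v2.png HTTP/1.1" 200 900',
    '203.0.113.5 - - [12/Mar/2024:09:21:55 +0000] "GET /cpanel/login/?user=%252e%252e%252fetc%252fhosts HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']}  {h['ip']}  {h['target']}")
    print("earliest:", earliest_hit(found))
```

Feed the real file with `scan(open("/usr/local/cpanel/logs/access_log").read().splitlines())` to run it on a host.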

Windows (if managing cPanel via remote admin):

cPanel does not run on Windows, but you can query a Linux server from a Windows workstation using PuTTY/plink:

plink root@your-server "/usr/local/cpanel/cpanel -V"

  4. Hardening cPanel/WHM Against Future Exploits

Beyond patching, apply these configurations to reduce attack surface.

Step‑by‑step hardening guide:

1. Disable dangerous PHP functions (if Perl injection is a concern): in WHM → MultiPHP INI Editor, add:

disable_functions = exec,shell_exec,system,passthru,proc_open,pcntl_exec

2. Enable cPHulk brute force protection to block automated exploits:

/scripts/cphulkd_ctl --enable
/scripts/cphulkd_ctl --set --bruteforce=5min/3

3. Limit API access to trusted IPs – edit /var/cpanel/conf/apache/apis.conf:

<Location /cpanel>
    Require ip 192.168.1.0/24
</Location>

4. Enable ModSecurity with OWASP CRS to block path traversal and code injection:

yum install mod_security_crs -y
systemctl restart httpd

5. Run a weekly security audit:

/scripts/cpanel_security_audit

  5. Incident Response: What to Do If Already Compromised

If you detect Mirai or Sorry ransomware artifacts, follow this containment plan.

Step‑by‑step IR checklist:

1. Isolate the server – disconnect the network or add strict firewall rules:

iptables -P INPUT DROP
iptables -P FORWARD DROP

2. Take forensic images of memory and disk:

dd if=/dev/sda of=/mnt/backup/disk_image.dd bs=4M status=progress

3. Kill malicious processes (identify them via `ps aux` and `lsof`):

kill -9 <PID>

4. Remove cron jobs added by ransomware (this wipes the user's entire crontab, so list it with `crontab -u <victim_user> -l` and save a copy for forensics first):

crontab -u <victim_user> -r

5. Restore from clean backups – ensure backup age predates the first exploitation (check file read logs for earliest date).
6. Reset all API tokens & cPanel passwords – use WHM → Manage API Tokens.

  6. Long‑Term Prediction: The Rise of Hosting‑Targeted Ransomware

The Sorry ransomware’s use of a cPanel zero‑day marks a shift: cybercriminals now weaponize control panel vulnerabilities to encrypt entire hosting environments. Expect similar flaws in Plesk, DirectAdmin, and Webmin within 12 months. Managed hosting providers will need to implement virtual patching via WAF and mandatory runtime application self‑protection (RASP). Furthermore, Mirai variants targeting cPanel will increase DDoS‑for‑hire attacks from compromised web servers, turning hosting platforms into botnet nodes.

What Undercode Says:

  • Immediate patching is non‑negotiable – the active exploitation of the zero‑day means unpatched servers will be compromised within days.
  • Defense in depth saves infrastructure – combine file integrity monitoring (e.g., AIDE), outbound firewall rules, and regular credential rotation to survive the next flaw.

Prediction:

Within six months, we will see the first “cPanel ransomware‑as‑a‑service” offering on darknet markets, pushing small hosting providers out of business. Automated patch management and immutable backups will become mandatory insurance requirements.

Reported By: Hackermohitkumar Cpanel – Hackers Feeds