Critical Vulnerability with cPanel & WHM Login Authentication
Heads up for anyone running cPanel & WHM environments -- you may want to temporarily block ports 2083/2087 ASAP.
We've already implemented this across our shared/reseller hosting fleet as a precaution.
cPanel has today disclosed a critical authentication-related vulnerability affecting all supported versions, and as of now, no patch is available yet.
Official advisory from cPanel: https://support.cpanel.net/hc/en-us/articles/40073787579671-Critical-Vulnerability-with-cPanel-WHM-Login-Authentication
Description
A critical vulnerability was recently identified in the cPanel software regarding an authentication login exploit. This affects all currently supported versions of cPanel.
Workaround
Currently, we are actively building a patch for all supported versions of cPanel/WHM to address this and ensure the integrity of the cPanel product. In the meantime, using a firewall to block access to TCP ports 2083/2087 will prevent unauthorized access, but would also restrict all other access to the control panel as well. This is currently the best option to secure your servers until the patch is ready.
If you are utilizing an unsupported version of cPanel, it is strongly recommended that you update to a supported build as soon as possible, as it is likely also affected. This way, you can receive the patch as soon as it's available.


Comments
Wow!
Should probably disable proxy domains as well in the meantime.
Yes, we noticed that too and brought it to the cPanel's team attention. They just updated their documentation a few minutes ago in light of this feedback.
For those running Litespeed, here is the command to do so:
whmapi1 set_tweaksetting key=proxysubdomains value=0 && /scripts/proxydomains remove && /scripts/rebuildhttpdconf && systemctl restart lsws
Nasty! We've disabled cPanel/WHM/Proxy Subdomains per their advice in the meantime.
It was just expanded to cover Webmail and Webdisk as well:
2083/2087 - SSL connections
2082/2086 - Non-SSL connections
2095/2096 - Webmail
If webdisk is enabled, include 2077/2078
The cPanel documentation has been updated to include webmail ports too: https://support.cpanel.net/hc/en-us/articles/40073787579671-Critical-Vulnerability-with-cPanel-WHM-Login-Authentication
2083/2087 - SSL connections
2082/2086 - Non-SSL connections
2095/2096 - Webmail
If webdisk is enabled, include 2077/2078
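The advisory's port-blocking workaround, extended with the Webmail and Web Disk ports listed in the follow-up comments, as a small nftables rule generator. This is an added example written for this thread, not cPanel's own tooling; the table name cpanel_emergency, the optional admin allowlist parameter and the function names are assumptions.

```shell
#!/bin/sh
# Emit nftables rules that drop inbound TCP to the cPanel/WHM ports named in
# this thread, optionally letting a comma-separated admin allowlist through so
# the block does not also lock out your own staff. Added example, not cPanel's
# script; table/chain names and the allowlist mechanism are assumptions.

# Ports from the advisory and the follow-up comments.
CPANEL_PORTS="2082,2083,2086,2087,2095,2096"   # cPanel/WHM non-SSL + SSL, Webmail
WEBDISK_PORTS="2077,2078"                      # only if Web Disk is enabled

# cpanel_block_ports WITH_WEBDISK ALLOWLIST
#   WITH_WEBDISK: 1 to include 2077/2078, 0 otherwise
#   ALLOWLIST:    comma-separated IPv4 addresses/CIDRs allowed through (may be empty)
# Prints nft commands to stdout; as root, pipe into `nft -f -` to apply.
cpanel_block_ports() {
    with_webdisk="${1:-0}"
    allowlist="${2:-}"
    ports="$CPANEL_PORTS"
    [ "$with_webdisk" = "1" ] && ports="$ports,$WEBDISK_PORTS"

    # Declare, delete, redeclare: makes repeated runs idempotent.
    echo "table inet cpanel_emergency"
    echo "delete table inet cpanel_emergency"
    echo "table inet cpanel_emergency {"
    echo "  chain input {"
    # Priority -10 runs before the usual filter chain (priority 0).
    echo "    type filter hook input priority -10; policy accept;"
    if [ -n "$allowlist" ]; then
        echo "    ip saddr { $allowlist } tcp dport { $ports } accept"
    fi
    echo "    tcp dport { $ports } counter drop"
    echo "  }"
    echo "}"
}

# Number of ports covered by the drop rule; useful as a sanity check
# before applying (6 without Web Disk, 8 with it).
cpanel_blocked_port_count() {
    cpanel_block_ports "$1" "$2" | grep 'counter drop' \
        | grep -o '[0-9]\{4\}' | wc -l | tr -d ' '
}
```

Review the emitted ruleset before applying it; the `counter` keyword lets you see with `nft list table inet cpanel_emergency` how much traffic the block is absorbing while the patch is pending.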
We are going to be seeing many more of these as frontier AI models are used for penetration testing.
Yep. But at the end of the day, it's for the better.
cPanel has now updated their temporary guidance -- in addition to blocking earlier mentioned ports, they are recommending stopping cpsrvd and cpdavd services altogether as a precaution.
Why is the current solution just adding the cPanel ports themselves? TCP 2083/2087 are important, duh.
Looks like the docs are updated every minute!
Aaaah shit.
It certainly does seem like a fast moving situation, likely discovered externally and thus prompting an emergency response. cPanel patch security issues regularly but most don't get anywhere near the level of exposure this one is getting.
It's 3AM here! Should I sleep or temporarily disable ports 2083/2087?
Well, if you want to wake up to even more work from a compromised server, then it's probably best you follow the advice cPanel have given.
Wowie
Patches released: https://support.cpanel.net/hc/en-us/articles/40073787579671-Critical-Vulnerability-with-cPanel-WHM-Login-Authentication
Sleep takes priority.

cPanel has updated the documentation with a detection bash script, to help look for indicators of compromise: https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026
@labze @Francisco systems updated?
Thanks for thinking of us! We kept on top of it and pulled updates the ~minute they said it was available.
Assuming you're on a version of cPanel that's still getting updates, you should be auto-updated by now.
Francisco
Yes. Got woken up during the night to handle this.
One of my colleagues noticed this issue on March 17 on one of our cPanel testing servers, which did not have IP-based login restrictions for WHM. It was reported to cPanel, but they didn’t take any action.
Our boys are always on time.
So another price hike for cPanel is coming soon.
@dustinc what was your solution for this hard time? The cPanel team are sleeping.
So the problem has existed since February 23 and was reported to cPanel, but they didn’t take any action.
Who is going to pay for this? Data loss, compromised servers, companies having to reinstall systems, all the work involved, the downtime, etc. In my opinion, cPanel should be held responsible for this. Yes, I know you’ll say companies should have backups — and that’s true — but what about the time, effort, and downtime required to rebuild servers and websites?
If I make a mistake, I am held accountable and I pay for it. Why should it be different here?
How come nobody is talking about this on the cPanel Community? I haven’t found any discussions about it. Is this being ignored or hidden?
Will anybody sue cPanel? I’m curious about this — someone should.
cPanel staff have been deleting the topics. I saw them being created, and now when I check my browser history and go back to those links, they're gone.
cPanel have a lazy attitude on a lot of matters these days. One example of many: For a while now, their forum has been inundated with spam posts which sit around for hours before being deleted. Just deleting them isn't the answer - prevent them from being created in the first place.
So, cPanel switched to claude-coding?! The CVE is damn serious for a human to miss...
Too late. My cPanel was hacked yesterday already. That's a sad story.