Critical Vulnerability with cPanel & WHM Login Authentication
This discussion has been closed.

Comments
What happened? If your server was auto-patching daily, which I think is normal, it should have downloaded the patch.
Move to DirectAdmin - problem solved.
https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026
Don't think that long until something happens there.
This seems unrelated, but I just banned a SporeStack token for trying to hack into someone's cPanel yesterday.
These were the logs:
We are using a shared hosting. Some websites hosted with them, their cPanel got hacked and we didn't make any backup yet.
Can someone please confirm whether the bypass check server uses Python?
We are using ModSecurity to block any Python requests to our servers, and in our logs there are far too many blocked requests since this issue appeared.
From what I can see, our servers are completely fine. The servers where we did not have this ModSecurity rule in place were compromised. Once we added the rule, no further issues occurred.
cPanel collects (loots) so much money from their users and end-users, but it seems they fail to invest it in security. Now they've got one more reason to increase the price by a minimum of 15% in 2027.
How? If you're checking useragents or something that's pointless.
good ol carriage return and line feed strikes again? can't make this shit up if i tried
i wonder how long this was working before "being reported"
do eu data protection complaint, those mfs got cash to hire competent devs to secure their code.
but ditch this crap, it's still an attack vector on your server
cPanel should pay for all this trouble because lots of data was exposed. Where is GDPR?
I just want to say
It has been happening since August 2025.
So we can say servers must have been hacked more than we know.
How do I know? Because I found it in September 2025 on one of my users.
Luckily I'm limiting port access for 2086, 2087 and the SSH port. So I patched, cleaned up my user, and everything is okay.
I was patching with root access on every brute-force attempt in cPanel and auto-banning every IP that entered a wrong password.
This is not what happened, has nothing to do with "claude coding", this issue has existed in cPanel since way before, as they stated this "does not affect just some it affects all! update". This has been there for all these years, way before AI became a thing.
We've had to help quite a few customers restore their VMs from backups, and luckily on the 28th, the moment this was disclosed, we started by locking :2087 and :2083 until the patch was released, and the moment it was, we updated our fleet.
Unfortunately the emails we sent out to our clients fell on deaf ears until 30th+ when they all of a sudden wondered why their site is not working, then you open console to give them the bad news "boot not found", and you just know the rest of this..
It's unfortunate. If you were on shared hosting I would assume they have a backup, but if you are like many others, you missed those messages (I mean, I hope they sent you an urgent email; we sent out one, then a reminder, along with even a reminder for the CVE affecting the Linux kernels). However, I do feel bad for you. We've been having to see people devastated from this one, those who do not have backups.
My message to everyone still now is this: if you haven't been HACKED and you haven't updated, UPDATE NOW. It's not a matter of IF, it's WHEN. They are actively scanning for :2087 to just apply this exploit to see the world burn.
The problem was discovered in February, which was odd; apparently Knownhost knew about it, or so I read. I won't stake my reputation on it.
It's a bit lame if they knew this and didn't disclose, but the problem has existed way before February 23rd. You can apply this hack to even the older versions of cPanel; this one has been there for a while.
https://support.cpanel.net/hc/en-us/articles/40229402602519-Security-CVE-2026-23918
Yeah, we saw this one. Couldn't believe we were firing EA4 updates and another upcp so close to the other one, but luckily this one is not as alarming in the sense it's not made public. It's the season of CVE, apparently.
Anyway, I have three servers whose databases and website files have been deleted.
Here we go again? Received 15 minutes ago

Easy peasy — install Cursor/Claude on a VPS with cPanel, tell them to dig into the server and look for cPanel vulnerabilities... have fun. Even ChatGPT, after I asked it to search for cPanel vulnerabilities, told me it could help analyze them, but that doing so against systems without permission would be illegal.
We wanted AI, now we have AI. It’s just a matter of time, and I guarantee it’s going down not the AI because of the AI. have fun.
Wow!
Thanks!
There will also be releases for CloudLinux, WHMCS, ApisCP and Blesta in the coming weeks.
The vulnerability has been present since cPanel 11.40, which was released over a decade ago. It is, however, surprising that it managed to make it this far without being discovered.
apologies for the modded quote
I found malware files in most of my cPanel accounts today. I have removed all infected files and updated cPanel/WHM to the latest version.
This is a very serious security concern in the history of cPanel/WHM!
only ai i asked for was in games and/or bots
This one looks serious. Has anyone here already patched production servers?
Given patches have been out for a while, I certainly hope so... otherwise those servers are likely hosed by now.
Does RackNerd have any plans to offer non-cPanel choices in shared hosting (Black Friday or otherwise)?
Another one:
We are writing to let you know that a cPanel & WHM security patch is expected to be released on Wednesday, May 13, 2026 at 1:00pm EST.
This release addresses multiple vulnerabilities across versions of cPanel & WHM, including fixes for the following vulnerabilities rated up to High severity.
CVE-2026-29205
CVE-2026-29206
CVE-2026-32991
CVE-2026-32992
CVE-2026-32993
All vulnerabilities were either responsibly disclosed by external researchers or identified internally by our security team. At this time, there are no known exploits or proof-of-concept code in the wild. To help protect customers prior to patch availability, technical details about vulnerabilities will be released alongside the patches.
Patch & Affected Versions
The patch will be available on May 13 at 1:00pm EST and will be distributed through the standard cPanel automatic update process and through the manual update process. We strongly recommend performing a manual update once the patch is made available.
Versions Impacted:
86, 94, 102, 110, 110 CL6, 118, 124, 126, 130, 132, 134, 136, 136 (WP2)
Prepare Now
Identify affected servers. Review your servers on the affected versions above.
Check the update configuration. For servers where automatic updates are disabled or version-pinned, review /etc/cpupdate.conf now so there are no delays when the patch lands.
Brief your team. If your environment requires a maintenance window, notify the relevant people so they are ready to act.
Manual update. To update impacted servers before an automatic update is triggered, run /scripts/upcp once the patch is made available.
Note for CloudLinux 6 users. Before manually updating, set the update tier to the cl6110 branch
Watch for a follow-up email with exact patched versions and a link to all technical details in the support article.
The industry is seeing a sustained rise in discovered vulnerabilities, and AI is accelerating the pace at which they are found and exploited. We are responding by strengthening how we identify, validate, and act on security reports. You will hear from us more frequently as our processes evolve. This is intentional. We believe clear, timely communication is part of how we keep you protected.
We will follow up the moment the patch is live with full details and remediation steps.
Please reach out to your account manager or our support team, if you have any questions or need further guidance.
Thank you for your continued partnership.
Best regards,
Your cPanel Security Team
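
Added example, not part of the thread or of cPanel's notice: a small triage script for the "Prepare Now" steps quoted above, flagging servers whose automatic updates are off or version-pinned and whose major version is on the impacted list. The `UPDATES` and `CPANEL` key names, the pin format and the version-string layout are assumptions about `/etc/cpupdate.conf` and `/usr/local/cpanel/version`; the sample input is constructed.

```shell
#!/bin/sh
# Major versions listed as impacted in the notice (WP2 / CL6 variants share the major).
AFFECTED="86 94 102 110 118 124 126 130 132 134 136"

# conf_value KEY FILE: print the value of the last KEY=... line in FILE.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" \
        | tail -n 1 | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]'
}

# update_posture FILE: classify how this server will receive the patch.
# Assumed keys: UPDATES (daily|manual|never), CPANEL (tier name or numeric pin).
update_posture() {
    updates=$(conf_value UPDATES "$1")
    tier=$(conf_value CPANEL "$1")
    case "$updates" in
        daily) ;;
        *) echo "auto-updates-off"; return 0 ;;   # manual, never, or unset
    esac
    case "$tier" in
        [0-9]*) echo "version-pinned" ;;          # e.g. CPANEL=11.110
        *)      echo "automatic" ;;               # named tier such as release
    esac
}

# major_of VERSION: 11.110.0.50 -> 110, 110.0.50 -> 110.
major_of() {
    echo "$1" | awk -F. '{ if (NF >= 4) print $2; else print $1 }'
}

# is_affected VERSION: succeed if the major version is on the impacted list.
is_affected() {
    m=$(major_of "$1")
    for v in $AFFECTED; do
        [ "$v" = "$m" ] && return 0
    done
    return 1
}

# Constructed sample input (not taken from a real server).
SAMPLE=$(mktemp)
printf 'CPANEL=11.110\nRPMUP=daily\nUPDATES=manual\n' > "$SAMPLE"
echo "posture: $(update_posture "$SAMPLE")"
is_affected "11.110.0.50" && echo "11.110.0.50: impacted major, run /scripts/upcp once the patch is out"
# On a real server: update_posture /etc/cpupdate.conf
#                   is_affected "$(cat /usr/local/cpanel/version)"
```

Any result other than `automatic` on an impacted version means the patch will not arrive on its own and a manual update is needed.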