May 4, 2026
By esentry Team

cPanel Authentication Bypass Zero-Day

Severity: Critical

CVSS Score: 9.8 (Critical)

Status: Actively Exploited Zero-Day

Affected Platforms: cPanel & WebHost Manager (All supported versions prior to patched releases)

Overview

A critical authentication bypass zero-day vulnerability affecting cPanel and WebHost Manager (WHM) has been confirmed under active exploitation in the wild. The flaw enables unauthenticated remote attackers to bypass login controls and obtain administrative access to hosting servers without valid credentials.

Evidence indicates adversaries exploited the vulnerability before public disclosure and patch availability, significantly increasing exposure across hosting environments worldwide.

Because cPanel acts as the centralized management layer for websites, email infrastructure, databases, and user accounts, successful exploitation can lead to complete server compromise.

Technical Details

The vulnerability exists within multiple authentication paths used during login session handling. Improper validation allows attackers to circumvent authentication mechanisms entirely.

Affected versions include:

  • cPanel/WHM 11.110.0 → fixed in 11.110.0.97
  • cPanel/WHM 11.118.0 → fixed in 11.118.0.63
  • cPanel/WHM 11.126.0 → fixed in 11.126.0.54
  • cPanel/WHM 11.132.0 → fixed in 11.132.0.29
  • cPanel/WHM 11.134.0 → fixed in 11.134.0.20
  • cPanel/WHM 11.136.0 → fixed in 11.136.0.5
  • WP Squared 11.136.1 → fixed in 11.136.1.7
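
A version check built from the list above, as an added example that is not part of the original advisory or cPanel's own tooling: it classifies each host's four-part version string against the fixed builds. The hostnames and inventory are constructed, and collecting the version string from each host (for example from /usr/local/cpanel/version) is an assumption.

```shell
# Branch -> first fixed build, copied from the "Affected versions" list.
fixed_build() {
  case "$1" in
    11.110.0) echo 97 ;;
    11.118.0) echo 63 ;;
    11.126.0) echo 54 ;;
    11.132.0) echo 29 ;;
    11.134.0) echo 20 ;;
    11.136.0) echo 5 ;;
    11.136.1) echo 7 ;;   # WP Squared
    *) return 1 ;;        # branch not named in the advisory
  esac
}

# Prints PATCHED, VULNERABLE, UNLISTED or INVALID for one version string.
classify_version() {
  case "$1" in            # digits and single dots only
    ''|*[!0-9.]*|.*|*.|*..*) echo INVALID; return 0 ;;
  esac
  cv_branch=${1%.*}; cv_build=${1##*.}   # e.g. 11.126.0 and 54
  case "$cv_branch" in    # branch must have exactly three components
    *.*.*.*) echo INVALID; return 0 ;;
    *.*.*) ;;
    *) echo INVALID; return 0 ;;
  esac
  if ! cv_fixed=$(fixed_build "$cv_branch"); then
    echo UNLISTED
  elif [ "$cv_build" -ge "$cv_fixed" ]; then
    echo PATCHED
  else
    echo VULNERABLE
  fi
}

# Reads "host version" lines on stdin and prints one status line per host.
triage_inventory() {
  while read -r ti_host ti_ver; do
    [ -n "$ti_host" ] || continue
    printf '%-20s %-13s %s\n' "$ti_host" "$ti_ver" "$(classify_version "$ti_ver")"
  done
}

# Constructed sample inventory: hostnames and installed versions are made up.
triage_inventory <<'EOF'
web01.example.test 11.110.0.96
web02.example.test 11.126.0.54
wp01.example.test 11.136.1.3
old01.example.test 11.102.0.31
EOF
```

Treat UNLISTED and INVALID as needing manual review rather than as safe, since the list above names only the branches that have a fixed build.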

Why It Matters

cPanel manages nearly every operational component of hosted infrastructure. Once compromised, attackers may obtain:

  • WHM root-level server control
  • Access to all hosted websites
  • Email account takeover
  • Database access
  • Malware deployment capability
  • Persistence mechanisms
  • Use of servers for lateral attacks or botnet activity

This transforms a single exposed management interface into an organization-wide compromise point.

Indicators of Potential Compromise

Organizations should watch for:

  • Unexpected WHM administrator sessions
  • New admin accounts created without approval
  • Unauthorized changes to hosting accounts
  • Unknown cron jobs or scheduled tasks
  • Suspicious outbound traffic from hosting servers
  • Modified authentication or session logs
  • Sudden website redirects or injected scripts

Attack Surface Exposure

High-risk environments include:

  • Public-facing hosting servers
  • Managed hosting providers
  • Shared hosting infrastructures
  • Organizations self-hosting email or web services via cPanel

Because exploitation requires no credentials, internet exposure alone is sufficient risk.

Recommendations

Organizations should treat this event as a control-plane security incident, not merely a software bug, and carry out the following:

  • Remove management panels from public internet exposure
  • Implement Zero Trust administrative access
  • Deploy attack surface management monitoring
  • Enforce centralized logging to SIEM
  • Conduct continuous external asset discovery
  • Segment hosting infrastructure from internal networks

Immediate remediation and proactive threat hunting are strongly advised.