Full Report
A critical vulnerability affecting all but the latest versions of cPanel and the WebHost Manager (WHM) dashboard could be exploited to obtain access to the control panel without authentication. [...]
Analysis Summary
# Vulnerability: cPanel and WHM Critical Authentication Bypass
## CVE Details
- **CVE ID:** Not yet assigned (Pending Tracking ID)
- **CVSS Score:** 10.0 (Critical - Estimated based on impact)
- **CWE:** CWE-287 (Improper Authentication)
## Affected Systems
- **Products:** cPanel & WebHost Manager (WHM)
- **Versions:** All versions prior to the patched releases (11.110.x through 11.134.x)
- **Configurations:** Systems running any currently supported or unsupported version of cPanel/WHM with exposed management ports (typically 2083, 2087).
## Vulnerability Description
The flaw is a critical authentication bypass vulnerability that allows an unauthenticated remote attacker to gain administrative access to the cPanel and WHM control panels. While granular technical details have not been released by the vendor to prevent widespread exploitation, the flaw is described as a "login exploit." It bypasses the standard credential verification process, granting the attacker the same privileges as the account owner or server administrator.
## Exploitation
- **Status:** Vulnerability confirmed; high potential for exploitation given the emergency nature of the vendor's bulletin and proactive port blocking by major hosting providers (e.g., Namecheap).
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** Total (Full access to website files, databases, emails, and server configuration).
- **Integrity:** Total (Ability to modify websites, plant web shells/backdoors, and alter server-level settings).
- **Availability:** Total (Ability to delete accounts, shut down services, or lock out legitimate administrators).
## Remediation
### Patches
The vendor has released emergency updates. Administrators must upgrade to at least one of the following versions:
- 11.110.0.97
- 11.118.0.63
- 11.126.0.54
- 11.132.0.29
- 11.134.0.20
- 11.136.0.5
To force the update, execute the following command via CLI:
`/scripts/upcp --force`
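To confirm that a host is at or above the fixed build for its release branch, the following added example (not from the vendor or the original report) classifies a four-part version string against the list above. The `/usr/local/cpanel/version` path, the `CPANEL_VERSION_FILE` override and the function name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify a cPanel & WHM version against the minimum patched
# build for its release branch, using only the versions listed in this report.

# Minimum fixed builds from the list above, one per release branch.
PATCHED_BUILDS="11.110.0.97 11.118.0.63 11.126.0.54 11.132.0.29 11.134.0.20 11.136.0.5"

# Prints one of: patched | vulnerable | unlisted | invalid
#   unlisted = branch not in the list above; check the vendor advisory by hand.
cpanel_patch_status() {
    version=$1
    # Accept only digits and dots, with no empty fields.
    case $version in
        ''|*[!0-9.]*|.*|*.|*..*) echo invalid; return 0 ;;
    esac
    old_ifs=$IFS
    IFS=.; set -- $version; IFS=$old_ifs
    [ $# -eq 4 ] || { echo invalid; return 0; }
    v1=$1 v2=$2 v3=$3 v4=$4

    for fixed in $PATCHED_BUILDS; do
        IFS=.; set -- $fixed; IFS=$old_ifs
        # Same branch when the first two fields match (for example 11.110).
        { [ "$v1" -eq "$1" ] && [ "$v2" -eq "$2" ]; } || continue
        # Within a branch, compare the third field, then the build number.
        if [ "$v3" -gt "$3" ] || { [ "$v3" -eq "$3" ] && [ "$v4" -ge "$4" ]; }; then
            echo patched
        else
            echo vulnerable
        fi
        return 0
    done
    echo unlisted
}

# Assumption: the installed version is stored in this file in four-part form.
version_file=${CPANEL_VERSION_FILE:-/usr/local/cpanel/version}
if [ -r "$version_file" ]; then
    installed=$(tr -d '[:space:]' < "$version_file")
    echo "$installed: $(cpanel_patch_status "$installed")"
fi
```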
### Workarounds
- **Port Blocking:** Temporarily block external access to ports **2083** (cPanel) and **2087** (WHM) via firewall/ACLs until the patch is applied.
- **IP Whitelisting:** Restrict access to the management dashboard to known, trusted IP addresses only.
## Detection
- **Indicators of Compromise:** Monitor for unusual logins in cPanel/WHM access logs from unrecognized IP addresses, especially those bypassing traditional MFA or password prompts. Check for unauthorized new administrator accounts or unexpected file modifications in web roots.
- **Detection methods and tools:** Audit `/usr/local/cpanel/logs/login_log` and `/usr/local/cpanel/logs/access_log` for anomalies.
## References
- **Vendor Advisory:** hxxps[://]support[.]cpanel[.]net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026
- **Namecheap Status Update:** hxxps[://]www[.]namecheap[.]com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026/
- **Original News Source:** hxxps[://]www[.]bleepingcomputer[.]com/news/security/cpanel-whm-emergency-update-fixes-critical-auth-bypass-bug/