Action Required: Critical cPanel Security Vulnerability

Jade @ Absolute Hosting

Please be advised of a newly disclosed critical security vulnerability in cPanel/WHM authentication.

cPanel has published details here:

https://support.cpanel.net/hc/en-us/articles/40073787579671-Critical-Vulnerability-with-cPanel-WHM-Login-Authentication


What this means
This vulnerability may allow unauthorized access attempts against the cPanel/WHM login services.

Recommended immediate action
To reduce risk, we recommend temporarily restricting public access to cPanel/WHM services until you have patched cPanel.
This typically involves blocking external access to the following ports: 2082 / 2083 (cPanel), 2086 / 2087 (WHM), 2095 / 2096 (Webmail).

Update cPanel as per below
/scripts/upcp --force

cPanel have released the following patch versions

  • 11.110.0.97
  • 11.118.0.63
  • 11.126.0.54
  • 11.132.0.29
  • 11.136.0.5
  • 11.134.0.20
Thanks to our partners at Axxess for the early heads-up regarding this vulnerability.
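
As an added example (not part of the original post, and not cPanel's or Absolute Hosting's own tooling), this shell function classifies a cPanel version string against the patched builds listed above. It assumes the installed version can be read from /usr/local/cpanel/version on a standard install, and that a build number at or above the listed one in the same branch includes the fix.

```sh
#!/bin/sh
# Added example, not from the thread: classify a cPanel version string
# against the patched builds listed in the post above.

# Patched build per release branch, copied from the post.
PATCHED_BUILDS="11.110.0.97 11.118.0.63 11.126.0.54 11.132.0.29 11.134.0.20 11.136.0.5"

# check_cpanel_version VERSION
# Prints: patched | vulnerable | unknown-branch | unparseable
# Returns 0 only for "patched", so it can gate a maintenance script.
check_cpanel_version() {
    ver=$1
    case "$ver" in
        ''|*[!0-9.]*|.*|*.|*..*) echo "unparseable"; return 1 ;;
    esac
    # Split 11.<branch>.<minor>.<build> on dots.
    old_ifs=$IFS; IFS=.
    set -- $ver
    IFS=$old_ifs
    if [ "$#" -ne 4 ]; then echo "unparseable"; return 1; fi
    branch="$1.$2.$3"; build=$4
    for p in $PATCHED_BUILDS; do
        if [ "${p%.*}" = "$branch" ]; then
            # Same branch: compare only the trailing build number.
            if [ "$build" -ge "${p##*.}" ]; then
                echo "patched"; return 0
            fi
            echo "vulnerable"; return 1
        fi
    done
    # Branch not in the post's list: the post gives no fixed build for it,
    # so treat the host as unverified rather than safe.
    echo "unknown-branch"; return 1
}

# On a cPanel host, report the installed version's status.
# The file path is an assumption about a standard install.
if [ -r /usr/local/cpanel/version ]; then
    installed=$(cat /usr/local/cpanel/version)
    status=$(check_cpanel_version "$installed") || true
    echo "cPanel $installed: $status"
fi
```

Anything other than "patched" means the login ports should stay restricted until the update has run and the check passes.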
 
@Went_For_Beer we have already patched our own shared servers, and clients who have VPS servers that are self-managed would need to patch their own, as we have no access to clients' VPS servers.

Edit: see the update on this thread advising that patching on our shared servers was completed.

 
More information can be found below. A CVE rating of 9.8 has been assigned to this, so patch your servers if not done already.

CVE-2026-41940
 
It was only a matter of time; this exploit has been used to deploy a ransomware payload.

"Numerous sources told BleepingComputer that hackers have been exploiting the cPanel flaw since Thursday to breach servers and deploy a Go-based Linux encryptor for the "Sorry" ransomware. BleepingComputer was told that the ransomware uses the ChaCha20 stream cipher to encrypt files, with the encryption key protected using an embedded RSA-2048 public key."

https://www.bleepingcomputer.com/ne...w-mass-exploited-in-sorry-ransomware-attacks/
 

Yeah, since it has been made public, cPanel servers have been under attack.
 
Yes, don't forget about the other one also:

"A new local privilege escalation vulnerability named CopyFail CVE-2026-31431 was recently disclosed. It affects almost all of the systems and allows local user to get root access on the system. The Linux distribution maintainers are busy with releasing hot-fixes."

Having KernelCare is not good enough. So run yum update -y and reboot all servers as well, just to be extra safe.
 
That has already been posted

 