Emergency Patch Released
cPanel has issued an emergency out-of-band security update addressing a critical authentication bypass vulnerability affecting all versions of the cPanel and WebHost Manager (WHM) control panel prior to the latest release. The flaw could be exploited by unauthenticated remote attackers to gain unauthorized access to the web hosting control panel — one of the most widely deployed hosting management platforms globally.
The vulnerability is rated critical due to its low attack complexity and the complete loss of access control it enables. Because cPanel and WHM power millions of shared hosting environments, the blast radius of exploitation is significant.
What Is cPanel & WHM?
cPanel is the industry-standard web hosting control panel used by hosting providers worldwide to manage websites, email accounts, databases, DNS, and server configurations. WHM (WebHost Manager) is the reseller and server administrator interface layered on top.
Hosting providers, web agencies, and enterprises running self-managed hosting infrastructure rely heavily on these tools, making critical flaws in cPanel a high-priority target for attackers seeking to compromise large numbers of websites and customer accounts in a single operation.
Vulnerability Details
The authentication bypass allows an attacker to obtain access to a cPanel or WHM account without presenting valid credentials. The disclosure does not pin down the affected component; given that the bypass works pre-authentication, the most plausible location is the session validation or token verification logic used by cPanel's API or web interface. That is inference from the nature of the disclosure, not a confirmed root cause.
Key characteristics of the vulnerability:
- Authentication requirement: None — the vulnerability is pre-authentication
- Attack complexity: Low — no special conditions, timing, or prior reconnaissance are required beyond the attacker's own control
- Privileges required: None — no prior access needed
- Impact: Full control panel access, including file manager, email, databases, and server configuration
- Affected versions: All versions prior to the emergency patch release
Successful exploitation could give attackers the ability to:
- Access, modify, or delete all website files hosted on the server
- Read sensitive configuration files, database credentials, and email
- Create new administrative accounts for persistent access
- Deploy web shells or malware to hosted websites
- Reconfigure DNS to redirect web traffic or intercept email
Who Is Affected
Any hosting provider or system administrator running an unpatched version of cPanel or WHM is at risk. Given the widespread deployment of these tools — cPanel is reported to run on hundreds of thousands of servers — the potential attack surface is enormous.
Shared hosting environments are at particular risk, as a single compromised WHM instance can expose thousands of customer accounts hosted on the same server.
Remediation
cPanel has released an emergency update and strongly urges all users to apply it immediately:
- Update cPanel/WHM to the latest version via the WHM update interface or by running /scripts/upcp on the server, then confirm that the installed version is at or past the fixed build named in the advisory
- Review access and login logs for suspicious authentication attempts or anomalous session activity from the period before the patch was applied; because the bypass is pre-authentication, a successful patch says nothing about whether the host was already entered
- Audit user accounts — check for any newly created accounts that were not authorized
- Enable two-factor authentication (2FA) on all administrative accounts as a defense-in-depth measure; it is not a substitute for the patch, since a flaw that skips the authentication step may skip the second factor with it
- Restrict WHM access by IP address if remote access is not needed from all locations (WHM's Host Access Control can enforce this for the whostmgrd service)
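The remediation steps above, gathered into one post-advisory script, as an added example that is not cPanel's own tooling. The paths under /usr/local/cpanel, /scripts and /var/cpanel are cPanel's standard locations; FIXED_VERSION is a placeholder to be replaced with the build named in the advisory; the login_log line layout parsed here and the sample lines themselves are constructed, so check the field positions against a real /usr/local/cpanel/logs/login_log before relying on the counts. Run with no arguments to exercise the parsers on the constructed sample, or with --run on a host to perform the real checks.

```shell
#!/bin/sh
# Added example (not cPanel's own tooling): post-advisory checks for a cPanel/WHM host.

# Placeholder for the first fixed build from the advisory; this value is NOT a real version.
FIXED_VERSION="${FIXED_VERSION:-11.999.0.0}"
ADMIN_IPS="${ADMIN_IPS:-/root/known-admin-ips.txt}"   # hypothetical allowlist, one IP per line
BASELINE="${BASELINE:-/root/last-account-audit}"       # hypothetical file touched at the last audit

# Exit 0 when dotted version $1 is at least $2 (11.110.0.5 >= 11.110.0 is true).
version_ge() {
    v1=$1; v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}; b=${v2%%.*}
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
        [ "${a:-0}" -gt "${b:-0}" ] && return 0
        [ "${a:-0}" -lt "${b:-0}" ] && return 1
    done
    return 0
}

# Installed version from the file cPanel maintains, falling back to the cpanel binary.
installed_version() {
    if [ -r /usr/local/cpanel/version ]; then cat /usr/local/cpanel/version
    else /usr/local/cpanel/cpanel -V | awk '{print $1}'; fi
}

# Assumed login_log layout: "[date time tz] level [daemon] IP - user ..." -> IP is field 6.
# FAILED LOGIN lines counted per source IP, most frequent first.
failed_logins_by_ip() {
    awk '/FAILED LOGIN/ { n[$6]++ } END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# IPs that obtained a session (NEW ... SESSION) and are not in the allowlist file $2.
# For an auth bypass this is the interesting signal: access without a matching failure trail.
unknown_session_ips() {
    awk '/NEW .* SESSION/ { print $6 }' "$1" | sort -u | grep -v -x -F -f "$2" || true
}

# Account files under $1 (normally /var/cpanel/users) modified after reference file $2.
accounts_newer_than() {
    find "$1" -type f -newer "$2" -exec basename {} \; | sort
}

# hosts.allow rules in the form cPanel's Host Access Control uses: WHM only from $1.
whm_host_access_rules() {
    printf 'whostmgrd : %s : allow\nwhostmgrd : ALL : deny\n' "$1"
}

# Constructed sample log lines (not captured from a real host).
sample_login_log() {
    cat <<'EOF'
[2024-03-01 10:15:32 +0000] info [whostmgrd] 203.0.113.5 - root "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: user password hash is miss
[2024-03-01 10:15:40 +0000] info [whostmgrd] 203.0.113.5 - root "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: user password hash is miss
[2024-03-01 10:16:02 +0000] info [whostmgrd] 198.51.100.7 - root "POST /login/?login_only=1 HTTP/1.1" NEW root:abc123 SESSION
[2024-03-01 10:19:55 +0000] info [cpaneld] 192.0.2.33 - alice "POST /login/ HTTP/1.1" FAILED LOGIN cpaneld: user password hash is miss
[2024-03-01 10:20:10 +0000] info [cpaneld] 192.0.2.33 - alice "POST /login/ HTTP/1.1" NEW alice:def456 SESSION
EOF
}

# Real checks on a host (requires root and a populated FIXED_VERSION).
main() {
    ver=$(installed_version)
    if version_ge "$ver" "$FIXED_VERSION"; then
        echo "cPanel $ver is at or past fixed build $FIXED_VERSION"
    else
        echo "cPanel $ver predates the fix; forcing an update run"
        /scripts/upcp --force
    fi
    echo "Failed logins by IP:"; failed_logins_by_ip /usr/local/cpanel/logs/login_log
    echo "Sessions from IPs not in $ADMIN_IPS:"; unknown_session_ips /usr/local/cpanel/logs/login_log "$ADMIN_IPS"
    echo "Account files modified since $BASELINE:"; accounts_newer_than /var/cpanel/users "$BASELINE"
}

# Offline demonstration on the constructed sample.
demo() {
    t=$(mktemp -d)
    sample_login_log > "$t/login_log"
    printf '198.51.100.7\n' > "$t/admins"
    echo "Failed logins by IP:"; failed_logins_by_ip "$t/login_log"
    echo "Sessions from unlisted IPs:"; unknown_session_ips "$t/login_log" "$t/admins"
    whm_host_access_rules "198.51.100.7"
    rm -rf "$t"
}

case "${1:-}" in --run) main ;; "") demo ;; esac
```

The allowlist comparison is what turns a log review into something actionable: a successful WHM session from an address no administrator uses is worth a closer look whether or not the patch is already installed.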