Skip to main content
CybersecurityVulnerability Management

cPanel Rushes Emergency Update to Fix Auth Bypass Bug

Rows of computer servers and networking equipment in a web hosting facility, with a single server terminal screen blank and…

"We regret to inform you that a critical security vulnerability has been identified in cPanel software affecting all currently supported versions," Namecheap said.

Namecheap's temporary port blocks and public alert

Namecheap reacted to the discovery by temporarily blocking access to ports 2083 and 2087, the ports used by cPanel and WHM respectively, to protect customers while patches were issued. The provider described the flaw as an "authentication login exploit that could allow unauthorized access to the control panel." Namecheap also noted the issue has not received an official identifier and did not attribute the discovery to any party.

cPanel and WHM patched versions and the emergency update command

Hours after Namecheap's notice, cPanel published a security bulletin saying the vulnerability had been addressed in specific product releases. The patched versions listed by cPanel are:

  • 11.110.0.97
  • 11.118.0.63
  • 11.126.0.54
  • 11.132.0.29
  • 11.136.0.5
  • 11.134.0.20

To install a safe version, the vendor recommends that administrators execute the command /scripts/upcp –force, which runs the cPanel update process and forces it to execute even if the system believes it already runs the latest version. cPanel also warned that servers running unsupported versions are ineligible for security updates and recommended upgrading to a supported version as soon as possible.

What an attacker with control of cPanel or WHM can do

The bulletin makes explicit why the issue is high risk. An attacker who gains access to a cPanel account can control everything within that hosting account, including websites, data, and email. The vendor lists specific malicious actions an intruder could take:

  • Plant backdoors or web shells;
  • Redirect users to malicious locations;
  • Steal sensitive files;
  • Send spam or phishing emails;
  • Collect passwords from configuration files.

Access to WHM carries still greater consequences because WHM "provides access to the entire server and all the websites it hosts." With WHM access, a threat actor could create and delete cPanel accounts, establish persistent access on the machine, and use the server for proxying traffic, spam, malware delivery, or as part of a botnet.

How hosting providers, website owners, and administrators are affected

Hosting providers: Namecheap’s decision to block ports 2083 and 2087 illustrates the tradeoff providers face between availability and containment when a widespread control-panel vulnerability appears. Providers that expose cPanel/WHM to customers must weigh temporary service restrictions against the risk of mass account compromise.

Website owners and administrators: Anyone relying on cPanel or WHM for site, mail, or database management needs to verify they are running one of the patched versions or upgrade to a supported release. The vendor's recommended command, /scripts/upcp –force, is intended to push the emergency fixes to affected systems.

Security operators and incident responders: Because no technical details have been publicly disclosed and the discovery has not been attributed, teams will need to assume active or near-term exploitation is possible and prioritize verification of patch levels across hosting fleets and customer-facing systems.

Immediate steps and open questions

The practical steps are straightforward and urgent: confirm the cPanel/WHM version in use; if it is not one of the patched releases, run the vendor-recommended update process (/scripts/upcp –force) or upgrade to a supported version that receives security updates. Servers on unsupported cPanel releases were explicitly warned to upgrade because they are ineligible for the emergency fixes.

Two facts remain salient and unanswered in the published notices: cPanel has not released technical details of the vulnerability, and the discovery has not been publicly attributed or assigned a tracking identifier. Those absences shape the remaining risk calculus: without a public technical description or tracking ID, defenders must treat the flaw as exploitable and prioritize patching accordingly.

For administrators and providers, the clock is the relevant metric: the combination of a critical authentication bypass, temporary port blocks by a major hoster, and emergency-only patches creates a narrow window in which unpatched systems are exposed. Confirm patch levels now; if you cannot, isolate or restrict access to management ports until you can.

Original story: cPanel, WHM emergency update fixes critical auth bypass bug — BleepingComputer