cPanel has published security patches that address a vulnerability in multiple control panel authentication paths that, if exploited, could allow an attacker to take control of the server management software. The corrected versions are 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.136.0.5 and 11.134.0.20, and the company warns that all currently supported releases are at risk until the update is applied.
For the time being, cPanel has not disclosed technical details of the flaw, a practice often followed until most servers have the patch, in order to reduce the risk of mass exploitation. This lack of technical information increases the urgency for administrators: when the exact vector is not known, the only reliable mitigation is to update as soon as possible and limit access to management interfaces.

The hosting provider Namecheap confirmed that the problem is related to a login exploit that could allow unauthorized access to cPanel and WHM, and as a temporary measure blocked traffic to TCP ports 2083 and 2087 (HTTPS for cPanel and WHM). Namecheap further explained that it applied the fix to its Reseller and Stellar Business servers and is deploying the patch across the rest of its infrastructure; until the patch is installed, the port blocks can restrict customers' access to their control panels. For more information on cPanel practices, see the official documentation at https://docs.cpanel.net; to check status or report a problem with the provider, see Namecheap's support pages at https://www.namecheap.com/support/knowledge/.
What is the real risk and why it should matter to you: cPanel is the management interface for millions of websites; an authentication compromise can result in access to hosting accounts, DNS modifications, malware injection on websites, theft of certificates and credentials, or deployment of cryptominers and backdoors that spread between accounts on shared servers. For sites or companies that depend on shared or reseller hosting, the risk is especially high because a compromised server can affect multiple customers.
What administrators should do immediately: first, check the cPanel/WHM version running on the server and apply the official patch as soon as possible; the secure versions are listed above. If your provider has not yet applied the patch and lets you configure it, limit access to the administration ports (2082/2083/2086/2087) with a firewall or allowlists, and consider blocking them until the fix is confirmed. Enable or verify additional protection mechanisms such as cPHulk (brute force protection) and two-factor authentication on administrative accounts; the cPanel 2FA guide is a useful reference at https://docs.cpanel.net/knowledge. It is also recommended to rotate administrative credentials and API keys, and to force password changes if there was any sign of unusual access.
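The version check described above can be scripted. The following is an added example, not cPanel's or Namecheap's code: it compares a build string numerically against the patched builds listed in this article, and it assumes the installed build is recorded in /usr/local/cpanel/version (the function names are illustrative).

```python
#!/usr/bin/env python3
"""Check a cPanel/WHM build against the patched builds listed in the article."""
from pathlib import Path

# Patched builds from the article, keyed by release branch (first two fields).
PATCHED = {
    (11, 110): (11, 110, 0, 97),
    (11, 118): (11, 118, 0, 63),
    (11, 126): (11, 126, 0, 54),
    (11, 132): (11, 132, 0, 29),
    (11, 134): (11, 134, 0, 20),
    (11, 136): (11, 136, 0, 5),
}

def parse_version(text):
    """Turn '11.126.0.54' into (11, 126, 0, 54); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(p) for p in parts)

def assess(version_text):
    """Return 'patched', 'vulnerable' or 'unknown-branch' for one build."""
    version = parse_version(version_text)
    fixed = PATCHED.get(version[:2])
    if fixed is None:
        # Branch not in the article's list: verify it manually.
        return "unknown-branch"
    # Tuple comparison is numeric, so build 100 correctly sorts after build 97.
    return "patched" if version >= fixed else "vulnerable"

def assess_file(path="/usr/local/cpanel/version"):
    """Assumption: the installed build string is stored in this file."""
    return assess(Path(path).read_text())

if __name__ == "__main__":
    # Constructed sample builds, not taken from real servers.
    for sample in ("11.126.0.53", "11.126.0.54", "11.110.0.100", "11.120.0.11"):
        print(sample, assess(sample))
```

On a server, call `assess_file()` instead of the sample loop; an `unknown-branch` result means the branch is not among the patched versions listed here and should be checked against cPanel's own announcement.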

How to detect a possible intrusion: review the system authentication log (e.g. /var/log/auth.log on Debian/Ubuntu or /var/log/secure on CentOS/RHEL) and the cPanel/WHM logs on the server, looking for logins from unknown IPs or at atypical times. Check for recently created accounts, changes to users and permissions, modifications to critical files (such as site configuration files or crontabs), and unusual persistent processes. If a compromise is suspected, take a forensic capture of the disks and memory before making drastic changes, and consider restoring from full backups if integrity is compromised.
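As an added illustration of the log review described above (not part of the original article), the sketch below flags successful sshd logins in auth.log or secure style lines that come from outside trusted networks or outside working hours. The trusted network, the hour window and the sample lines are all constructed assumptions; adjust the pattern if your syslog uses ISO timestamps.

```python
import ipaddress
import re

# Assumptions for this sketch: where admins normally log in from, and when.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
WORK_HOURS = range(7, 20)  # 07:00-19:59, server local time

# Constructed sample lines in the traditional sshd syslog format.
SAMPLE_LOG = """\
Mar  3 10:02:11 host1 sshd[2211]: Accepted publickey for admin from 192.0.2.15 port 50122 ssh2
Mar  3 02:14:07 host1 sshd[2290]: Accepted password for root from 203.0.113.77 port 41022 ssh2
Mar  3 02:15:40 host1 sshd[2301]: Failed password for root from 203.0.113.77 port 41030 ssh2
Mar  3 23:48:55 host1 sshd[2410]: Accepted publickey for admin from 192.0.2.15 port 50410 ssh2
"""

# Only successful logins are matched; failed attempts are ignored here.
ACCEPTED = re.compile(
    r"^\w{3}\s+\d+\s+(?P<hour>\d{2}):\d{2}:\d{2}\s+\S+\s+sshd\[\d+\]:\s+"
    r"Accepted\s+(?P<method>\S+)\s+for\s+(?P<user>\S+)\s+from\s+(?P<ip>\S+)\s+port"
)

def suspicious_logins(log_text):
    """Return (user, ip, reasons) for each successful login worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = ACCEPTED.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # source is a hostname or malformed; review such lines by hand
        reasons = []
        if not any(ip in net for net in TRUSTED_NETS):
            reasons.append("unknown-ip")
        if int(m["hour"]) not in WORK_HOURS:
            reasons.append("off-hours")
        if reasons:
            findings.append((m["user"], str(ip), reasons))
    return findings

if __name__ == "__main__":
    for user, ip, reasons in suspicious_logins(SAMPLE_LOG):
        print(f"{user} from {ip}: {', '.join(reasons)}")
```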
Communication and mitigation at the provider level: hosting administrators should quickly inform their customers about the actions taken and, if applicable, coordinate the temporary blocking of administration ports or the maintenance window scheduled to apply the patch. Keep an eye on public cPanel updates and the possible assignment of a CVE identifier in the next few days, and monitor vulnerability lists and official bulletins (e.g., at https://cve.mitre.org or the cPanel security pages).
In short, updating cPanel/WHM to the corrected versions is the priority action, followed by restricting access to administrative interfaces, strengthening multifactor authentication, rotating credentials and forensic analysis of logs to detect abnormal activity. Coordination with the hosting provider and transparency with users complete a responsible response to an authentication vulnerability that, by its nature, can have a high impact on shared hosting environments.