Resolved cPanel Zero Day Exploit - Network wide protections in place for cPanel and WHM logins/ports

KH-JonathanKW

Billing & Sales Manager
Staff member
IMPORTANT – Please read immediately

cPanel announced that a zero-day authentication/privilege escalation bug that affects almost all known (both EoL and supported) cPanel versions was discovered a short while ago and successful exploits have been seen in the wild.

At this time, a limited scope of information is available about the bug and the cPanel team is actively working on a patch. cPanel's official article can be found at https://support.cpanel.net/hc/en-us...rability-with-cPanel-WHM-Login-Authentication

Due to the potential nature of this issue and out of an abundance of caution, we’ve begun blocking WHM/cPanel login ports across the KnownHost network (including ports 2082, 2083, 2086, and 2087). The blocks cannot be removed/modified per server/customer and will be removed once suitable patches have been released or cPanel has more information available.

We realize that this type of immediate change affects customer access, but want to ensure that all servers remain safe while cPanel investigates further as necessary.
 
UPDATE

This exploit has been expanded to cover cPanel webmail ports 2095/2096.

These are now currently blocked at the network level.

EDIT: This includes webdisk ports 2077 and 2078
 
UPDATE:
Our team continues to work directly with cPanel on the release of a security patch. As soon as one is available, we will begin updating servers. Network blocks for cPanel, WHM, Webmail, and Webdisk ports remain in place at this time.

Thank you for your continued patience.
 
UPDATE:

Patches have been released by cPanel to address the issue. We are in the process of rolling out these updates to all managed customers. If you are an unmanaged customer running cPanel then you'll want to SSH into your system and execute /scripts/upcp to pull the latest version.

We anticipate this process is going to take much of the afternoon and into the night as thousands of machines need to receive the patches before we can open the network up.

We will continue to post regular updates as we have them.
 
One of my machines at another host is working fine with cPanel. How soon will this work, as right now I am in the middle of a transition where lots of websites were moved to my new cPanel servers?
 
UPDATE:

We have pushed out patches to the majority of our network to mitigate the exploit. As such we've restored access to the cPanel ports that were previously blocked.

Our team will continue to work to mitigate any edge case systems remaining on our network. We do appreciate everyone's patience and understanding.
 
Thanks a lot!

I would like to take this opportunity to express my sincere and deep appreciation for the exceptional support and service your team has consistently provided. In an industry where reliability, responsiveness, and technical competence are critical, your organization has demonstrated all three with remarkable consistency.

What truly stands out is your proactive approach, prompt response times, and the professionalism with which every query or concern is handled. Whether it is routine assistance or addressing time-sensitive matters, your team has always ensured that solutions are delivered efficiently and with clarity.

Your infrastructure stability, coupled with dependable support, has played a vital role in ensuring smooth and uninterrupted operations on our end for more than a decade. It is reassuring to work with a provider that not only understands the technical requirements but also values long-term relationships and customer trust.

We genuinely value this association and look forward to continuing our collaboration. Please accept our appreciation for your dedication, commitment, and the high standards of service you consistently maintain.
 
I always consider myself to be very honest and dedicated, and I have always tried to offer the best service for the last 26 years, but I believe there is a lot to learn from you.
 
Thank you for the dedicated support of your staff. Having cPanel down was a challenge, although I was able to get my code modifications done using FTP and FileZilla!
 
Since cPanel has indicated that the zero day was seen being exploited "in the wild" does KnownHost have any insights into what evidence a successful exploit might leave behind?

I've checked cpanel access_logs and every access attempt appears to be blocked, but it isn't clear whether a successful exploit would "fail" in the access_logs while still allowing an attacker to exfiltrate data. While I recognize cPanel should not reveal the details of the exploit itself, it seems appropriate that they provide information about how to audit servers for potential compromise.
 
Howdy,

Everything logged in the cPanel access_log and session_log file is accurate. If you have no abnormal root sessions then overall you're fine. Now that patching has all but wrapped up we're re-evaluating all servers and their logs across our network to identify any of them that may have been accessed.

Keep in mind, out of our entire network of thousands of servers, maybe ~30 overall show signs of access attempts, so thankfully, as bad as the exploit is, the scope is fairly small.

Also, at least on our network and the cases I've reviewed, any exploit has amounted to "let me see if this works" and then no other changes/attempts past that. After a thorough review we'll reach out to anyone impacted directly, but again I've seen no signs of any active compromise, injected payload or anything other than confirming access.

It's always good to be vigilant and we're going to continue to do so as well, and should anything drastic change we'll let you know.
 
For servers that are self managed (or we want to run checks for our own peace of mind), it would be helpful to know what common indicators those ~30 servers show, i.e. what should I grep access_log and session_log files for?

Again, this would ideally be information cPanel is providing since they presumably have the broadest sampling size, but I'm not optimistic that will happen.
 

Since other parties have started releasing additional information and a PoC (I won't share it here), here are some sample log lines to look for:


Code:
<IP> - - [04/12/2026:18:21:57 -0000] "GET / HTTP/1.1" 200 0 "-" "python-requests/2.28.1" "-" "-" 2087
<IP> - - [04/12/2026:18:21:57 -0000] "GET /login/ HTTP/1.1" 401 0 "-" "python-requests/2.28.1" "-" "-" 2087
<IP> - root [04/12/2026:18:21:58 -0000] "GET /json-api/loadavg HTTP/1.1" 403 0 "-" "python-requests/2.28.1" "b" "-" 2087
<IP> - root [04/12/2026:18:21:59 -0000] "GET /cpsess4825961039/json-api/myprivs HTTP/1.1" 200 0 "-" "python-requests/2.28.1" "s" "-" 2087
<IP> - root [04/12/2026:18:21:59 -0000] "GET /cpsess4825961039/json-api/version HTTP/1.1" 200 0 "-" "python-requests/2.28.1" "s" "-" 2087
<IP> - root [04/12/2026:18:22:00 -0000] "GET /cpsess4825961039/websocket/Shell?rows=24&cols=200 HTTP/1.1" 200 0 "-" "-" "s" "-" 2087

loadavg gets a 403, myprivs gets a 200, and then obviously the websocket for the root terminal in WHM gets a 200.

If you see those, then you can check your logs for anything else initiated by that IP including sessions etc.
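The check described in the reply above, as an added example (this is not KnownHost's or cPanel's tooling, and it is not part of the original post): a Python script that parses access_log lines in the layout quoted above, flags the unauthenticated loadavg 403, then myprivs 200, then websocket/Shell 200 sequence per source IP, and pulls every line from that IP or carrying one of its cpsess IDs so they can be cross-checked against session_log. The log path, the field layout (the two short quoted fields before the port, "b" and "s" in the post, are matched but not interpreted), and the sample lines are assumptions; the sample uses documentation-range IPs and was constructed for this example.

```python
"""Hunt cPanel's access_log for the WHM zero-day request sequence.
Added example, not KnownHost's or cPanel's own tooling.  Field layout,
log path and sample lines are assumptions based on the post above."""
import re
import sys
from collections import defaultdict

ACCESS_LOG = "/usr/local/cpanel/logs/access_log"  # assumed default path

# ip ident user [timestamp] "request" status bytes "referer" "agent" "x" "y" port
# ("x"/"y" are the short quoted fields shown as "b"/"s"; carried, not interpreted)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)" "[^"]*" "[^"]*" (?P<port>\d+)\s*$'
)
SESSION_RE = re.compile(r'^/(?P<sess>cpsess\d+)(?P<path>/.*)$')

# (name, needs cpsess prefix, path prefix, status, weight), in the post's order.
INDICATORS = [
    ("unauth_loadavg_403",  False, "/json-api/loadavg", "403", 1),
    ("myprivs_200",         True,  "/json-api/myprivs", "200", 2),
    ("websocket_shell_200", True,  "/websocket/Shell",  "200", 4),
]
WEIGHTS = {name: w for name, _, _, _, w in INDICATORS}


def parse_line(line):
    """Parse one access_log line; None if it does not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]   # drop the query string
    rec["sess"] = None
    sm = SESSION_RE.match(rec["path"])
    if sm:                                          # split off /cpsessNNN/
        rec["sess"], rec["path"] = sm.group("sess"), sm.group("path")
    return rec


def classify(rec):
    """Return the indicator name a parsed record matches, or None."""
    for name, needs_sess, prefix, status, _ in INDICATORS:
        if ((rec["sess"] is not None) == needs_sess
                and rec["path"].startswith(prefix)
                and rec["status"] == status):
            return name
    return None


def find_hits(lines):
    """Group indicator hits by source IP: {ip: {score, hits, sessions, users}}."""
    by_ip = defaultdict(lambda: {"hits": [], "sessions": set(), "users": set()})
    for raw in lines:
        rec = parse_line(raw.rstrip("\n"))
        name = classify(rec) if rec else None
        if name is None:
            continue
        e = by_ip[rec["ip"]]
        e["hits"].append((rec["ts"], name, rec["port"], rec["agent"]))
        e["users"].add(rec["user"])
        if rec["sess"]:
            e["sessions"].add(rec["sess"])
    for e in by_ip.values():                        # score distinct stages only
        e["score"] = sum(WEIGHTS[n] for n in {h[1] for h in e["hits"]})
    return dict(by_ip)


def full_chain(entry):
    """True when all three stages of the published sequence were seen."""
    seen = {h[1] for h in entry["hits"]}
    return all(name in seen for name in WEIGHTS)


def pivot(lines, ip, sessions=()):
    """All lines from the IP, plus any line carrying one of its cpsess IDs
    (catches a shell opened from a second address with the same session)."""
    out = []
    for raw in lines:
        rec = parse_line(raw.rstrip("\n"))
        if rec and (rec["ip"] == ip or rec["sess"] in sessions):
            out.append(raw.rstrip("\n"))
    return out


# Constructed sample (documentation-range IPs): 203.0.113.7 replays the
# published sequence, 198.51.100.20 is a normal root login, 192.0.2.9 only
# fails a password guess.  Not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [04/12/2026:18:21:57 -0000] "GET /login/ HTTP/1.1" 401 0 "-" "python-requests/2.28.1" "-" "-" 2087
203.0.113.7 - root [04/12/2026:18:21:58 -0000] "GET /json-api/loadavg HTTP/1.1" 403 0 "-" "python-requests/2.28.1" "b" "-" 2087
203.0.113.7 - root [04/12/2026:18:21:59 -0000] "GET /cpsess4825961039/json-api/myprivs HTTP/1.1" 200 0 "-" "python-requests/2.28.1" "s" "-" 2087
203.0.113.7 - root [04/12/2026:18:22:00 -0000] "GET /cpsess4825961039/websocket/Shell?rows=24&cols=200 HTTP/1.1" 200 0 "-" "-" "s" "-" 2087
198.51.100.20 - - [04/12/2026:19:02:11 -0000] "POST /login/ HTTP/1.1" 200 0 "-" "Mozilla/5.0" "-" "-" 2087
198.51.100.20 - root [04/12/2026:19:02:12 -0000] "GET /cpsess1122334455/json-api/loadavg HTTP/1.1" 200 0 "-" "Mozilla/5.0" "s" "-" 2087
192.0.2.9 - - [04/12/2026:19:30:44 -0000] "POST /login/ HTTP/1.1" 401 0 "-" "curl/8.0" "-" "-" 2087
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    hits = find_hits(lines)
    for ip, e in sorted(hits.items(), key=lambda kv: -kv[1]["score"]):
        tag = "FULL CHAIN" if full_chain(e) else "partial"
        print(f"{ip} score={e['score']} {tag} users={sorted(e['users'])} "
              f"sessions={sorted(e['sessions'])}")
        for line in pivot(lines, ip, e["sessions"]):
            print("   ", line)
```

Run it as `python3 hunt.py /usr/local/cpanel/logs/access_log` (and again against any rotated copies of the file); with no argument it runs over the constructed sample. For each flagged IP, grep the printed cpsess IDs in session_log to see how and when the session was created. The script only matches the sequence the post describes, so a tool that hits different endpoints will not trip it, and a successful root shell can edit the log, so a clean run means no evidence of this particular pattern, not proof of no compromise.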
 