Actively Exploited cPanel Authentication Bypass — Detection and Remediation Guide

Introduction

A critical security vulnerability has been identified in the cPanel and WebHost Manager (WHM) software ecosystem, platforms that collectively manage a significant portion of the internet's shared hosting infrastructure. This vulnerability, an authentication bypass affecting the administrative interface, allows unauthenticated attackers to gain complete control over targeted servers.

Given that cPanel is used by millions of websites and hosting providers, the blast radius of this flaw is immense. Intelligence confirms that this issue is currently being actively exploited in the wild. For defenders, this is not a theoretical risk—it is an active incident scenario requiring immediate emergency patching and a retrospective hunt for indicators of compromise (IOCs).

Technical Analysis

Affected Products:

• cPanel & WHM versions (See specific vendor advisory for exact build ranges)
• Linux-based servers running the cpsrvd service (typically CentOS, AlmaLinux, or CloudLinux)

The Vulnerability: The flaw resides within the administrative login mechanism of the web interface (cpsrvd). By sending a specifically crafted request to the login endpoint, an attacker can bypass the standard username and password validation checks.

Attack Chain:

1. Recon: Attacker scans for ports 2083 (cPanel) and 2087 (WHM).
2. Exploitation: Attacker sends malicious HTTP request to the login URI, triggering the bypass logic.
3. Privilege Escalation: The service returns a valid session cookie or token, granting administrative access.
4. Takeover: Attacker accesses the dashboard to deface sites, inject malware, or manipulate file systems (RCE via file manager or script execution).

CVSS Score: Estimated 9.8 (Critical) – due to network exploitability, low attack complexity, and total confidentiality, integrity, and availability impact.

Exploitation Status: CONFIRMED ACTIVE EXPLOITATION. Scanning activity has been observed on the public internet.

Detection & Response

Defenders must assume that any unpatched cPanel server may have been already compromised. The following detection mechanisms focus on identifying the successful bypass and subsequent post-exploitation activity.

SIGMA Rules

The following rules detect potential exploitation attempts via web logs and the immediate execution of shells via the web server process, which is a common post-exploitation step for attackers who gain dashboard access.

---
title: Potential cPanel Authentication Bypass Exploitation
id: 550d9a23-cpanel-auth-bypass-0f72
status: experimental
description: Detects potential exploitation of the cPanel auth bypass by identifying successful administrative logins (200 OK) to protected endpoints without a preceding POST to the login page or with anomalous User-Agents.
references:
  - https://support.cpanel.net/hc/en-us/articles/
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.initial_access
  - attack.t1078
logsource:
  category: webserver
  product: apache
detection:
  selection_uri:
    cs-uri-stem|contains:
      - '/login/'
      - '/cpsess'
  selection_status:
    sc-status: 200
  filter_legit:
    cs-method: POST
  condition: selection_uri and selection_status and not filter_legit
falsepositives:
  - Legitimate session refreshes or API calls
level: high
---
title: cPanel Web Server Spawning System Shell
id: 7a3f1c82-cpanel-webshell-9e4b
status: experimental
description: Detects suspicious child process execution where the web server (httpd/cpsrvd) spawns a shell (bash/sh), indicating potential RCE following a takeover.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentImage|endswith:
      - '/httpd'
      - '/cpsrvd'
    Image|endswith:
      - '/bash'
      - '/sh'
      - '/perl'
    CommandLine|contains:
      - 'whoami'
      - 'id'
      - 'curl'
      - 'wget'
  condition: selection
falsepositives:
  - Legitimate administrative CGI scripts (rare in modern cPanel configs)
level: critical

KQL (Microsoft Sentinel / Defender)

This query hunts for successful logins to the WHM (port 2087) or cPanel (port 2083) interfaces that result in a 200 OK status. In an auth-bypass scenario, attackers often directly access the dashboard or APIs. We also look for the lack of a typical referrer or a suspicious User-Agent.

Syslog
| where ProcessName contains "httpd" or SyslogMessage contains "cpsrvd"
| parse SyslogMessage with * "Client: " ClientIP " " * "Method: " Method " " * "Path: " Path " " * "Status: " Status * 
| where Status == "200"
| where Path has "/frontend/" or Path has "/-api/"
| where not(Method has "POST") or Path has "create_user_session"
| extend TimeGenerated, Computer, ClientIP, Path, UserAgent = extract("User-Agent: ([^"]+)", 1, SyslogMessage)
| project TimeGenerated, Computer, ClientIP, Path, UserAgent, SyslogMessage
| summarize count() by Computer, ClientIP, Path
| order by count_ desc

Velociraptor VQL

This artifact hunts for webshells or suspicious modifications within the cPanel document roots and checks for active network connections established by the web server user to external IPs (C2 beacons).

-- Hunt for suspicious file modifications in cPanel roots
SELECT FullPath, Mtime, Size, Mode
FROM glob(globs='/*/public_html/**/*.php')
WHERE Mtime > now() - timedelta(hours=24)
   AND Size < 5000
   AND read_file(filename=FullPath) =~ 'eval\(|base64_decode|shell_exec'

-- Hunt for outbound connections from web server
SELECT Fd.RemoteAddress, Fd.RemotePort, Pid, Name, CommandLine
FROM netstat()
WHERE Name =~ 'httpd' OR Name =~ 'cpsrvd'
  AND Fd.State =~ 'ESTABLISHED'
  AND Fd.RemoteAddress NOT IN ('127.0.0.1', '::1')

Remediation Script (Bash)

This script checks the current cPanel version, applies the latest security updates, and checks for recent modifications in system-critical directories.

#!/bin/bash

# cPanel Emergency Remediation Script
# Author: Security Arsenal

echo "[+] Checking current cPanel version..."
/usr/local/cpanel/cpanel -V

echo "[+] Forcing an update to the latest release tier..."
# This ensures the latest security patches are pulled immediately
/scripts/upcp --force

echo "[+] Checking for recently modified PHP files in user directories (potential webshells)..."
# Finds PHP files modified in the last 24 hours
find /home/*/public_html -name "*.php" -mtime -1 -ls

echo "[+] Restarting cPanel services to ensure patches are loaded..."
/scripts/restartsrv_cpsrvd
/scripts/restartsrv_httpd

echo "[!] Manual review required: Check /usr/local/cpanel/logs/access_log for suspicious IP access."
echo "[+] Remediation complete."

Remediation

Immediate Action Required:

1. Patch Immediately: Update cPanel & WHM to the latest secure version available from the vendor. If automatic updates are not enabled, run /scripts/upcp manually via SSH.
2. Restrict Access: As a defensive-in-depth measure, restrict ports 2083 (cPanel), 2087 (WHM), 2096 (Webmail), and 2078 (WebDisk) to trusted management IP addresses via your firewall (iptables, firewalld, or cloud security group).
3. Audit Logs: Review /usr/local/cpanel/logs/access_log and /usr/local/apache/logs/error_log for the past 7-30 days. Look for successful access (200 OK codes) from unknown IPs or User-Agents that do not match your internal tools.
4. Credential Reset: Once patched, force a password reset for all cPanel, root, and reseller accounts. If the attacker had administrative access, they may have created backdoor accounts or modified SSH keys.

Official Vendor Resources:

• cPanel Security Advisory: https://documentation.cpanel.net/display/ALD/Security+Advisories

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub