cPanel has released security updates addressing three critical vulnerabilities in its web hosting management platform. The most severe of these, CVE-2024-10928 (CVSS 9.8), allows for unauthenticated remote code execution (RCE). Given cPanel's ubiquity in web hosting environments, this flaw represents a high-risk vector for complete server compromise.
Defenders must treat this as a critical patching event. While active exploitation has not yet been reported at the time of this advisory, the nature of unauthenticated RCE in internet-facing services typically leads to rapid weaponization by automated botnets.
Technical Analysis
This advisory addresses three distinct vulnerabilities within the cpsrvd service, the underlying daemon handling cPanel and WHM requests.
Affected Products:
- cPanel & WHM software versions 11.109.x, 11.108.x, and 11.106.x.
CVE Details:
- CVE-2024-10928 (CVSS 9.8 - CRITICAL): Remote Code Execution.
  - Component: cpsrvd.
  - Impact: An unauthenticated attacker can execute arbitrary code on the server.
  - Attack Chain: The attacker sends a malicious request to the cpsrvd service (port 2083/2087). Improper input handling or deserialization leads to code execution in the context of the service. This bypasses authentication entirely.
- CVE-2024-10926 (CVSS 6.7 - HIGH): Privilege Escalation.
  - Component: cpsrvd.
  - Impact: Allows an authenticated user to elevate privileges, potentially gaining root access.
  - Attack Chain: A low-privileged user exploits a logic flaw in cpsrvd to perform actions reserved for the root user.
- CVE-2024-10924 (CVSS 5.3 - MEDIUM): Information Disclosure.
  - Component: cpsrvd.
  - Impact: Allows attackers to read arbitrary files on the system.
  - Attack Chain: An attacker exploits a path traversal or directory listing vulnerability via cpsrvd to access sensitive files (e.g., configuration files, SSH keys).
Exploitation Status: Currently, there are no confirmed reports of in-the-wild exploitation. However, the release of patches provides the blueprint for researchers and threat actors to develop reverse-engineered exploits. The presence of an unauthenticated RCE makes immediate patching the only reliable mitigation.
Detection & Response
Detecting exploitation of these vulnerabilities relies heavily on monitoring the behavior of the cpsrvd process. Since CVE-2024-10928 allows unauthenticated code execution, the most reliable indicator is the parent process cpsrvd spawning unexpected child processes (e.g., shells, perl, or python) or making unexpected outbound network connections.
Sigma Rules
---
title: Potential cPanel RCE - cpsrvd Spawning Shell
id: 89f1c2b3-4d5e-6f78-9a0b-1c2d3e4f5a6b
status: experimental
description: Detects potential exploitation of CVE-2024-10928. The cPanel service (cpsrvd) spawning a shell is a strong indicator of Remote Code Execution.
references:
    - https://securityaffairs.com/191931/security/new-cpanel-vulnerabilities-could-allow-file-access-and-remote-code-execution.html
author: Security Arsenal
date: 2025/04/07
tags:
    - attack.execution
    - attack.t1059.004
    - cve.2024.10928
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        ParentImage|endswith: '/cpsrvd'
        Image|endswith:
            - '/bash'
            - '/sh'
            - '/zsh'
            - '/fish'
    condition: selection
falsepositives:
    - Legitimate administrative scripts executed by cPanel administrators (rare)
level: critical
---
title: Potential cPanel RCE - cpsrvd Spawning Interpreters
id: a1b2c3d4-e5f6-7890-1234-567890abcdef
status: experimental
description: Detects cpsrvd spawning interpreters like Perl or Python, often used in webshells or RCE payloads targeting cPanel.
references:
    - https://securityaffairs.com/191931/security/new-cpanel-vulnerabilities-could-allow-file-access-and-remote-code-execution.html
author: Security Arsenal
date: 2025/04/07
tags:
    - attack.execution
    - attack.t1059.006
    - cve.2024.10928
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        ParentImage|endswith: '/cpsrvd'
        Image|endswith:
            - '/perl'
            - '/python'
            - '/python3'
            - '/php'
    condition: selection
falsepositives:
    - Legitimate cPanel maintenance scripts
level: high
KQL (Microsoft Sentinel / Defender)
This query hunts for process creation events where the parent process is cpsrvd but the child process is not a standard cPanel subprocess. This assumes Linux logs are ingested via Syslog or CEF into the Syslog table.
Syslog
| where ProcessName != "" and ParentProcessName != ""
| extend ParentProcessName = tostring(ParentProcessName)
| where ParentProcessName contains "cpsrvd"
| where ProcessName in ("bash", "sh", "perl", "python", "python3", "php", "nc", "wget", "curl")
| project TimeGenerated, HostName, ProcessName, ParentProcessName, ProcessID
| summarize count() by ProcessName, HostName
| order by count_ desc
Velociraptor VQL
This artifact hunts for processes currently running on the endpoint where the parent is cpsrvd. This is useful for triaging a server suspected of being compromised.
-- Hunt for suspicious child processes of cpsrvd
-- pslist() exposes Ppid only (no Parent object), so resolve the cpsrvd PIDs first and join on them
LET cpsrvd_pids <= SELECT Pid AS CpPid FROM pslist() WHERE Name =~ 'cpsrvd'
SELECT * FROM foreach(row=cpsrvd_pids, query={
    SELECT Pid, Name, CommandLine, Exe, Username, Ppid AS ParentPid
    FROM pslist()
    WHERE Ppid = CpPid
      AND NOT Name IN ('cpsrvd', 'cpanellogd', 'tailwatchd', 'spamd', 'exim', 'dovecot', 'httpd', 'nginx')
})
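The Sigma, KQL and VQL logic above all reduce to one behavioural check: a child of cpsrvd whose image is not one of the daemon's expected helpers. The following is an added example, not code from the advisory, that applies that check to Sigma-style process_creation events (field names ParentImage, Image and Host are assumed; the sample events are constructed) and aggregates hits per host the way the KQL summarize step does.

```python
# Added example: cpsrvd parent/child detection over process-creation events (constructed data)
from dataclasses import dataclass
from typing import Dict, List, Optional

SHELLS = ("/bash", "/sh", "/zsh", "/fish")                  # Sigma rule 1 -> critical
INTERPRETERS = ("/perl", "/python", "/python3", "/php")      # Sigma rule 2 -> high
NET_TOOLS = ("/nc", "/wget", "/curl")                        # extra names from the KQL hunt
# Children cpsrvd legitimately spawns (the VQL allowlist); these are never flagged
EXPECTED = ("/cpsrvd", "/cpanellogd", "/tailwatchd", "/spamd",
            "/exim", "/dovecot", "/httpd", "/nginx")

@dataclass
class Finding:
    host: str
    image: str
    level: str
    rule: str

def classify(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding if the parent is cpsrvd and the child matches a rule, else None."""
    parent, image = event.get("ParentImage", ""), event.get("Image", "")
    if not parent.endswith("/cpsrvd") or image.endswith(EXPECTED):
        return None
    if image.endswith(SHELLS):
        return Finding(event["Host"], image, "critical", "cpsrvd Spawning Shell")
    if image.endswith(INTERPRETERS):
        return Finding(event["Host"], image, "high", "cpsrvd Spawning Interpreters")
    if image.endswith(NET_TOOLS):
        return Finding(event["Host"], image, "medium", "cpsrvd Spawning Network Tool")
    return None

def scan(events: List[Dict[str, str]]) -> List[Finding]:
    return [f for f in map(classify, events) if f is not None]

def counts_by_host(findings: List[Finding]) -> Dict[str, int]:
    """Same aggregation as the KQL 'summarize count() by HostName'."""
    out: Dict[str, int] = {}
    for f in findings:
        out[f.host] = out.get(f.host, 0) + 1
    return out

# Constructed sample events, not real telemetry
SAMPLE_EVENTS = [
    {"Host": "web01", "ParentImage": "/usr/local/cpanel/cpsrvd", "Image": "/usr/bin/bash"},
    {"Host": "web01", "ParentImage": "/usr/local/cpanel/cpsrvd", "Image": "/usr/bin/perl"},
    {"Host": "web02", "ParentImage": "/usr/local/cpanel/cpsrvd", "Image": "/usr/sbin/exim"},
    {"Host": "web02", "ParentImage": "/usr/sbin/sshd", "Image": "/usr/bin/bash"},
    {"Host": "web02", "ParentImage": "/usr/local/cpanel/cpsrvd", "Image": "/usr/bin/curl"},
]
```

The exim child and the sshd-spawned shell are dropped, which is the allowlisting that keeps this from paging on every cPanel maintenance run.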
Remediation Script (Bash)
This script verifies the current cPanel version and applies the necessary security updates.
#!/bin/bash
# cPanel Security Update Script for CVE-2024-10928
# Check current version
echo "Checking cPanel version..."
/usr/local/cpanel/cpanel -V
# Apply updates with upcp; --force runs the update even if the version appears current
echo "Applying security updates..."
/usr/local/cpanel/scripts/upcp --force
status=$?   # capture upcp's exit code now, before the next echo overwrites $?
# Verify update success
echo "Verifying update..."
if [ "$status" -eq 0 ]; then
    echo "Update completed successfully."
    /usr/local/cpanel/cpanel -V
else
    echo "Update failed. Please run manually."
    exit 1
fi
Remediation
The only effective remediation for these vulnerabilities is to upgrade to the latest secure versions released by cPanel. Workarounds are not practical due to the nature of the flaws (input validation in the core service).
Required Updates:
Update to one of the following versions or later:
- 11.109.9999.119
- 11.108.0.31
- 11.106.0.17
Action Steps:
- Verify Version: Log in to WHM via SSH or the web interface and check "Current Version" in the top right corner, or run /usr/local/cpanel/cpanel -V.
- Update: Run /usr/local/cpanel/scripts/upcp via SSH. This will pull the latest patched version.
- Post-Patch Verification: Ensure the server version matches one of the secure versions listed above.
- Audit: Review logs for any suspicious activity from cpsrvd preceding the patch. If compromise is confirmed, initiate incident response procedures, as simple patching does not remove implanted backdoors.
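The post-patch verification step is branch-aware: a host on 11.108 is only safe at 11.108.0.31 or later, regardless of how it compares to the 11.109 number. The following added example (not from the advisory) encodes the three minimum versions above and classifies a version string; it assumes the version is available as a dotted "11.x.y.z" string, for instance in the output of /usr/local/cpanel/cpanel -V or in the /usr/local/cpanel/version file (both treated as assumptions here).

```python
# Added example: check an installed cPanel version against the advisory's minimum patched
# version for its branch. Version source paths are assumptions, not taken from the advisory.
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Minimum patched release per affected branch, taken from the advisory
PATCHED = {
    109: (11, 109, 9999, 119),
    108: (11, 108, 0, 31),
    106: (11, 106, 0, 17),
}
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text: str) -> Optional[Version]:
    """Pull the first dotted four-part version out of command or file output."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())

def assess(text: str) -> str:
    """Return 'patched', 'vulnerable', 'unlisted-branch' or 'unparseable'."""
    v = parse_version(text)
    if v is None:
        return "unparseable"
    minimum = PATCHED.get(v[1])        # branch is the second component (109, 108, 106)
    if minimum is None:
        return "unlisted-branch"       # e.g. 11.110.x: not in the affected list, check the changelog
    # Tuple comparison is component-wise, so 11.109.9999.119 > 11.109.9999.118 > 11.109.0.5
    return "patched" if v >= minimum else "vulnerable"

def assess_local_host(path: str = "/usr/local/cpanel/version") -> str:
    """Read the version file on a cPanel host (path is an assumption) and assess it."""
    try:
        with open(path, encoding="utf-8") as fh:
            return assess(fh.read())
    except OSError:
        return "unparseable"

if __name__ == "__main__":
    print(assess_local_host())
```

An "unlisted-branch" result is not a clean bill of health; it only means the branch is outside the three the advisory names, so confirm it against the vendor changelog.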
Vendor Advisory: For full release notes and tier-specific download links, refer to the official cPanel changelog.