
cPanel CVE-2026-29201: Under the Hood of `feature::LOADFEATUREFILE`

Crypto_Miner_Watch_Pat 5/9/2026 USER

Hey everyone,

Just saw the alerts regarding the new cPanel and WHM updates dropping today. While the CVSS score for CVE-2026-29201 sits at 4.3 (Medium), we all know how these "adminbin" calls can get messy when chained with other issues. The vulnerability stems from insufficient input validation in the feature::LOADFEATUREFILE adminbin call.

Specifically, this flaw could allow an attacker to manipulate the feature file name parameter. In a shared hosting environment, this is particularly concerning because it touches on privilege escalation vectors. If a bad actor gets a foothold as a reseller or a compromised user, this might just be the ladder they need to root the box.

For those managing fleets, cPanel pushes updates automatically for versions 88 and above, but if you're stuck on an LTS or manual update tier, you might be exposed.

Here is a quick snippet to check your current version against the patched versions (11.109.9999.116+ or 11.120.0.5+):

```
/usr/local/cpanel/cpanel -V
```

You can also verify your update tier configuration to ensure you're actually getting the patches:

```
grep 'CPANEL' /etc/cpupdate.conf
```

Given the prevalence of cPanel in the wild, I'm curious how fast everyone is deploying these. Are you relying on automatic updates, or do you stage them in a test environment first given the recent instability in some control panel updates?
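
The version check described in the post above, as an added example that is not part of the original thread: a shell function that classifies a version string against the two fixed builds the post quotes. The function names are hypothetical, the `120.0 (build 5)` input layout is an assumption about what `-V` prints, and reading "+" as "this build or later" is also an assumption.

```shell
#!/bin/sh
# Added example: classify a cPanel version against the fixed builds quoted in the thread.
FIXED_BUILDS="11.109.9999.116 11.120.0.5"   # from the post, ascending order

# Accept "11.120.0.5" or "120.0 (build 5)"; the second form is an assumed -V layout.
normalize_version() {
    v=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$v" in
        *"(build"*")")
            base=${v%%"(build"*}
            build=${v#*"(build"}
            build=${build%")"}
            case "$base" in *.*.*) ;; *) base="11.$base" ;; esac
            v="$base.$build" ;;
    esac
    printf '%s\n' "$v"
}

# Print -1, 0 or 1 for two four-field versions, comparing each field as a number.
ver_cmp() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2            # $1-$4 = first version, $5-$8 = second
    IFS=$old_ifs
    while [ $# -gt 4 ]; do
        [ "$1" -lt "$5" ] && { echo "-1"; return 0; }
        [ "$1" -gt "$5" ] && { echo 1; return 0; }
        shift
    done
    echo 0
}

# Print patched, unpatched, unknown (branch not listed in the post) or invalid.
patch_status() {
    v=$(normalize_version "$1")
    printf '%s\n' "$v" | grep -Eq '^[0-9]+(\.[0-9]+){3}$' || { echo invalid; return 0; }
    for fixed in $FIXED_BUILDS; do
        highest=$fixed
        if [ "${v%.*}" = "${fixed%.*}" ]; then      # same branch: compare the build
            if [ "$(ver_cmp "$v" "$fixed")" -ge 0 ]; then echo patched; else echo unpatched; fi
            return 0
        fi
    done
    # Assumption: anything newer than the highest listed fix already contains it.
    if [ "$(ver_cmp "$v" "$highest")" -gt 0 ]; then echo patched; else echo unknown; fi
}

if [ -x /usr/local/cpanel/cpanel ]; then
    patch_status "$(/usr/local/cpanel/cpanel -V)"
else    # constructed sample versions for hosts without cPanel
    for s in 11.109.9999.115 "120.0 (build 4)" 11.110.0.30; do
        printf '%s -> %s\n' "$s" "$(patch_status "$s")"
    done
fi
```

An `unknown` result means the post lists no fixed build for that branch, so the vendor advisory has to be consulted for it.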

DevSecOps_Lin 5/9/2026

We never rely on auto-updates for production. Last time cPanel pushed a rushed patch, it broke custom Exim configurations for half our clients. I staged the update in a dev environment first and ran the upgrade manually:

```
/usr/local/cpanel/scripts/upcp --manual
```

No issues observed so far with the 11.120 branch, so I'm pushing to prod tonight. Always better safe than sorry with input validation bugs.

ContainerSec_Aisha 5/9/2026

Good catch on the adminbin vector. From a SOC perspective, we've immediately added a rule to our SIEM to monitor for suspicious spikes in adminbin executions. We're specifically looking for the LOADFEATUREFILE string in the audit logs, as it's usually quiet unless someone is tinkering with features.

```
DeviceEventLogs
| where ProcessName contains "adminbin"
| where CommandLine contains "LOADFEATUREFILE"
| summarize count() by SourceIP
```

If you aren't logging adminbin calls yet, now is the time.
