Three new cPanel/WHM CVEs dropped today. Anyone else seeing exploitation attempts yet?
Hey everyone,
Just caught the news that cPanel released patches for three distinct vulnerabilities affecting both cPanel and Web Host Manager (WHM). One that stands out is CVE-2026-29201 (CVSS 4.3), involving insufficient input validation in the feature::LOADFEATUREFILE adminbin call.
While a 4.3 score might seem manageable to some management types, the advisory warns that exploitation can lead to privilege escalation, remote code execution, and denial-of-service. For those of us managing shared hosting environments, privilege escalation is effectively a total compromise of the tenant isolation model. The issue specifically lies in how the feature::LOADFEATUREFILE function handles file names, potentially allowing attackers to manipulate file loading mechanisms.
If you manage these servers, you should verify your build immediately to ensure you are on a patched version. You can check your version via SSH:
/usr/local/cpanel/cpanel -V
In terms of detection, I'm currently combing through access logs for any anomalies related to feature file loading. You can target the specific adminbin call like this:
grep "feature::LOADFEATUREFILE" /usr/local/cpanel/logs/access_log
If you see suspicious parameters or unexpected calls from non-admin IPs, you might want to investigate further. Given how widespread WHM is, I'm expecting exploit scripts to pop up on GitHub soon.
Has anyone else started their patching cycle yet? Are you going straight to production or running the updates in staging first?
Thanks for the shout. We just pushed the updates across our fleet. No issues so far on the 'Current' tier. Always terrifying when RCE is involved in a web hosting control panel—too many attack surfaces.
/usr/local/cpanel/scripts/upcp --force
I recommend forcing the update if your tier is lagging behind the release schedule.
The CVSS of 4.3 feels deceptively low for a potential RCE chain. Usually, these adminbin calls require specific privileges or contexts to trigger, which might explain the score. Still, I'm spinning up a test box to see if I can trigger the DoS condition on the LOADFEATUREFILE call. If anyone has a reproduction case or PoC details, please share.
Good post. We've added a signature to our SIEM for the specific adminbin string mentioned. Just a heads up: ensure you're checking all log files; sometimes cPanel shunts admin activity to different logs depending on the configuration. We're treating this as P2 given the PrivEsc potential.
Solid advice, Pat. To complement the SIEM signatures, you can manually check for abuse of the vulnerable feature::LOADFEATUREFILE call by grepping the cPanel access logs. This is often where the initial recon shows up before the SIEM rules fire.
Run this on your servers to isolate source IPs:
grep "LOADFEATUREFILE" /usr/local/cpanel/logs/access_log | awk '{print $1}' | sort | uniq -c | sort -nr
This helps separate false positives from active scanning attempts targeting that specific adminbin function.
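Putting the two grep-based checks from this thread (the OP's log search and the per-IP count above) into one reusable script, as an added example that is not from any poster: it counts LOADFEATUREFILE hits per source IP while ignoring an allowlist of known admin IPs, and flags when any other IP crosses a threshold. It assumes the Apache-style "IP - user [timestamp] request" line layout implied by the awk '{print $1}' usage above; the sample log lines and the request path in them are constructed placeholders, not real cPanel output.

```shell
#!/bin/sh
# Added example, not cPanel's or the thread's own tooling.
# Assumed log layout: first field is the client IP (as the thread's awk usage implies).

# Constructed sample access_log (not real data; the request path is a placeholder).
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - root [01/Jan/2026:10:00:01 +0000] "POST /placeholder/feature::LOADFEATUREFILE HTTP/1.1" 200 512
203.0.113.7 - root [01/Jan/2026:10:00:02 +0000] "GET /placeholder/index.cgi HTTP/1.1" 200 1024
198.51.100.9 - - [01/Jan/2026:10:00:03 +0000] "POST /placeholder/feature::LOADFEATUREFILE HTTP/1.1" 403 0
198.51.100.9 - - [01/Jan/2026:10:00:04 +0000] "POST /placeholder/feature::LOADFEATUREFILE HTTP/1.1" 403 0
192.0.2.33 - - [01/Jan/2026:10:00:05 +0000] "POST /placeholder/feature::LOADFEATUREFILE HTTP/1.1" 500 0
EOF

# loadfeaturefile_hits LOGFILE "ip1 ip2 ..."
# Prints "count ip" for every source IP that called LOADFEATUREFILE and is not
# in the space-separated allowlist, most active first.
loadfeaturefile_hits() {
  log="$1"; allow="$2"
  grep -F 'LOADFEATUREFILE' "$log" | awk -v allow="$allow" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    !($1 in ok) { c[$1]++ }
    END { for (ip in c) print c[ip], ip }
  ' | sort -nr
}

# alert_if_over LOGFILE "allowlist" MIN
# Exit status 0 when some non-allowlisted IP reached MIN hits, 1 otherwise,
# so it can gate a cron/SIEM notification.
alert_if_over() {
  loadfeaturefile_hits "$1" "$2" | awk -v min="$3" '$1 >= min { found = 1 } END { exit !found }'
}

# Example run against the constructed log, treating 203.0.113.7 as a known admin host.
loadfeaturefile_hits "$SAMPLE_LOG" "203.0.113.7"
```

On a live server replace SAMPLE_LOG with /usr/local/cpanel/logs/access_log and, as Pat noted, repeat for any other log cPanel writes admin activity to on your configuration.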
Great insights, everyone. Beyond log grepping, keep a close watch on process lineage. If cpsrvd spawns unexpected shells or interpreters, that's a huge red flag for active RCE. You can hunt for anomalies using this simple command to spot non-standard child processes:
ps -eo pid,ppid,user,cmd | grep -E 'cpanel|cpsrvd' | grep -E '(bash|sh|python|perl)' | grep -v grep
It’s a quick way to validate if the adminbin call is being abused for code execution.