Critical cPanel and WHM Vulnerabilities Expose Servers to Remote Code Execution and Denial-of-Service Attacks
cPanel, a leading provider of web hosting control panels, has recently addressed three critical security vulnerabilities—CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203—that could allow attackers to execute arbitrary code, read sensitive files, and cause denial-of-service (DoS) conditions on affected servers. These vulnerabilities impact both cPanel & WHM (WebHost Manager) and the WP Squared (WP2) platform.
Overview of the Vulnerabilities
1. CVE-2026-29201: Arbitrary File Read via Path Traversal
This vulnerability exists in the `feature::LOADFEATUREFILE` adminbin call, which fails to properly validate the feature file name parameter. By supplying a relative path as an argument, an attacker can access and read arbitrary files on the server. This flaw could expose sensitive information such as configuration files, credentials, and private keys, potentially leading to further system compromise.
2. CVE-2026-29202: Perl Code Injection in User Creation API
The most severe of the three, this flaw resides in the `create_user` API call, specifically within the `plugin` parameter. Due to insufficient input sanitization, attackers can inject and execute arbitrary Perl code on the server. This remote code execution (RCE) vulnerability poses a significant risk, as it could allow attackers to gain full control over the server, exfiltrate data, and deploy malware or backdoors across hosted environments.
3. CVE-2026-29203: Unsafe Symlink Handling
This vulnerability arises from improper handling of symbolic links, enabling a user to change the permissions (`chmod`) of arbitrary files on the system. Exploitation of this flaw can disrupt critical system operations, leading to DoS conditions. Additionally, it could be combined with other vulnerabilities to escalate privileges and gain unauthorized administrative access.
Affected Versions and Patched Releases
These vulnerabilities affect multiple versions of cPanel & WHM. cPanel has released patches across all active branches to address these issues. Administrators are strongly advised to update to one of the following versions or higher:
– 11.136.0.9
– 11.134.0.25
– 11.132.0.31
– 11.130.0.22
– 11.126.0.58
– 11.124.0.37
– 11.118.0.66
– 11.110.0.116
– 11.110.0.117
– 11.102.0.41
– 11.94.0.30
– 11.86.0.43
For WP Squared users, the recommended update is to version 11.136.1.10 or higher.
Immediate Action Required
Given the severity of these vulnerabilities, immediate action is necessary to secure affected systems. Administrators should perform the following steps:
1. Update cPanel & WHM:
Run the forced update script to apply the latest patches:
“`bash
/scripts/upcp –force
“`
2. Verify the Installed Version:
After the update, confirm the installed version to ensure the patch has been applied successfully:
“`bash
/usr/local/cpanel/cpanel -V
“`
Ensure that the version matches one of the patched releases listed above.
3. Special Instructions for CentOS 6 or CloudLinux 6 Users:
Servers running CentOS 6 or CloudLinux 6 can apply a direct update to version 110.0.114 by setting the upgrade tier with the following command:
“`bash
sed -i s/CPANEL=./CPANEL=cl6110/g /etc/cpupdate.conf
“`
Then, proceed with the update as described above.
Potential Impact
The exploitation of these vulnerabilities could have severe consequences, including:
– Unauthorized Access: Attackers could gain unauthorized access to sensitive data and system resources.
– Data Exfiltration: Sensitive information could be stolen, leading to data breaches and potential legal ramifications.
– System Compromise: Full control over the server could be obtained, allowing attackers to deploy malware, create backdoors, or disrupt services.
– Denial-of-Service: Critical system operations could be disrupted, rendering services unavailable to legitimate users.
Conclusion
The discovery of these critical vulnerabilities in cPanel & WHM underscores the importance of proactive security measures and timely software updates. Administrators and hosting providers must prioritize the immediate application of the provided patches to mitigate the risks associated with these flaws. Regular monitoring and maintenance of server environments are essential to safeguard against emerging threats and ensure the integrity and availability of hosted services.
