Managed Servers (KVM VPS)

cPanel (WHM): root access exploit patched

Addendum

Please note that, reading between the lines and going off the limited info they have released and the other things going on with regard to attacks against cPanel+WHM, it seems that this may have been known to them for 1+ month, and that the exploit has been available in the code-base at least as far back as the 2000s - “almost all known cPanel versions” (KH).

Synergy Wholesale have had an active incident since the 20th of March 2026, so 5+ weeks now, in which they have disabled the /cpanel, /whm, /webmail etc. proxy routing “folder shortcuts” due to ongoing attacks. We know that they are mostly exposed due to remaining on EOL CloudLinux v7 (Synergy, not Merlot), which limits the cPanel version to v110, and they’ve been waiting for a fix to be back-ported, having disabled the routing in the interim.

However, Namecheap reported the 0-day side of this on the 28th of April 2026 and firewall-blocked ports 2083 and 2087 immediately, with a fix coming through just 3 hours later. What’s especially interesting is that they’re not talking about the /cpanel etc. proxy entry points for authentication. At the time of this addendum, the cPanel Product Team still have not sent out their official communication to customers about the vulnerability.

It seems almost certain the two are related, and that the lag on the “nuisance attacks” allowed others to find the broader impact/surface of the flaw. We know that the flaw goes back decades in cPanel’s code.

As it runs millions of websites globally, and there are a large number of servers running pre-v110 installations which WebPros have so far chosen not to patch despite their seemingly being equally vulnerable, it’s quite bleak.

Information

G’day,

Please note this advisory only applies to clients who still remain on cPanel+WHM. For your information:

A zero-day exploit allowing total control via WHM as the root user has been silently patched by cPanel.

We have patched the handful of servers where clients remain on cPanel+WHM, and appreciate that those clients are making strides towards DirectAdmin (due mostly to cPanel insecurity) with haste as they’re able to.

The 0-day relates to session loading and saving for WHM being problematic to the extent of a total server takeover. Their case (reference CPANEL-52908) has been patched in all versions from v110 (2023 initial release) to v136 (2026 initial release), with no further info released whatsoever by WebPros, nor any direct communication.

  • Support article states the flaw is “relating to various authentication paths” - Their support article here
  • Changelog entry states: “[Security] CPANEL-52908: Fix issue with session loading & saving” - C’LOG v136
  • WebPros do not leverage CVEs and the cPanel TSR (Targeted Security Release) page has been deleted, which aligns with there having been no direct communication to cPanel Partners as of the time of our advisory.

This has no relevance to the majority of our clients who are now happily running on DirectAdmin (DA). :-)

Cheers,
Merlot Digital

The Network Crew Pty Ltd (TNC)

Network: AS138521