cPanel has released emergency security updates, published on May 8, 2026, that address three newly disclosed vulnerabilities, CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203, affecting cPanel, Web Host Manager (WHM), and WP Squared.
The flaws carry CVSS scores ranging from 4.3 to 8.8 and expose millions of web hosting environments to arbitrary file reads, remote Perl code execution, and denial-of-service or privilege escalation attacks.
The timing is especially critical: the disclosure comes less than two weeks after a separate critical authentication bypass vulnerability (CVE-2026-41940, CVSS 9.8) was weaponized in the wild to deploy Mirai botnet variants and the “Sorry” ransomware strain against over 44,000 compromised cPanel servers globally.
CVE-2026-29201 – Arbitrary File Read (CVSS 4.3)
The first vulnerability involves insufficient input validation of the feature file name in the feature::LOADFEATUREFILE adminbin call.
When a relative file path is supplied, an authenticated attacker can read arbitrary files on the server, potentially exposing sensitive configuration data, credentials, and private keys used across hosted accounts.
While the CVSS score is moderate, in shared hosting environments where thousands of websites reside on a single server, unauthorized file reads can serve as a critical stepping stone for more sophisticated attacks.
CVE-2026-29202 – Remote Perl Code Execution (CVSS 8.8)
The second and most severe flaw targets the plugin parameter of the create_user API call. Insufficient input validation there allows an already-authenticated attacker to execute arbitrary Perl code with the privileges of the system user associated with that account.
Given that cPanel is built extensively on Perl, this attack surface is substantial; a successful exploit could allow full control over server-side processes, data exfiltration, malware installation, or lateral movement across hosted accounts.
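The two flaws above are the same mistake applied to two different sinks: a name that becomes a path (CVE-2026-29201) and a name that reaches the interpreter (CVE-2026-29202). The following is an added illustration, not cPanel's code, written in Python rather than the Perl the product is built on; it shows the generic vulnerable shape of the file loader beside a hardened version, and an allowlist check for the plugin name. The function names, the temporary feature directory and the plugin allowlist are assumptions made for the example.

```python
"""Confining two untrusted names: a feature-file name that becomes a path
(the CVE-2026-29201 class) and a plugin name that reaches the interpreter
(the CVE-2026-29202 class).

Added illustration, not cPanel's code. Function names, the feature directory
layout and the plugin allowlist are hypothetical.
"""
import os
import re
import tempfile
from pathlib import Path

FEATURE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")  # one plain path component
PLUGIN_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,63}")           # a bare identifier
KNOWN_PLUGINS = frozenset({"cpaddons", "wp_toolkit"})             # hypothetical allowlist


def load_feature_file_vulnerable(base_dir: str, name: str) -> str:
    """The vulnerable shape: join the caller's name onto the base directory and read.

    A relative name such as '../secret.key' walks out of base_dir, and an
    absolute name replaces base_dir entirely (os.path.join discards it).
    """
    with open(os.path.join(base_dir, name), encoding="utf-8") as fh:
        return fh.read()


def resolve_feature_file(base_dir: str, name: str) -> Path:
    """Return the feature file called `name` inside base_dir, or raise ValueError.

    Syntactic check first (the name is a single component), then a semantic
    check that the resolved path, symlinks followed, is still a direct child of
    base_dir, so a planted symlink cannot redirect the read either.
    """
    if not FEATURE_NAME.fullmatch(name) or name in (".", ".."):
        raise ValueError(f"invalid feature file name: {name!r}")
    base = Path(base_dir).resolve(strict=True)
    candidate = (base / name).resolve()
    if candidate.parent != base:
        raise ValueError(f"feature file {name!r} resolves outside {base}")
    return candidate


def validate_plugin_name(name: str) -> str:
    """Accept a plugin name only if it is a bare identifier on the allowlist.

    In a Perl code base the dangerous sink is a string eval or a require built
    from the parameter; escaping does not help there, so the parameter must
    never be free text.
    """
    if not PLUGIN_NAME.fullmatch(name):
        raise ValueError(f"plugin name is not a bare identifier: {name!r}")
    if name not in KNOWN_PLUGINS:
        raise ValueError(f"unknown plugin: {name!r}")
    return name


def demo() -> dict:
    """Build a throwaway feature directory with a planted symlink and exercise both checks."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:  # constructed layout, not a real install
        root = Path(tmp)
        features = root / "features"
        features.mkdir()
        (features / "default").write_text("FEATURE=1\n")
        secret = root / "secret.key"
        secret.write_text("private key material\n")
        (features / "planted").symlink_to(secret)  # attacker-controlled symlink

        # The vulnerable loader returns the file outside the directory.
        results["vuln_traversal"] = load_feature_file_vulnerable(str(features), "../secret.key").strip()
        results["safe_ok"] = resolve_feature_file(str(features), "default").name
        for bad in ("../secret.key", "planted", "/etc/passwd", "a/b", ".."):
            try:
                resolve_feature_file(str(features), bad)
                results[bad] = "accepted"
            except ValueError:
                results[bad] = "rejected"

    results["plugin_ok"] = validate_plugin_name("cpaddons")
    for bad in ('x"; system("id"); "', "../Evil", "evil_plugin", ""):
        try:
            validate_plugin_name(bad)
            results[bad] = "accepted"
        except ValueError:
            results[bad] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value}")
```

The two-layer path check matters: the regex alone would accept `planted`, which is a valid-looking name, and only the post-resolution parent comparison catches the symlink pointing out of the directory.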
CVE-2026-29203 – Unsafe Symlink Handling Leading to DoS or Privilege Escalation (CVSS 8.8)
The third vulnerability arises from unsafe symlink handling that permits a user to invoke chmod on arbitrary files outside their authorized scope.
This can be abused to alter file permissions in ways that destabilize critical system services, resulting in denial-of-service, or manipulate access controls in a manner that achieves privilege escalation, potentially granting root-level access on a shared server.
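The defence against this class is to never let a privileged component apply `chmod` to a name the account controls. As an added illustration (not cPanel's code, and in Python rather than cPanel's Perl; the system calls are the same), the block below shows the vulnerable by-name `chmod` beside a version that walks every path component with `O_NOFOLLOW`, checks ownership with `fstat` on the opened descriptor, and applies `fchmod` to that descriptor. The function names and the temporary home-directory layout are assumptions for the example.

```python
"""Changing permissions on behalf of an account without being redirected by a
symlink the account planted: the CVE-2026-29203 class.

Added illustration, not cPanel's code. Function names and the directory layout
are assumptions. Defence: open each component with O_NOFOLLOW, confirm
ownership with fstat on the descriptor, then fchmod that descriptor.
"""
import errno
import os
import stat
import tempfile
from pathlib import Path

# O_NOFOLLOW on a symlink gives ELOOP; with O_DIRECTORY also set Linux reports ENOTDIR.
REFUSE = {errno.ELOOP, errno.ENOTDIR}


def chmod_by_name(path: str, mode: int) -> None:
    """The vulnerable shape: os.chmod() dereferences symlinks, so whoever
    controls `path` chooses which file's mode changes."""
    os.chmod(path, mode)


def account_chmod(home: str, relpath: str, mode: int, expected_uid: int) -> None:
    """chmod `relpath` below `home`, refusing a symlink in any component and any
    object not owned by expected_uid. Raises ValueError or PermissionError."""
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if relpath.startswith("/") or not parts or ".." in parts:
        raise ValueError(f"path must be relative and stay below home: {relpath!r}")
    base = os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC
    dir_fd = os.open(home, os.O_RDONLY | os.O_DIRECTORY | os.O_CLOEXEC)
    fd = -1
    try:
        for part in parts[:-1]:  # intermediate directories, one openat() each
            try:
                nxt = os.open(part, base | os.O_DIRECTORY, dir_fd=dir_fd)
            except OSError as exc:
                if exc.errno in REFUSE:
                    raise PermissionError(f"{part!r} is not a plain directory") from None
                raise
            os.close(dir_fd)
            dir_fd = nxt
        try:
            # O_NONBLOCK so a planted FIFO cannot hang the privileged caller.
            fd = os.open(parts[-1], base | os.O_NONBLOCK, dir_fd=dir_fd)
        except OSError as exc:
            if exc.errno in REFUSE:
                raise PermissionError(f"refusing to follow symlink {relpath!r}") from None
            raise
        st = os.fstat(fd)
        if st.st_uid != expected_uid:
            raise PermissionError(f"{relpath!r} is owned by uid {st.st_uid}, not {expected_uid}")
        os.fchmod(fd, mode)  # applies to the object just inspected, never to a name
    finally:
        if fd >= 0:
            os.close(fd)
        os.close(dir_fd)


def demo() -> dict:
    """Constructed layout: an account home holding a file symlink and a directory
    symlink that both point outside the home."""
    me = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        outside = root / "outside"
        outside.mkdir()
        target = outside / "system.conf"
        target.write_text("secret=1\n")
        target.chmod(0o600)
        home = root / "home" / "sitea"
        (home / "public_html").mkdir(parents=True)
        own = home / "public_html" / "index.html"
        own.write_text("<html></html>\n")
        own.chmod(0o644)
        (home / "evil").symlink_to(target)
        (home / "evildir").symlink_to(outside, target_is_directory=True)

        chmod_by_name(str(home / "evil"), 0o666)  # follows the symlink
        results["vuln_changed_outside_file"] = stat.S_IMODE(target.stat().st_mode) == 0o666
        target.chmod(0o600)

        def attempt(rel: str) -> str:
            try:
                account_chmod(str(home), rel, 0o666, me)
                return "applied"
            except (ValueError, PermissionError):
                return "rejected"

        for rel in ("evil", "evildir/system.conf", "../outside/system.conf", "public_html/index.html"):
            results[rel] = attempt(rel)
        results["own_mode"] = stat.S_IMODE(own.stat().st_mode)
        results["outside_mode"] = stat.S_IMODE(target.stat().st_mode)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value if not isinstance(value, int) or isinstance(value, bool) else oct(value)}")
```

When the real helper runs as root the `open()` succeeds whatever the mode bits are, so the `fstat` ownership comparison is the check that ties the object to the account; a `realpath`-then-`chmod` sequence would still race against a symlink swapped in between the two calls, which is why the mode change goes through the descriptor.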
As Hadrian security researchers previously noted in the context of cPanel compromises, “WHM grants root administrative access to the server; an attacker with this access can read every customer hosting account, modify files and databases, create backdoor accounts, install malware, steal credentials, and pivot into customer networks.”
Affected Versions and Patches
cPanel released patches across all supported version tracks on May 8, 2026, at 12:00 PM EST. The following versions include the fixes:
cPanel & WHM: 11.136.0.9, 11.134.0.25, 11.132.0.31, 11.130.0.22, 11.126.0.58, 11.124.0.37, 11.118.0.66, 11.110.0.116 / 11.110.0.117, 11.102.0.41, 11.94.0.30, and 11.86.0.43 (and higher for all).
WP Squared: Version 11.136.1.10 and higher.
For customers still operating on legacy CentOS 6 or CloudLinux 6 environments, cPanel has released version 110.0.114 as a direct update path. Administrators who wish to update manually before automatic patching occurs can execute /scripts/upcp from the server command line after the patch release window.
These three vulnerabilities arrive at a particularly alarming moment for the web hosting industry. On April 28, 2026, cPanel disclosed CVE-2026-41940, a critical authentication bypass with a CVSS score of 9.8, which had been actively exploited since at least February 23, a 64-day window during which approximately 1.5 million internet-exposed cPanel instances had no patch and no public advisory.
The scale of exploitation that followed was staggering. The Shadowserver Foundation reported at least 44,000 IP addresses running cPanel as actively compromised, with attackers deploying the “Sorry” ransomware, a Go-based Linux encryptor that appends the .sorry extension to files, wipes backups, and uses ChaCha20 encryption protected by an embedded RSA-2048 public key. Separately, Censys and GreyNoise correlated data showing a spike of over 15,000 newly malicious cPanel hosts in a single day, with approximately 80% of all newly malicious hosts on May 1 running cPanel or WHM.
Beyond ransomware, Ctrl-Alt-Intel detected a sophisticated threat actor abusing CVE-2026-41940 on May 2 to target government and military entities in Southeast Asia, as well as managed service providers (MSPs) and hosting companies in the Philippines, Laos, Canada, South Africa, and the United States.
The MS-ISAC also flagged Mirai botnet installation and credential harvesting as additional post-compromise activities tied to cPanel exploitation campaigns.
Mitigation
Administrators running cPanel and WHM environments should take the following steps immediately:
- Update to the latest patched versions across all supported branches using `/scripts/upcp` or the automatic update mechanism.
- Review cPanel’s official IOC detection script to identify signs of prior compromise, particularly sessions with `tfa_verified` but no valid origin, pre-authenticated sessions carrying authenticated attributes, and password fields containing newlines.
- Restrict public-facing WHM ports and limit API access to trusted IP ranges to reduce the attack surface for abuse of the `create_user` API (CVE-2026-29202).
- For legacy CentOS 6 or CloudLinux 6 servers, switch the update tier to the `cl0` branch before applying the patch; the command as printed is `sed -i "sCPANEL*/CP=cl0/g" /etc/cpupdate.conf` (verify it against cPanel’s documentation before running it).
- Monitor for unusual `chmod` operations, symlink creation activity, and unexpected `perl` process spawning as early indicators of CVE-2026-29203 or CVE-2026-29202 exploitation.
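The last item is easier to act on with concrete rules and a triage pass. The block below is an added example (Python, not a cPanel tool) that groups auditd records by event id and flags the three indicators: a `chmod`-family call by an account on a path outside its own home, symlink creation by an account, and a perl interpreter started under an account uid. The sample records are constructed in the interpreted form `ausearch -i` prints (syscall names rather than numbers); the account name `sitea`, the paths and the helper binary in them are invented. The auditctl rules in the docstring are the ones that would emit such events.

```python
"""Triage auditd events for the indicators the mitigation list names: chmod by
an account on a path outside its own home (the CVE-2026-29203 shape), symlink
creation by an account, and a perl interpreter started under an account
(the CVE-2026-29202 shape).

Added example, not a cPanel tool. SAMPLE is constructed in `ausearch -i`
interpreted form; its account, paths and helper binary are invented.
Rules that would emit such events, in auditctl syntax:
  -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k cp_chmod
  -a always,exit -F arch=b64 -S symlink,symlinkat -F auid>=1000 -F auid!=4294967295 -k cp_symlink
  -a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k cp_exec
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
EVENT_ID = re.compile(r"msg=audit\([^)]*:(\d+)\)")
ARG_KEY = re.compile(r"a\d+")
CHMOD_CALLS = {"chmod", "fchmod", "fchmodat", "fchmodat2"}
SYMLINK_CALLS = {"symlink", "symlinkat"}
SYSTEM_ACTORS = {"root", "unset", "4294967295", "-1"}

SAMPLE = """\
type=SYSCALL msg=audit(05/08/2026 13:02:11.412:9001) : arch=x86_64 syscall=chmod success=yes exit=0 ppid=4100 pid=4101 auid=sitea uid=sitea gid=sitea comm=chmod exe=/usr/bin/chmod key=cp_chmod
type=PATH msg=audit(05/08/2026 13:02:11.412:9001) : item=0 name=/home/sitea/public_html/config.php inode=1302 mode=file,644 ouid=sitea ogid=sitea nametype=NORMAL
type=SYSCALL msg=audit(05/08/2026 13:02:15.020:9002) : arch=x86_64 syscall=symlinkat success=yes exit=0 ppid=4100 pid=4107 auid=sitea uid=sitea gid=sitea comm=ln exe=/usr/bin/ln key=cp_symlink
type=PATH msg=audit(05/08/2026 13:02:15.020:9002) : item=1 name=/home/sitea/tmp/cfg inode=1411 mode=link,777 ouid=sitea ogid=sitea nametype=CREATE
type=SYSCALL msg=audit(05/08/2026 13:02:19.777:9003) : arch=x86_64 syscall=fchmodat success=yes exit=0 ppid=1 pid=4120 auid=sitea uid=root gid=root comm=cp-helper exe=/usr/local/bin/cp-helper key=cp_chmod
type=PATH msg=audit(05/08/2026 13:02:19.777:9003) : item=0 name=/etc/ssh/sshd_config inode=8821 mode=file,600 ouid=root ogid=root nametype=NORMAL
type=SYSCALL msg=audit(05/08/2026 13:02:25.001:9004) : arch=x86_64 syscall=execve success=yes exit=0 ppid=4100 pid=4133 auid=sitea uid=sitea gid=sitea comm=perl exe=/usr/bin/perl key=cp_exec
type=EXECVE msg=audit(05/08/2026 13:02:25.001:9004) : argc=2 a0=perl a1=-e
type=SYSCALL msg=audit(05/08/2026 13:02:30.500:9005) : arch=x86_64 syscall=chmod success=yes exit=0 ppid=2 pid=900 auid=unset uid=root gid=root comm=cron exe=/usr/sbin/cron key=cp_chmod
type=PATH msg=audit(05/08/2026 13:02:30.500:9005) : item=0 name=/var/spool/cron/sitea inode=77 mode=file,600 ouid=root ogid=root nametype=NORMAL
"""


def parse_events(text: str) -> Dict[str, List[dict]]:
    """Group records by audit event id; all records of one syscall share the id."""
    events: Dict[str, List[dict]] = defaultdict(list)
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if m:
            events[m.group(1)].append({k: v.strip('"') for k, v in KV.findall(line)})
    return events


def actor_of(syscall: dict) -> Optional[str]:
    """The account behind the event. The login uid (auid) survives a setuid helper
    that runs as root, so it is preferred; fall back to uid; None for system activity."""
    auid = syscall.get("auid", "unset")
    if auid not in SYSTEM_ACTORS:
        return auid
    uid = syscall.get("uid", "root")
    return None if uid in SYSTEM_ACTORS else uid


def triage(text: str) -> List[dict]:
    """Return findings as dicts with event, severity, actor and detail."""
    findings: List[dict] = []
    for eid, recs in parse_events(text).items():
        sc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        actor = actor_of(sc) if sc else None
        if actor is None:
            continue
        call = sc.get("syscall", "")
        paths = [r["name"] for r in recs if r.get("type") == "PATH" and "name" in r]
        home = f"/home/{actor}/"
        if call in CHMOD_CALLS:
            outside = [p for p in paths if not p.startswith(home)]
            if outside:  # mode change reaching beyond the account's own tree
                findings.append(dict(event=eid, severity="high", actor=actor,
                                     detail=f"{call} on {', '.join(outside)} outside {home}"))
        elif call in SYMLINK_CALLS:
            findings.append(dict(event=eid, severity="low", actor=actor,
                                 detail=f"symlink created: {', '.join(paths)}"))
        elif call == "execve" and (sc.get("comm") == "perl" or sc.get("exe", "").endswith("/perl")):
            ex = next((r for r in recs if r.get("type") == "EXECVE"), {})
            argv = [v for k, v in sorted(ex.items(), key=lambda kv: (len(kv[0]), kv[0]))
                    if ARG_KEY.fullmatch(k)]
            findings.append(dict(event=eid, severity="medium", actor=actor,
                                 detail=f"perl started by account: {' '.join(argv)}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f['severity']:<6}] event {f['event']} actor={f['actor']}: {f['detail']}")
```

Keying on `auid` rather than `uid` is what makes event 9003 visible: the helper runs as root, but the login uid still names the account on whose behalf it changed a file under `/etc`. Symlink creation alone is normal for many hosting workflows, hence the low severity; it becomes interesting when it precedes a chmod or a privileged helper call touching the link.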
Although cPanel reports no confirmed in-the-wild exploitation of these three new CVEs as of the patch release date, the recent history with CVE-2026-41940 demonstrates that threat actors are actively and rapidly weaponizing cPanel vulnerabilities, often within 24 hours of public disclosure.
FAQ
Q1: What is CVE-2026-29202, and why is it dangerous?
It is a CVSS 8.8 Perl code injection flaw in cPanel’s create_user API that allows an authenticated attacker to execute arbitrary code with the privileges of the system user tied to the account.
Q2: Are these vulnerabilities being actively exploited in the wild?
cPanel has found no evidence of active exploitation of CVE-2026-29201, CVE-2026-29202, or CVE-2026-29203, though the broader cPanel ecosystem is currently under mass attack via the earlier CVE-2026-41940 flaw.
Q3: Which cPanel versions are safe after the May 8, 2026, update?
All version tracks from 11.86 through 11.136 have been patched, with WP Squared secured at version 11.136.1.10 and higher.
Q4: How does the “Sorry” ransomware relate to cPanel attacks?
Sorry ransomware is a Go-based Linux encryptor deployed by threat actors exploiting CVE-2026-41940; it encrypts hosted files with ChaCha20 and wipes backups across all accounts on a compromised server simultaneously.
Site: thecybrdef.com