cPanel & WHM Zero-Day Exploited for Months, Granting Admin Access

A critical authentication bypass vulnerability in cPanel & WHM has been actively exploited as a zero-day for months, according to SecurityWeek. This flaw allows attackers to gain full administrative access to vulnerable servers, posing a significant risk to the integrity and security of hosted environments.

This isn’t a theoretical issue; it’s an active exploitation that grants an attacker the keys to your kingdom. With administrative access, they can manipulate websites, access sensitive data, deploy malware, or establish persistent footholds for future operations. The long exploitation window means many systems are likely already compromised.

For defenders, this is a clear signal to prioritize patching and aggressive log review. Because the flaw bypasses authentication entirely, login controls and perimeter defenses offer no protection against it; focus your investigation on what an attacker does after the bypass.

What This Means For You

  • If your organization uses cPanel & WHM, you must immediately patch to the latest version. This isn't a 'wait and see' situation; attackers have had months to exploit this. Review your server logs for any unusual administrative activity, unauthorized file modifications, or new user accounts created during the exploitation period.
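One way to carry out that log review, as an added example that is not from the article or from cPanel: the script below scans WHM access-log lines for successful administrative requests from IPs outside an allowlist, and for account-creating or account-modifying WHM API calls, inside the exploitation window. The log lines are constructed samples in a format assumed to resemble /usr/local/cpanel/logs/access_log; the allowlist, window, admin user set and list of account-changing calls are assumptions to adapt to your environment.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines; the format is assumed to resemble WHM's
# /usr/local/cpanel/logs/access_log. Check against a real log before use.
SAMPLE_LOG = """\
203.0.113.5 - root [01/15/2026:09:12:03 -0000] "GET /json-api/listaccts?api.version=1 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.5 - root [01/15/2026:09:14:41 -0000] "POST /json-api/createacct?api.version=1&username=bkup2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.20 - root [01/15/2026:10:02:17 -0000] "GET /scripts/command?PFILE=main HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - root [01/16/2026:03:45:09 -0000] "POST /json-api/modifyacct?api.version=1&user=bkup2 HTTP/1.1" 200 300 "-" "curl/8.0"
192.0.2.77 - alice [01/16/2026:08:00:00 -0000] "GET /frontend/jupiter/index.html HTTP/1.1" 200 2000 "-" "Mozilla/5.0"
"""
# Assumptions: IPs your admins normally use, admin usernames, and the review window.
ALLOWED_ADMIN_IPS = {"198.51.100.20"}
ADMIN_USERS = {"root"}
WINDOW_START = datetime(2026, 1, 15, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 1, 17, tzinfo=timezone.utc)
# WHM API 1 calls that create or alter accounts (extend for your environment).
ACCOUNT_CHANGING_CALLS = {"createacct", "modifyacct", "setupreseller", "passwd"}
LINE_RE = re.compile(r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    # Return a dict for one access-log line, or None if it does not match.
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y:%H:%M:%S %z")
    # The last path segment before the query string is the API function name.
    rec["call"] = rec["path"].split("?", 1)[0].rsplit("/", 1)[-1]
    return rec

def find_suspicious_admin_activity(log_text, allowed_ips, start, end):
    # Flag successful admin requests from unexpected IPs and account changes in the window.
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != "200" or not start <= rec["ts"] <= end:
            continue
        reasons = []
        if rec["user"] in ADMIN_USERS and rec["ip"] not in allowed_ips:
            reasons.append("admin_request_from_unexpected_ip")
        if rec["call"] in ACCOUNT_CHANGING_CALLS:
            reasons.append("account_change:" + rec["call"])
        if reasons:
            findings.append({"ip": rec["ip"], "user": rec["user"], "time": rec["ts"].isoformat(), "call": rec["call"], "reasons": reasons})
    return findings

def scan_sample():
    # Run the review over the constructed sample with the assumed allowlist and window.
    return find_suspicious_admin_activity(SAMPLE_LOG, ALLOWED_ADMIN_IPS, WINDOW_START, WINDOW_END)
```

Each finding carries the source IP, user, timestamp, API call and the reasons it was flagged, so results can be triaged against change records before treating them as compromise.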

Related ATT&CK Techniques

πŸ›‘οΈ Detection Rules

3 rules Β· 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free β€” export to any SIEM format via the Intel Bot.

  • T1190 Initial Access (severity: critical): detection rule "cPanel Authentication Bypass - Admin Access Attempt"

Sigma YAML rule. Source: Shimi's Cyber World.

Indicators of Compromise

ID                    Type         Indicator
cPanel-WHM-Zero-Day   Auth Bypass  cPanel & WHM
cPanel-WHM-Zero-Day   Auth Bypass  Administrative access to vulnerable servers