Under normal conditions, cPanel authentication follows a secure login flow. However, this vulnerability disrupts that process by allowing manipulated session data to be trusted by the system.<\/p>\n\n\n\n
How cPanel Login Normally Works<\/h2>\n\n\n\n
When a user logs into cPanel\/WHM, the following process takes place:<\/p>\n\n\n\n
- \n
- User accesses the WHM\/cPanel login page<\/li>\n\n\n\n
- Username and password are entered<\/li>\n\n\n\n
- cPanel verifies the credentials<\/li>\n\n\n\n
- A session file (temporary login ticket) is created<\/li>\n\n\n\n
- The session is stored on the server<\/li>\n\n\n\n
- All subsequent requests use this session for authentication<\/li>\n<\/ol>\n\n\n\n
This ensures that only authenticated users can access administrative features.<\/p>\n\n\n\n
What Goes Wrong in This Vulnerability<\/h2>\n\n\n\n
Due to the bug, an attacker is able to manipulate the session file during the login process<\/strong>.<\/p>\n\n\n\n
Instead of waiting for proper authentication, cPanel may incorrectly trust session data that has been altered before verification is completed.<\/p>\n\n\n\n
How the Attack Works<\/h2>\n\n\n\n
An attacker can send a specially crafted request containing modified or fake session parameters<\/strong>.<\/p>\n\n\n\n
By inspecting login requests using browser developer tools (Network tab), the attacker can alter outgoing requests before they reach the server.<\/p>\n\n\n\n
Example Scenario<\/h3>\n\n\n\n
Normal Request:<\/strong><\/p>\n\n\n\n
user=admin
pass=wrongpassword<\/code><\/pre>\n\n\n\nModified Malicious Request:<\/strong><\/p>\n\n\n\n
user=admin
pass=wrongpassword
cp_security_token=\/cpsess99999999
successful_external_auth_with_timestamp=1<\/code><\/pre>\n\n\n\n\n
Note: This is only a conceptual example for understanding the issue.<\/p>\n<\/blockquote>\n\n\n\n
What the Attacker Achieves<\/h3>\n\n\n\n
- \n
- No need to know the actual password<\/li>\n\n\n\n
- Injects fake authentication-related parameters<\/li>\n\n\n\n
- Sends a modified request to the server<\/li>\n<\/ul>\n\n\n\n
cPanel then incorrectly processes these values and may treat the session as authenticated.<\/p>\n\n\n\n
Root Cause of the Issue<\/h2>\n\n\n\n
The vulnerability occurs because:<\/p>\n\n\n\n
- \n
- The attacker injects a fake token into the login request<\/li>\n\n\n\n
- cPanel writes this data into the session file too early<\/li>\n\n\n\n
- The session file is then used for validation<\/li>\n\n\n\n
- cPanel mistakenly trusts the manipulated session data<\/li>\n<\/ul>\n\n\n\n
In Simple Terms:<\/h3>\n\n\n\n
cPanel trusted session data that was influenced by attacker-controlled input before authentication was completed.<\/p>\n\n\n\n
Fixed Versions Released by cPanel<\/h2>\n\n\n\n
The issue has been patched in the following versions:<\/p>\n\n\n\n
11.86.0.41
11.110.0.97
11.118.0.63
11.126.0.54
11.130.0.19
11.132.0.29
11.136.0.5
11.134.0.20<\/code><\/pre>\n\n\n\nIf your system is running any of these versions, the vulnerability is considered fixed. Older versions may still be at risk.<\/p>\n\n\n\n
Required Actions (Update Process)<\/h2>\n\n\n\n
To secure your server, update cPanel using:<\/p>\n\n\n\n
\/scripts\/upcp --force<\/code><\/pre>\n\n\n\nVerify Update Status<\/h3>\n\n\n\n
\/usr\/local\/cpanel\/cpanel -V<\/code><\/pre>\n\n\n\nRestart cPanel Service<\/h3>\n\n\n\n
\/scripts\/restartsrv_cpsrvd<\/code><\/pre>\n\n\n\nTemporary Mitigation (If Update Is Not Possible)<\/h2>\n\n\n\n
If immediate updating is not possible, you can reduce exposure by blocking access to cPanel services:<\/p>\n\n\n\n
2083 \u2192 cPanel
2087 \u2192 WHM
2095 \u2192 Webmail
2096 \u2192 Webmail SSL <\/code><\/pre>\n\n\n\nImportant Drawback:<\/h3>\n\n\n\n
Blocking these ports will also prevent legitimate users and administrators from accessing cPanel\/WHM until access is restored.<\/p>\n\n\n\n
Detection of Potential Exploitation<\/h2>\n\n\n\n
cPanel also provides a detection script<\/strong> to identify signs of compromise. It checks for the following red flags:<\/p>\n\n\n\n
1. Fake Token + Failed Token Combination<\/p>\n\n\n\n
token_denied=1
cp_security_token=\/cpsessXXX
origin=method=badpass<\/code><\/pre>\n\n\n\n2. Pre-Authentication Session Claiming Login Success<\/p>\n\n\n\n
3. 2FA Marked as Passed Without Valid Login<\/p>\n\n\n\n
4. Password Field Containing Hidden Newlines<\/p>\n\n\n\n
Detection Script Reference: cPanel Security Advisory<\/a><\/p>\n\n\n\n
Additional Security Recommendations<\/h2>\n\n\n\n
To further reduce risk and strengthen security posture:<\/p>\n\n\n\n
- \n
- Enable IP-based access restrictions<\/strong> for WHM\/cPanel<\/li>\n\n\n\n
- Restrict access using VPN-only administration<\/strong><\/li>\n\n\n\n
- Monitor logs for unusual or repeated login attempts<\/li>\n\n\n\n
- Enforce strong password policies<\/strong><\/li>\n\n\n\n
- Enable Multi-Factor Authentication (MFA)<\/strong> for all admin users<\/li>\n<\/ul>\n\n\n\n
Conclusion<\/h2>\n\n\n\n
This vulnerability highlights how session handling flaws can lead to serious authentication bypass issues in critical systems like cPanel & WHM. While patches are available, securing access through layered controls such as IP restriction, MFA, and monitoring is essential to reduce exposure and prevent exploitation.<\/p>\n\n\n\n
Worried about cPanel\/WHM security vulnerabilities or need help securing your server infrastructure? <\/a><\/p>\n\n\n\n
Get expert assistance from SupportPro<\/a> for proactive monitoring, patch management, and 24\/7 technical support to keep your systems safe and fully protected.<\/p>\n\n\n\n
\nFacing issues? <\/p>\n\n\n\n
Our technical support
engineers can solve it. <\/p>\n\n\n\n![\"Contact](\"https:\/\/no-cache.hubspot.com\/cta\/default\/2725694\/3350a795-db50-482f-9911-301930d1b1be.png\")
<\/a><\/span> - Restrict access using VPN-only administration<\/strong><\/li>\n\n\n\n
- Enable IP-based access restrictions<\/strong> for WHM\/cPanel<\/li>\n\n\n\n