cPanel's Security Crisis: Three New High-Severity Vulnerabilities Emerge After 44,000-Server Ransomware Attack

In the world of web hosting infrastructure, few names carry as much weight as cPanel. The platform that powers millions of websites worldwide is currently facing its most serious security crisis in years, with three new high-severity vulnerabilities emerging just days after a massive ransomware attack compromised 44,000 servers.

The Immediate Threat: Three New CVEs

On May 8, 2026, cPanel released its second Technical Security Release (TSR) in just ten days, addressing three newly discovered vulnerabilities:

1. CVE-2026-29201 - Arbitrary File Read (CVSS 4.3)

   • An insufficient input validation in the feature::LOADFEATUREFILE adminbin call
   • Allows authenticated attackers to read files they shouldn't have access to
   • While not directly granting root access, it can provide valuable information for follow-up attacks

2. CVE-2026-29202 - Arbitrary Perl Code Execution (CVSS 8.8)

   • Flaw in the create_user API call's plugin parameter validation
   • Allows authenticated users to execute arbitrary Perl code
   • Particularly dangerous on shared hosting environments where one tenant could affect the entire server

3. CVE-2026-29203 - Privilege Escalation via Unsafe Symlink (CVSS 8.8)

   • Unsafe symlink handling that allows modification of arbitrary file permissions
   • Can lead to privilege escalation or denial of service
   • Could be chained with CVE-2026-29202 for more comprehensive attacks

The Context: A Perfect Storm of Vulnerabilities

These vulnerabilities didn't emerge in a vacuum. They were discovered during an emergency code audit triggered by a far more critical vulnerability disclosed just ten days earlier.

On April 28, 2026, cPanel patched CVE-2026-41940, a CVSS 9.8 authentication bypass that had been actively exploited as a zero-day since late February 2026. The consequences were severe:

• At least 44,000 IP addresses running cPanel were compromised
• Attackers deployed a Go-based Linux encryptor for a ransomware strain called "Sorry"
• The vulnerability had an approximately two-month window where attackers had unrestricted access

The concentration of these disclosures reflects a pattern security teams recognize all too well: when a critical vulnerability is discovered, deeper audits of adjacent code paths often reveal additional issues that were previously undiscovered or deprioritized.

Technical Analysis: Why These Vulnerabilities Matter

While CVE-2026-29201 carries a moderate CVSS score of 4.3, the other two vulnerabilities present significant risks:

CVE-2026-29202 (Arbitrary Perl Code Execution) is particularly concerning because:

• It requires only authentication, which in shared hosting environments can be obtained by any account holder
• Perl code executed in the context of cPanel has significant system-level access
• On shared servers, this could allow one tenant to run code affecting the entire machine
• The attack vector through the create_user API is particularly insidious as it's a legitimate function with insufficient input validation

CVE-2026-29203 (Privilege Escalation via Unsafe Symlink) is dangerous because:

• It can be combined with other vulnerabilities for more comprehensive attacks
• The ability to modify permissions on arbitrary files can disable security mechanisms
• In containerized or shared hosting environments, this could lead to complete compromise of the hosting infrastructure

The Broader Pattern: Accelerating Vulnerability Discovery

What's happening to cPanel is part of a wider trend affecting the entire web hosting security landscape:

1. Concentration of disclosures: Three major Linux kernel vulnerabilities (Copy Fail, Dirty Frag) were disclosed within eight days of each other in late April and early May 2026
2. Shifting vulnerability lifecycle: The window between vulnerability discovery and exploitation is shrinking from weeks to days
3. AI-assisted security research: New tools are finding vulnerabilities faster than coordinated disclosure processes can handle them
4. Supply chain attacks: Compromising widely-used software like cPanel provides attackers with access to thousands of servers at once

Practical Implications for System Administrators

For anyone managing cPanel servers, the operational implications are clear:

Immediate Actions:

1. Patch immediately: Run /scripts/upcp as root after 12:00 EST on May 8
2. Restart services: Run /scripts/restartsrv_cpsrvd after patching
3. Verify patch: Confirm the patched version with /usr/local/cpanel/cpanel -V
4. Enable automatic updates: If disabled, enable automatic cPanel updates

Forensic Investigation:

If your server was running an unpatched version between late February and April 28:

1. Review access logs: Check /usr/local/cpanel/logs/access_log and /usr/local/cpanel/logs/login_log from February 23, 2026 onwards
2. Scan for ransomware: Look for files with the .sorry extension in user home directories
3. Investigate anomalous API calls: Review whether any accounts may have used the create_user API anomalously

The Future of Web Hosting Security

The cPanel vulnerabilities highlight several emerging challenges:

1. Complexity vs. Security: As web hosting platforms become more feature-rich, the attack surface expands
2. Shared hosting risks: Multi-tenant environments create unique security challenges that are difficult to mitigate
3. Disclosure timelines: The traditional 90-day disclosure window may be too long when automated exploitation tools can leverage vulnerabilities within hours
4. Supply chain security: Compromising widely-used software like cPanel provides attackers with access to thousands of servers at once

For more information, refer to cPanel's official security advisory and the detailed analysis from security researchers tracking these vulnerabilities.

The cPanel situation serves as a stark reminder that in today's threat landscape, security is not a one-time fix but an ongoing process of vigilance, patching, and adaptation. As AI-assisted security research continues to accelerate vulnerability discovery, organizations must develop more responsive security practices to keep pace with emerging threats.