WHM, cPanel, and WP Squared Vulnerability Allows Remote Code Execution
A vulnerability exists in WHM, cPanel, and WP Squared, Linux-based web hosting control panels, that could allow remote code execution: an attacker bypasses authentication, gains administrative access, and from there runs code on the server.
A vulnerability has been discovered in WHM, cPanel, and WP Squared, the Linux-based web hosting control panels commonly used to manage servers and the websites hosted on them. The flaw lets an unauthenticated remote attacker bypass the panel's authentication and obtain administrative access. Administrative access to a hosting control panel is itself sufficient to place and execute arbitrary code on the underlying server, so successful exploitation amounts to full compromise of the host and of every site it serves.
Attack Chain
- Unauthenticated attacker sends a specially crafted request to a vulnerable cPanel, WHM, or WP Squared endpoint.
- The request exploits an authentication bypass vulnerability, allowing the attacker to proceed without valid credentials.
- The attacker gains unauthorized administrative access to the web hosting control panel.
- The attacker leverages the administrative access to upload a malicious PHP script to a writable directory on the server.
- The attacker requests the uploaded PHP script over HTTP so that the web server executes it.
- The PHP script executes arbitrary commands on the underlying Linux operating system.
- The attacker opens a reverse shell for interactive access and adds persistence so that access survives the initial session.
- The attacker performs further reconnaissance, lateral movement, or data exfiltration based on their objectives.
Impact
Successful exploitation of this vulnerability grants attackers full control over the affected web hosting servers. This can lead to complete compromise of hosted websites, data theft, defacement, or the deployment of further malicious payloads. Given the wide use of cPanel, WHM, and WP Squared among web hosting providers, a large number of servers and websites are potentially at risk. The impact includes significant financial losses, reputational damage, and potential legal liabilities for both the hosting providers and their clients.
Recommendation
- Apply the patches or updates provided by cPanel to remediate the authentication bypass vulnerability.
- Implement the Sigma rule "Detect Suspicious PHP Upload via cPanel" to identify potential malicious PHP script uploads.
- Monitor web server logs for suspicious requests to cPanel endpoints, focusing on unusual parameters or authentication attempts, as covered by the Sigma rule "Detect Cpanel Authentication Bypass Attempts".
- Implement network segmentation to limit the impact of a compromised cPanel server on other internal systems, and restrict the panel's service ports (2082/2083 for cPanel, 2086/2087 for WHM) to trusted source addresses so that the vulnerable endpoints are not reachable from the open internet.
Detection coverage (2 rules)
Detect Suspicious PHP Upload via cPanel
Severity: high. Detects the upload of suspicious PHP files to common cPanel directories, which may indicate exploitation.
Detect Cpanel Authentication Bypass Attempts
Severity: medium. Detects attempts to bypass cPanel authentication by looking for specific HTTP status codes following login attempts.
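The following is an added example, not the platform's Sigma rules and not cPanel code, that replays the logic of the two detections above over constructed log data so the triage signal is concrete. It assumes cPanel's access_log is in combined log format, that authenticated cPanel/WHM URLs carry a "/cpsess<digits>/" session-token prefix, that a POST to /login answered with 2xx/3xx is a successful login while 4xx is a failure, and that the file-manager upload goes through the UAPI Fileman upload_files endpoint; the file-creation events are a constructed "user path process" triple standing in for an auditd or file-integrity feed. The access-log lines and file events are constructed sample data.

```python
"""Replay of the two cPanel detections over constructed log data (added example)."""
import re

# Assumed: combined log format, as used by /usr/local/cpanel/logs/access_log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
SESSION_RE = re.compile(r'^/cpsess\d+/')                      # assumed authenticated-URL prefix
UPLOAD_RE = re.compile(r'/execute/Fileman/upload_files\b')    # UAPI file-manager upload endpoint
PHP_RE = re.compile(r'\.(?:php\d?|phtml|phar)$', re.IGNORECASE)
WEB_ROOT_RE = re.compile(r'^/home/[^/]+/(?:public_html|www)/')  # assumed cPanel document roots

# Constructed sample data: 203.0.113.7 fails login, then reaches session URLs anyway.
ACCESS_LOG = """\
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "POST /login/?login_only=1 HTTP/1.1" 401 64
198.51.100.5 - - [01/Jan/2025:10:00:05 +0000] "POST /login/?login_only=1 HTTP/1.1" 200 210
198.51.100.5 - bob [01/Jan/2025:10:00:06 +0000] "GET /cpsess1234567890/frontend/jupiter/index.html HTTP/1.1" 200 8000
203.0.113.7 - alice [01/Jan/2025:10:01:00 +0000] "GET /cpsess9876543210/frontend/jupiter/index.html HTTP/1.1" 200 8000
203.0.113.7 - alice [01/Jan/2025:10:01:30 +0000] "POST /cpsess9876543210/execute/Fileman/upload_files HTTP/1.1" 200 120
"""
FILE_EVENTS = """\
alice /home/alice/public_html/wp-content/uploads/cmd.php cpsrvd
bob /home/bob/public_html/index.html cpsrvd
alice /home/alice/tmp/notes.txt cpsrvd
"""


def parse_access_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            entries.append(e)
    return entries


def detect_auth_bypass(entries):
    """Rule 'Detect Cpanel Authentication Bypass Attempts', as a status-code heuristic:
    flag every 200 on a session-token URL from a client that never received a
    successful (2xx/3xx) login response. Returns (ip, path) pairs in log order."""
    login_ok = set()
    findings = []
    for e in entries:
        if e["method"] == "POST" and e["path"].startswith("/login"):
            if 200 <= e["status"] < 400:
                login_ok.add(e["ip"])
        elif SESSION_RE.match(e["path"]) and e["status"] == 200 and e["ip"] not in login_ok:
            findings.append((e["ip"], e["path"]))
    return findings


def detect_php_upload(entries, file_events):
    """Rule 'Detect Suspicious PHP Upload via cPanel': a PHP file created under an
    account's web root, correlated with a successful file-manager upload request
    by that same account. Returns (user, path) pairs."""
    uploaders = {
        e["user"] for e in entries
        if e["method"] == "POST" and e["status"] == 200 and UPLOAD_RE.search(e["path"])
    }
    findings = []
    for line in file_events.strip().splitlines():
        user, path, _proc = line.split()
        if user in uploaders and WEB_ROOT_RE.match(path) and PHP_RE.search(path):
            findings.append((user, path))
    return findings


def run(access_log=ACCESS_LOG, file_events=FILE_EVENTS):
    entries = parse_access_log(access_log)
    return {
        "auth_bypass": detect_auth_bypass(entries),
        "php_upload": detect_php_upload(entries, file_events),
    }


if __name__ == "__main__":
    for rule, hits in run().items():
        print(rule)
        for hit in hits:
            print("  ", hit)
```

Two design points worth noting. The bypass check keys on session-URL access without a prior successful login rather than on failed logins alone, because an attacker exploiting an authentication bypass may never touch /login at all; the failed POST in the sample is incidental, not required. The upload check correlates two sources on the account name, since the upload request in the access log does not carry the uploaded filename, and a PHP file appearing in a web root is only interesting when it arrived through the panel rather than through the customer's own deployment.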