Attack Chain

1. Attacker identifies a vulnerable cPanel & WHM instance running an outdated version.
2. Attacker leverages publicly available exploit code or develops a custom exploit based on disclosed vulnerability details.
3. Attacker sends a malicious HTTP request to the targeted cPanel & WHM server, triggering the vulnerability.
4. If successful, the attacker gains unauthorized access to the cPanel & WHM system.
5. Attacker escalates privileges within the cPanel & WHM environment, potentially gaining root access.
6. Attacker deploys a web shell or other persistent backdoor for continued access and control.
7. Attacker uses the compromised system to launch further attacks, such as defacement, data exfiltration, or malware distribution.
8. Attacker attempts to move laterally within the network, compromising other systems and resources.

Impact

Successful exploitation of these vulnerabilities in cPanel & WHM could lead to significant consequences for web hosting providers and their customers. Impacts may include unauthorized access to sensitive data, defacement of websites, disruption of services, and potential financial losses. The number of affected systems is potentially large, given the widespread use of cPanel & WHM in the web hosting industry.

Recommendation

• Immediately upgrade cPanel & WebHost Manager (WHM) software to the latest versions (11.86.0.44, 11.94.0.31, 11.102.0.42, 11.110.0.118, 11.118.0.67, 11.124.0.38, 11.126.0.59, 11.130.0.23, 11.132.0.32, 11.134.0.26, 11.136.0.10 and WP Squared 11.136.1.12 or later) as recommended in the cPanel Security advisory.
• Monitor web server logs for suspicious activity that may indicate exploitation attempts, focusing on unusual HTTP requests and error codes (webserver category).
• Implement a web application firewall (WAF) with rulesets designed to detect and block common cPanel & WHM exploits (webserver category).