⚠️ THREAT ALERT: cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now
The recent cPanel & WHM security bulletin discloses three independent flaws that collectively expand the attack surface of the hosting stack. The first vulnerability (CVE‑2026‑3111) is a deserialization bug in the cpanel‑php module that processes user‑supplied XML payloads for the API2 “listaccts” endpoint. Crafted XML with malicious PHP object injection can trigger arbitrary code execution under the “cpanel” user, which holds elevated privileges for managing account configurations and executing system commands. The second issue (CVE‑2026‑3112) is a privilege‑escalation path in the WHM “adddns” routine, where insufficient validation of the “zonefile” parameter permits directory traversal (../) to overwrite arbitrary files within /etc/, allowing a low‑privileged reseller to replace root‑owned configuration files and gain root shell access via a subsequent systemd service reload. The third flaw (CVE‑2026‑3113) is a race condition in the “cpanel‑backup” daemon that fails to lock the temporary backup directory, enabling a local attacker to replace the backup archive with a symlink to /etc/shadow; when the daemon later compresses the archive, it inadvertently writes sensitive credential data into a location readable by the attacker’s web‑user account. All three bugs are exploitable remotely or locally without authentication, making them high‑severity (CVSS ≈ 9.8) and suitable for chaining into full compromise of the server.
Mitigation guidance centers on immediate application of the patched RPMs (cpanel‑php‑7.4.30‑1.el7, cpanel‑whm‑11.112‑20260312, cpanel‑backup‑2.2‑20260312) which introduce hardened deserialization checks, canonicalization of file path inputs, and proper file‑system locking for backup operations. Administrators should also enforce “api2‑only‑allow‑trusted‑hosts” and disable the “listaccts” API for untrusted networks until the patch is deployed, as a stop‑gap against CVE‑2026‑3111. For CVE‑2026‑3112, enable SELinux enforcing mode and set “fs.protected_regular=1” to block unauthorized overwrites of system configuration files via traversal. Deploying AppArmor profiles for the backup daemon will further contain the race condition exploit, while rotating all root‑owned credentials and re‑issuing SSH keys mitigates any potential credential leakage from the archive tampering.
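To turn the patch list above into a check that can be run against a host, here is an added example (not code from cPanel or from the bulletin): it compares installed package builds against the three patched RPM versions named above and flags the two CVE‑2026‑3112 stop‑gaps that are missing. The version comparison is a simplified rpmvercmp, and the `rpm -q`, `sysctl` and `getenforce` output at the bottom is constructed sample data.

```python
import re
# Patched versions named in the bulletin: name -> (version, release).
PATCHED = {
    "cpanel-php": ("7.4.30", "1.el7"),
    "cpanel-whm": ("11.112", "20260312"),
    "cpanel-backup": ("2.2", "20260312"),
}

def rpm_vercmp(a, b):
    """Simplified rpmvercmp: -1 if a < b, 0 if equal, 1 if a > b (no tilde/caret handling)."""
    tok = lambda s: re.findall(r"\d+|[a-zA-Z]+", s)  # numeric/alpha runs, as rpmvercmp tokenizes
    sa, sb = tok(a), tok(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment sorts newer than an alpha one
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def unpatched(rpm_lines):
    """From `rpm -q` output lines of the form name-version-release, return the
    bulletin packages that are installed but older than the patched build."""
    out = []
    for line in rpm_lines:
        line = line.strip()
        if not line or line.endswith("is not installed"):
            continue  # absent package: nothing to patch on this host
        name, ver, rel = line.rsplit("-", 2)
        if name in PATCHED:
            pver, prel = PATCHED[name]
            if (rpm_vercmp(ver, pver) or rpm_vercmp(rel, prel)) < 0:
                out.append(name)
    return out

def hardening_gaps(sysctl_text, getenforce_text):
    """Flag the CVE-2026-3112 stop-gaps from the bulletin that are not in place."""
    gaps = []
    m = re.search(r"^fs\.protected_regular\s*=\s*(\d+)", sysctl_text, re.M)
    if not m or int(m.group(1)) < 1:
        gaps.append("fs.protected_regular")
    if getenforce_text.strip() != "Enforcing":
        gaps.append("selinux")
    return gaps
# Constructed sample output (not from a real host): two packages lag the patched build.
SAMPLE_RPM = ["cpanel-php-7.4.29-1.el7", "cpanel-whm-11.112-20260312",
              "cpanel-backup-2.2-20260301", "package example-pkg is not installed"]
SAMPLE_SYSCTL = "fs.protected_regular = 0\nfs.protected_symlinks = 1\n"
```

On a live host, feed `unpatched()` the lines of `rpm -q cpanel-php cpanel-whm cpanel-backup` and `hardening_gaps()` the output of `sysctl fs.protected_regular` and `getenforce`.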
Long‑term hardening recommendations include transitioning to cPanel’s “Secure‑Authentication” mode, which signs API requests with HMAC to thwart injection attempts, and moving critical services (DNS, backup) into isolated containers or VMs to enforce least‑privilege boundaries. Regularly scanning for the presence of the vulnerable XML string patterns (e.g., “