A successful compromise gives attackers complete control of the affected server, including every website, database, and customer account hosted on it. For managed service providers and shared hosting operators, a single compromised server can expose all tenants simultaneously, creating liability across hundreds or thousands of customers. Organizations face potential data loss, service outages, regulatory exposure where hosted applications handle personal or payment data, and significant reputational damage if customer sites are defaced or used to distribute malware.
You Are Affected If
You operate cPanel/WHM on any internet-facing server, including shared hosting, VPS, or managed hosting infrastructure
Your cPanel/WHM installation has not been updated to the patched version (confirm the specific patched version number against the official cPanel advisory at https://news.cpanel.com/category/security/)
WHM management ports (TCP 2086, 2087) or cPanel ports (TCP 2082, 2083) are accessible from the public internet without IP-based access restrictions
You are a managed service provider or shared hosting operator with multiple customers co-located on cPanel-managed servers
You have not audited cPanel server logs for unauthorized access attempts within the last 72 hours
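To check the port-exposure criterion in the list above from the server's own firewall rules, the following added example (not part of the original advisory or of cPanel) reports which of the four cPanel/WHM ports accept new connections from any source address. It assumes the host firewall is iptables and that the input is the output of `iptables-save -t filter`; it does not follow jumps into custom chains, does not handle negated matches, and cannot see upstream or cloud firewalls. The function names and the sample ruleset are constructed for illustration.

```python
import shlex

# Ports named in the list above: cPanel 2082/2083, WHM 2086/2087.
PANEL_PORTS = (2082, 2083, 2086, 2087)

# Constructed sample of `iptables-save -t filter` output, not from a real server.
SAMPLE_RULES = """\
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp -m multiport --dports 2086,2087 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2082:2083 -j ACCEPT
"""

def _opt(tokens, *names):
    """Return the value after the first of `names` found in tokens, else None."""
    for name in names:
        if name in tokens:
            return tokens[tokens.index(name) + 1]

def _covers(spec, port):
    """True if a --dport/--dports value such as '80,2082:2087' includes port."""
    return any(int(lo or 0) <= port <= int(hi or (65535 if sep else lo))
               for lo, sep, hi in (p.partition(":") for p in spec.split(",")))

def exposed_ports(ruleset, ports=PANEL_PORTS):
    """Ports whose first matching INPUT rule, or the policy, accepts any source."""
    policy, rules = "ACCEPT", []
    for line in ruleset.splitlines():
        if line.startswith(":INPUT "):
            policy = line.split()[1]
        elif line.startswith("-A INPUT "):
            rules.append(shlex.split(line))
    exposed = []
    for port in ports:
        verdict = policy
        for t in rules:
            state = _opt(t, "--ctstate", "--state")
            spec = _opt(t, "--dport", "--dports")
            if ("-i" in t or _opt(t, "-s") not in (None, "0.0.0.0/0")
                    or _opt(t, "-p") not in (None, "tcp")
                    or (state and "NEW" not in state.split(","))
                    or (spec and not _covers(spec, port))):
                continue  # rule cannot match a new connection from an arbitrary source
            if _opt(t, "-j") in ("ACCEPT", "DROP", "REJECT"):
                verdict = _opt(t, "-j")
                break
        if verdict == "ACCEPT":
            exposed.append(port)
    return exposed
```

On the constructed sample, the WHM ports are limited to one source range while the cPanel ports are open to any address, so only 2082 and 2083 are reported.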
Board Talking Points
Attackers are actively exploiting a critical flaw in cPanel — the software that controls many of our hosted servers — and have already compromised more than 40,000 servers globally, with fixes available but not yet universally applied.
Our teams should patch all affected cPanel servers within 24 hours and isolate any server that cannot be patched immediately; this is a time-sensitive action requiring prioritization above routine change windows.
Organizations that delay patching risk total loss of server control, exposure of all hosted customer data, and extended outages that could take days to recover from if attackers establish persistent access.
PCI-DSS — cPanel-hosted servers processing or transmitting payment card data are subject to PCI-DSS; root-level compromise constitutes a reportable incident and may trigger acquirer notification requirements
GDPR / regional privacy law — shared hosting environments storing EU resident personal data on compromised cPanel servers trigger breach notification obligations under GDPR Article 33 within 72 hours of discovery
HIPAA — any cPanel-hosted application handling protected health information faces breach notification and business associate agreement implications if the server is confirmed compromised