A successful exploit gives an attacker full administrative control of the hosting server, meaning every website, email account, database, and customer file hosted on that server is accessible and can be exfiltrated, modified, or destroyed. For managed hosting providers, a single compromised server may expose thousands of tenant accounts across their customer base. Organizations face regulatory exposure wherever hosted environments process personal data, payment information, or protected health information — a root-level compromise of a hosting server is a reportable data breach in most jurisdictions.
You Are Affected If
You run cPanel or WHM on any internet-facing hosting server (version ranges to be confirmed against cPanel's security advisories)
Your WHM interface (ports 2086/2087) or cPanel interface (ports 2082/2083) is accessible from the public internet without IP allowlisting
You have not applied the emergency cPanel security patch released in response to this vulnerability
You are a managed hosting provider with shared hosting infrastructure running cPanel/WHM
cPanel auto-update has been disabled on your servers, delaying receipt of the emergency patch
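An added audit helper for three of the conditions above (public exposure of the cPanel/WHM ports, and whether auto-update is enabled). This is illustrative code written for this page, not cPanel's own tooling or a script from any vendor advisory. It works on text fed to it, so it can be checked offline; the `ss -ltn` listing and the cpupdate.conf fragments below are constructed samples, and the `UPDATES=daily` key is taken from cPanel's documented /etc/cpupdate.conf format.

```shell
#!/bin/sh
# Added audit helper for the "You Are Affected If" checklist (illustrative, not cPanel tooling).
# It answers two of the questions from text you feed it:
#   1. Are cPanel/WHM ports listening on a wildcard address (reachable from any interface)?
#   2. Is cPanel's automatic update schedule enabled (UPDATES=daily in /etc/cpupdate.conf)?

# Service ports named in the advisory: cPanel 2082/2083, WHM 2086/2087.
CPANEL_PORTS="2082 2083 2086 2087"

# exposed_ports: read `ss -ltn`-style lines on stdin; print each cPanel/WHM port
# bound to a wildcard address (0.0.0.0, *, :: or [::]). Exit 0 if any were found,
# 1 if every such port is bound to a specific address or is not listening at all.
exposed_ports() {
  found=1
  while read -r state recvq sendq laddr peer rest; do
    [ "$state" = "LISTEN" ] || continue   # skips the header and non-listening rows
    port=${laddr##*:}                      # text after the last colon
    addr=${laddr%:*}                       # text before the last colon
    for p in $CPANEL_PORTS; do
      [ "$port" = "$p" ] || continue
      case "$addr" in
        0.0.0.0|'*'|::|'[::]') echo "$port"; found=0 ;;
      esac
    done
  done
  return $found
}

# auto_updates_enabled: read cpupdate.conf-style text on stdin; exit 0 only when
# the UPDATES key is set to daily (the schedule that delivers cPanel's patches).
auto_updates_enabled() {
  grep -q '^[[:space:]]*UPDATES=daily[[:space:]]*$'
}

# Constructed sample `ss -ltn` output (not captured from a real host): WHM on 2087
# and 2086 listens on every interface, cPanel on 2083 is bound to loopback only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:2087        0.0.0.0:*
LISTEN 0      128    127.0.0.1:2083      0.0.0.0:*
LISTEN 0      128    [::]:2086           [::]:*'

# Constructed cpupdate.conf fragments for the two outcomes.
SAMPLE_CONF_ON='UPDATES=daily
RPMUP=daily'
SAMPLE_CONF_OFF='UPDATES=manual
RPMUP=daily'

# Live use on a server (uncomment on the host itself):
#   ss -ltn | exposed_ports
#   auto_updates_enabled < /etc/cpupdate.conf || echo "auto-update is not daily"
```

On the constructed sample, `exposed_ports` prints 2087 and 2086 and exits 0, while a listing where the same ports are bound only to 127.0.0.1 exits 1. A non-zero exit from either function on a real host means the corresponding condition in the list above applies to you; a wildcard bind is only part of the picture, so confirm the host firewall or an IP allowlist in front of these ports before treating a loopback-bound result as safe.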
Board Talking Points
A critical flaw in our web hosting control software allows attackers to take over servers without a password — full access, no credentials required.
IT must apply the emergency vendor patch to all affected hosting servers immediately: within hours, not days.
If unpatched servers were accessed before we act, every website, database, and customer file on those servers should be treated as compromised.
GDPR — root-level server compromise constitutes a personal data breach if any EU resident data is hosted on affected servers, triggering 72-hour notification obligations
PCI-DSS — if payment card data or cardholder environments are hosted on affected cPanel servers, this constitutes a potential account data compromise requiring immediate incident response per PCI-DSS Requirement 12.10
HIPAA — if protected health information is stored or processed on affected hosting servers, the compromise triggers breach notification requirements under the HIPAA Breach Notification Rule