cPanel and WHM power a large share of the global shared hosting market, meaning a single compromised server can expose dozens to thousands of customer websites and their associated data simultaneously. An attacker who exploits this vulnerability without credentials can deface websites, exfiltrate customer data, install malware served to website visitors, or use compromised servers as infrastructure for further attacks — all before a hosting provider detects the intrusion. Hosting providers, managed service providers, and any organization running self-managed cPanel servers face direct operational disruption, potential regulatory exposure if customer data is accessed, and serious reputational harm if customer websites are weaponized.
You Are Affected If
You run cPanel or WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, or 11.136.0.5 on any production server
Your cPanel (ports 2082/2083) or WHM (ports 2086/2087) interfaces are accessible from the public internet without firewall restrictions
You have not yet manually applied the WebPros International emergency out-of-band patch, as no automated update is confirmed
You are a hosting provider or MSP managing shared hosting environments where a single server hosts multiple customer accounts
You use cPanel/WHM as part of a reseller hosting arrangement and do not control the underlying patch deployment schedule
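The first two conditions above can be checked across a server inventory. The following is an added example, not code from WebPros or from this advisory: it assumes each build listed above is the fix for its own release branch, and the host names, version strings and port lists in the sample inventory are constructed.

```python
import re

# Fixed builds listed in this advisory. Assumption: each one is the fix
# for its own release branch (11.110, 11.118, ...).
FIXED_BUILDS = [(11, 110, 0, 97), (11, 118, 0, 63), (11, 126, 0, 54),
                (11, 132, 0, 29), (11, 134, 0, 20), (11, 136, 0, 5)]
FIXED_BY_BRANCH = {build[:2]: build for build in FIXED_BUILDS}
PANEL_PORTS = {2082, 2083, 2086, 2087}  # cPanel and WHM ports named above

def parse_version(text):
    """Turn '11.110.0.96' into (11, 110, 0, 96); reject anything else."""
    match = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())

def classify(version_text):
    """Return 'vulnerable', 'patched' or 'unlisted-branch' for one version."""
    version = parse_version(version_text)
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        return "unlisted-branch"  # the advisory gives no fixed build: check by hand
    return "patched" if version >= fixed else "vulnerable"

def triage(inventory):
    """Sort (host, version, public_ports) rows, most urgent first."""
    rows = []
    for host, version_text, public_ports in inventory:
        try:
            status = classify(version_text)
        except ValueError:
            status = "unparsed"
        exposed = sorted(PANEL_PORTS & set(public_ports))
        if status == "vulnerable":
            priority = 0 if exposed else 1   # internet-facing panels first
        elif status == "patched":
            priority = 3
        else:
            priority = 2                     # needs a manual look
        rows.append((priority, host, status, exposed))
    return sorted(rows)

# Constructed sample inventory: host, installed version, internet-reachable ports.
SAMPLE_INVENTORY = [
    ("web02.example", "11.136.0.5", [80, 443, 2083]),
    ("web04.example", "11.120.0.30", [2087]),
    ("web03.example", "11.126.0.12", [80, 443]),
    ("web01.example", "11.110.0.96", [80, 443, 2083, 2087]),
]

if __name__ == "__main__":
    for priority, host, status, exposed in triage(SAMPLE_INVENTORY):
        print(priority, host, status, exposed)
```

A "patched" result only means the reported version is at or above the listed build; servers on a branch the advisory does not list are flagged for manual review rather than assumed safe.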
Board Talking Points
A critical flaw in cPanel and WHM — software that manages a large share of the world's web hosting infrastructure — allows attackers to take full control of servers and customer accounts without any login credentials.
Every server running affected versions must receive a manually applied emergency patch immediately; there is no automatic update, meaning our exposure window depends entirely on how quickly operations teams can act.
Without urgent patching, attackers can compromise customer websites, steal hosted data, and use our infrastructure for further attacks — creating direct liability, regulatory exposure, and reputational damage that compounds the longer servers remain unpatched.
PCI-DSS — cPanel/WHM servers hosting e-commerce sites or payment forms represent a potential cardholder data environment; server compromise could expose payment-related data processed or transmitted through hosted sites
GDPR / regional privacy law — shared hosting environments commonly store personal data of website operators' customers; unauthorized server access triggering data exposure may constitute a reportable breach
HIPAA — hosting providers serving healthcare clients whose cPanel servers store or transmit protected health information face breach notification obligations if exploitation occurs