TL;DR: The thing that catches most devs off guard isn't a sophisticated zero-day — it's that their freshly provisioned cPanel/WHM instance gets fingerprinted by automated scanners within two to four hours of going live with a public IP. Shodan, masscan-based botnet crawlers, and pu
📖 Reading time: ~26 min
What's in this article
- Why Your Shared Hosting Stack Is a Bigger Target Than You Think
- How cPanel/WHM Auth Bypass Vulnerabilities Actually Work
- Reproducing the Risk: What Security Researchers Actually Test
- The 3 Misconfigurations I See on Almost Every cPanel Server
- Hardening Your cPanel/WHM Installation Step by Step
- Reading the Logs: How to Tell If Someone Already Probed Your Server
- When NOT to Rely on cPanel's Built-In Security
- Quick Reference: cPanel Security Checklist
Why Your Shared Hosting Stack Is a Bigger Target Than You Think
The thing that catches most devs off guard isn't a sophisticated zero-day — it's that their freshly provisioned cPanel/WHM instance gets fingerprinted by automated scanners within two to four hours of going live with a public IP. Shodan, masscan-based botnet crawlers, and purpose-built cPanel hunters all probe port 2082, 2083, 2086, and 2087 constantly. If your WHM is answering on those ports, you're already in someone's target list before you've finished configuring your first reseller account.
Auth bypass vulnerabilities in cPanel/WHM follow a specific pattern that's worth understanding mechanically. It's not about stealing passwords. The attack class targets API endpoints that were designed to accept authenticated sessions but, due to logic flaws in how tokens or session identifiers are validated, accept crafted unauthenticated requests instead. A PoC for this kind of bug typically looks something like a raw HTTP request to a privileged WHM API endpoint with a malformed or absent authentication header that the backend processes anyway — either because of a missing validation branch, a truthy check on a null value, or a race condition in session handling. The attacker doesn't need your credentials. They need the server to think it already checked them.
# Simplified illustration of what an auth bypass probe looks like at the HTTP level
# Real PoCs target specific WHM API v1 endpoints
GET /json-api/createacct?username=attacker&domain=evil.com&plan=default HTTP/1.1
Host: your-whm-server.com:2087
Authorization: cpanel username=:
# That blank-after-colon token is the tell — it shouldn't work, but in vulnerable versions it does
Who actually needs to lose sleep over this: if you manage a VPS with WHM and resell cPanel accounts to clients, you're running a multi-tenant system where one compromised WHM session means every hosted account underneath it is exposed. Freelancers running reseller accounts are arguably the highest-risk group because they often set up WHM once, configure their handful of client sites, and then never revisit the security posture. Agencies on dedicated cPanel servers face a different risk — they typically have more accounts under management, which makes the blast radius of a successful auth bypass much larger. A single WHM admin token gives an attacker the ability to create accounts, modify DNS, pull cPanel credentials for all hosted users, and install backdoors at the server level.
The multi-tenant architecture of WHM is specifically what makes these installs attractive targets beyond just the software's market share. A compromised shared hosting server isn't one victim — it's dozens. Attackers can harvest email sending infrastructure for spam campaigns, pivot into client databases, or use the compromised accounts for SEO spam injection without the primary owner noticing for weeks. Reseller setups make this worse because the reseller often has less visibility into individual cPanel accounts than a sysadmin running their own dedicated stack would. If you're managing any of this infrastructure and want a broader look at the operational tooling around it, the Essential SaaS Tools for Small Business in 2026 guide covers monitoring and management tools worth integrating into your stack.
The practical defense before we get into specifics: restrict WHM ports to known IPs at the firewall level. Not optional, not "a good idea" — required if you're serious. cPanel's built-in cPHulk brute force protection does almost nothing against auth bypass PoCs because those attacks don't fail authentication — they skip it entirely. Your perimeter firewall is your actual first line of defense here, and most people running reseller accounts on VPS have never touched it.
How cPanel/WHM Auth Bypass Vulnerabilities Actually Work
The thing that surprises most developers when they first look at cPanel security research is how much attack surface comes from the sheer age of the codebase. cpsrvd — the daemon listening on ports 2082/2083 (cPanel) and 2086/2087 (WHM) — has been running variations of the same session handling logic for over two decades. That age shows in the vulnerability patterns.
The general attack class against cpsrvd involves manipulating or forging session tokens to gain unauthenticated access. Sessions in cPanel are tied to /cpsess{TOKEN}/ URL paths, where that token is validated server-side. The vulnerability isn't always "no validation exists" — it's often "the validation has an edge case when the token is malformed, oversized, or contains unexpected characters." Historically, this has included off-by-one errors in token length checks, Unicode normalization tricks, and HTTP header injection that smuggles a second request through a trusted connection. The daemon trusts too much about the shape of the incoming request before it finishes authenticating it.
CVE-2023-29489 is a clean example of how these bugs manifest in practice. The vulnerable endpoint was /cpanelwebcall/, which was accessible before authentication and reflected content from URL parameters into the response without sanitization. The reason it mattered beyond a basic XSS: because cpsrvd serves the cPanel UI directly (not through a separate web server in many configurations), a stored or reflected XSS on that daemon lets you steal session tokens that have full cPanel-level access. You're not just hijacking a user session in a CMS — you're getting a token that can manage email accounts, DNS zones, and database credentials for every account on that server. cPanel patched this in version 11.109.9999.116, but the gap between "patch released" and "hosting provider applies it" on managed servers is often measured in weeks.
WHM's API token system introduces a different attack vector. WHM admins can create API tokens with specific privilege scopes, which sounds fine in principle. The problem I've seen repeatedly in real configurations: tokens get created with all access because it's easier than reading the privilege list, then stored in application config files with world-readable permissions, or hardcoded into deploy scripts that end up in git. A leaked WHM API token can be used directly in HTTP requests — no session, no login flow, just:
GET /json-api/listaccts HTTP/1.1
Host: yourserver.com:2087
Authorization: whm root:YOUR_API_TOKEN_HERE
That request lists every cPanel account on the server with no interactive authentication. If the token has create-account or passwd scope, an attacker can create backdoor accounts or reset passwords silently.
The XML-API vs UAPI distinction matters because they represent different eras of the codebase with different security postures. UAPI (the modern interface, routed through /execute/Module/function) has better input validation and is what cPanel officially pushes developers toward now. The legacy XML-API at /xml-api/ is still fully functional on most servers and receives less active security scrutiny. Endpoints that were never fully deprecated in XML-API sometimes have looser parameter handling than their UAPI equivalents. If you're auditing a server, check whether XML-API is even accessible — many admins don't realize both are active simultaneously.
A PoC targeting the /cpsess{token}/execute/ path conceptually looks like this: an attacker first obtains a partial or expired session token through an information leak (error messages, log exposure, timing attacks on token validation), then crafts requests probing whether the token check short-circuits on malformed input:
POST /cpsessINVALIDTOKEN/execute/Email/list_pops HTTP/1.1
Host: target:2083
Content-Type: application/x-www-form-urlencoded
Cookie: cpsession=INVALIDTOKEN%00injected
# The null byte or oversized token forces a code path
# that some older cpsrvd versions didn't fully validate
# before returning data from the next handler
The null byte trick specifically is a classic from this vulnerability class — a %00 in the session path or cookie value can cause strcmp-based validation to truncate the comparison early, effectively matching against an empty string that resolves to an unauthenticated default. This isn't hypothetical: variations of this pattern appear in multiple historical cPanel CVEs. If you run cPanel, check your version against the official security advisories page and treat any server more than two patch cycles behind as actively at risk.
Reproducing the Risk: What Security Researchers Actually Test
Before anything else: everything here is about auditing infrastructure you own or have explicit written permission to test. Running these probes against someone else's server crosses into CFAA territory fast. The reason I'm walking through the actual mechanics is that you cannot defend against an attack pattern you've never seen in the wild. Reading a CVE advisory is not the same as watching what an auth bypass actually looks like in your own logs.
The fastest sanity check on any cPanel installation is throwing a session-less request at an authenticated API endpoint and seeing what comes back. This curl command does exactly that:
# -s = silent, -k = skip cert validation (for self-signed), no cookie/session header
curl -sk https://your-server:2083/cpsess0/execute/Email/list_pops
# A properly secured server returns this:
{"cpanelresult":{"error":"You do not have access to cpsess0","type":"text","data":null,"status":0}}
# A misconfigured or unpatched server hands you this:
{"cpanelresult":{"data":[{"email":"admin@yourdomain.com","login":"admin",...}],"status":1}}
That second response — actual mailbox data with no auth token — is what a successful bypass looks like. The cpsess0 segment is supposed to be a session token that cPanel validates server-side. On vulnerable builds, that validation is either skipped or trivially bypassed. Check your version immediately after running that probe:
cat /usr/local/cpanel/version
# Should output something like: 114.0.12
# Anything below the current stable release means you're carrying known CVEs
WHM pushes updates automatically if you have UPDATES=daily in /etc/cpupdate.conf, but I've seen production boxes where someone turned that off to "prevent surprises" and then forgot about it for two years. Running a version from 2022 on a public-facing box isn't a configuration choice, it's a liability.
For systematic auditing across your own infrastructure, Nuclei with the community cPanel templates gives you coverage you'd spend days replicating manually. The CVE templates are the ones that matter here:
# Install or update Nuclei templates first
nuclei -update-templates
# Run only CVE templates against your cPanel port
nuclei -u https://your-server:2083 -t cves/ -severity critical,high -o cpanel-audit-results.txt
# Narrow further to cPanel-specific templates if you want less noise
nuclei -u https://your-server:2083 -t cves/ -tags cpanel
The thing that caught me off guard the first time I ran this: Nuclei flagged endpoints I didn't even know cPanel exposed. Port 2083 is the user panel, but 2087 (WHM), 2086 (HTTP fallback for WHM), and 2082 (HTTP cPanel) are all worth scanning. A firewall rule blocking 2083 means nothing if 2082 is sitting open on the same box.
Reading the access log afterward is where you see the full picture. Grep for 200 responses on paths that should require auth:
# Location varies slightly by build but this is standard
tail -f /usr/local/cpanel/logs/access_log | grep "cpsess0"
# A legitimate authenticated request looks like:
203.0.113.45 - admin [12/Jun/2024:14:22:31 -0500] "GET /cpsess8392847123/execute/Email/list_pops HTTP/1.1" 200 842
# A bypass attempt getting rejected:
198.51.100.7 - - [12/Jun/2024:14:22:45 -0500] "GET /cpsess0/execute/Email/list_pops HTTP/1.1" 403 291
# The scary one — a bypass that SUCCEEDED before patching:
198.51.100.7 - - [12/Jun/2024:14:20:12 -0500] "GET /cpsess0/execute/Email/list_pops HTTP/1.1" 200 1847
Notice the response sizes. A 200 with 291 bytes is probably an error JSON payload. A 200 with 1847 bytes on the same endpoint? That's actual data going out the door. If you see 200s on cpsess0 (the literal string, not a real session token) in your historical logs, you had a problem — and you need to treat anything those endpoints could have exposed as compromised. Rotate credentials, audit email forwarders for exfiltration rules, and check the /usr/local/cpanel/logs/login_log for session creation events that don't correspond to known users.
The 3 Misconfigurations I See on Almost Every cPanel Server
After auditing shared hosting environments for a while, the same three mistakes show up constantly. None of them are exotic — they're all defaults that nobody changed, which is exactly what makes them dangerous. A PoC exploiting the cPanel auth bypass gets significantly more use when any of these are present.
Misconfiguration 1: WHM API Tokens With No IP Restriction
WHM API tokens with no IP allowlist are basically bearer tokens that work from anywhere on the planet. Navigate to WHM → Development → API Tokens and look at what's already there. I've seen production servers with tokens created years ago, never rotated, with "Unrestricted" showing in the IP column. The token itself never expires unless you set it to. If an attacker gets that token string — through a leaked .env file, a git repo, a compromised deploy pipeline — they call the WHM API directly:
# This works from any IP if no allowlist is set
curl -H "Authorization: whm root:YOUR_TOKEN_HERE" \
"https://your-server:2087/json-api/listaccts?api.version=1"
That returns every cPanel account on the server. From there, generating session tokens for individual accounts is a few more API calls. Fix this immediately: every token gets an IP allowlist entry, even if it's just your office IP and your CI/CD provider's egress range. The UI lets you add CIDR blocks — use them. If a token has no legitimate external use, restrict it to 127.0.0.1.
Misconfiguration 2: WHM Ports Open to 0.0.0.0/0
CSF (ConfigServer Security & Firewall) ships with WHM but it's not always active, and even when it is, the default TCP_IN list is embarrassingly permissive. Run this right now:
grep 'TCP_IN' /etc/csf/csf.conf
If you see 2086, 2087, 2082, or 2083 in that output without a corresponding csf.allow entry restricting them to known IPs, your admin interfaces are internet-accessible. Ports 2086/2087 are WHM (HTTP/HTTPS), 2082/2083 are cPanel (HTTP/HTTPS). The right answer is removing those ports from TCP_IN entirely and handling access through a VPN or an explicit allowlist in /etc/csf/csf.allow:
# In /etc/csf/csf.allow — lock WHM to your admin IPs only
203.0.113.10 # tcp|in|d=2087|s=203.0.113.10
203.0.113.11 # tcp|in|d=2087|s=203.0.113.11
Then restart CSF with csf -r. If CSF isn't installed at all, that's a different problem — yum install csf or pull it from the ConfigServer site, but block those ports before you do anything else.
Misconfiguration 3: Default TLS Cipher Suites on cpsrvd
This one surprises people because AutoSSL working correctly feels like "TLS is handled." It's not. AutoSSL manages certificate issuance via Let's Encrypt or Sectigo. It says nothing about which cipher suites cpsrvd (the cPanel service daemon) will accept. The default config in older cPanel builds allows TLS 1.0 and 1.1, and the cipher list includes RC4 and 3DES variants that have known weaknesses. A MITM on a network path to port 2083 can downgrade the session and intercept the auth cookie — which is exactly the kind of token you want if you're trying to replay a session after an auth bypass PoC.
Harden it in WHM under Service Configuration → cPanel Web Services Configuration, or push it directly:
# Check current cipher config
/usr/local/cpanel/bin/whmapi1 get_tweaksetting key=tls_version_cpanel
# Force TLS 1.2+ only via Tweak Settings API
/usr/local/cpanel/bin/whmapi1 set_tweaksetting \
key=tls_cipher_list \
value="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
The thing that caught me off guard the first time: cPanel updates can reset these cipher preferences back to defaults. Pin this to a post-update hook or check it monthly. The cpanel_version file at /usr/local/cpanel/version will tell you what build you're on — anything below 11.102 has this problem out of the box and gets significantly worse with the auth bypass surface area in play.
Hardening Your cPanel/WHM Installation Step by Step
The auth bypass PoC that circulated earlier this year made one thing painfully clear: a default cPanel/WHM installation is a target-rich environment. Most of the hardening steps below aren't exotic — they're things that should have been done on day one. If your server is already running exposed, do Step 2 and Step 3 right now before reading the rest.
Step 1 — Keep cPanel Current
cPanel ships security patches constantly, and the gap between "patch released" and "exploit in the wild" is sometimes measured in hours, not days. Run this to trigger an immediate background update:
# Trigger update now — runs in background, check /usr/local/cpanel/logs/updatelogs/ for progress
whmapi1 start_background_cpanel_update
Then lock in daily automatic updates so you're not relying on memory:
# /etc/cpupdate.conf
UPDATES=daily
CPANEL=daily
RPMUP=daily
SARULESUP=daily
The thing that trips people up: UPDATES=daily handles the cPanel tier releases, but RPMUP=daily handles the underlying system RPMs separately. Skip the second one and you've got an updated cPanel sitting on top of an unpatched glibc. I've seen this exact configuration on production boxes that "looked" updated.
Step 2 — Lock Down Management Ports at the Firewall
WHM runs on port 2087 (HTTPS) and 2086 (HTTP). There is no legitimate reason port 2086 should be reachable from the public internet — ever. CSF (ConfigServer Security & Firewall) is the standard tool here. Drop global access first, then allowlist your IP:
# Block port 2086 globally
csf -d 0.0.0.0/0 2086
# Then in /etc/csf/csf.allow, add your office/VPN CIDR:
# 203.0.113.45/32 # tcp/udp in/out 2086,2087 # office VPN egress
# Reload CSF to apply
csf -r
Do the same for port 2087 if your team always connects through a fixed IP or VPN. Yes, this means someone working from a coffee shop can't access WHM — that's the point. Set up a WireGuard or OpenVPN endpoint if you need flexibility. Exposing WHM to 0.0.0.0/0 on port 2087 is the single biggest mistake I see on shared hosting setups.
Step 3 — Enable Two-Factor Authentication
Navigate to WHM > Security Center > Two-Factor Authentication and enforce 2FA for all WHM and cPanel accounts. This single change neutralizes the majority of session hijack and credential stuffing paths. The auth bypass PoC specifically targeted session token handling — 2FA doesn't patch the underlying vulnerability, but it raises the bar high enough that automated exploitation becomes impractical at scale.
Force it for all accounts, not just root. Resellers with WHM access are a common pivot point. There's a checkbox in the Security Center to make 2FA mandatory system-wide rather than opt-in — use it.
Step 4 — Audit API Tokens Quarterly
API tokens don't expire by default and they don't require 2FA. That makes them the most dangerous credential type on your server if one gets compromised or left behind by a former team member. Run this and actually look at the output:
# Lists all API tokens with creation date and ACL set
whmapi1 api_token_list
# Revoke anything you don't recognize — use the exact token name from the list above
whmapi1 api_token_revoke token_name="old-deploy-token-2021"
I set a calendar reminder every quarter. The first time I ran this audit on a server I inherited, I found three tokens from contractors who hadn't worked with the company in over a year. None of them had been rotated. Any one of those could have been a persistent backdoor and we'd have had no way of knowing.
Step 5 — Enable ModSecurity with the OWASP Ruleset
Go to WHM > ModSecurity Tools and enable ModSecurity, then deploy the OWASP Core Rule Set (CRS). Be honest about what this gets you: ModSecurity with CRS won't stop a targeted, manual exploitation attempt against a specific cPanel vulnerability. What it will catch is the automated scanner traffic that probes for known cPanel CVEs, including the auth bypass patterns. That's still worth having because most successful attacks aren't sophisticated — they're opportunistic.
Start in detection mode, not enforcement, and watch /usr/local/apache/logs/modsec_audit.log for a week before flipping to enforcement. The OWASP ruleset throws false positives against some WordPress and Magento admin paths out of the box. Tune before you block, or you'll be getting support tickets about broken shopping carts at 2am.
Step 6 — Disable Unused cPanel Services
Every service you leave running is another potential entry point. If your users don't need webmail, go to WHM > Service Configuration > Webmail Configuration and disable Horde, Roundcube, and SquirrelMail. Each of those has its own CVE history completely separate from cPanel's core. Roundcube in particular has had several serious authenticated RCE bugs in the last two years.
# You can also toggle services via API — useful if you're scripting server provisioning
whmapi1 configureservice service=horde enabled=0
whmapi1 configureservice service=roundcube enabled=0
whmapi1 configureservice service=squirrelmail enabled=0
Same logic applies to cPAddons (Softaculous integrations you don't use), FTP if you've moved to SFTP-only, and anonymous FTP if it somehow got enabled. Run whmapi1 servicestatus to get a full list of what's currently running and go through it line by line. You'll find something you forgot was on.
Reading the Logs: How to Tell If Someone Already Probed Your Server
The thing that catches most server admins off guard isn't that they were probed — it's that the evidence was sitting in their logs for weeks before anyone looked. cPanel writes verbose logs by default, which is genuinely useful here. The problem is nobody checks them until something breaks.
Where the Relevant Logs Actually Live
For cPanel daemon (cpsrvd) activity — meaning every request to WHM, cPanel, or the API — your primary file is /usr/local/cpanel/logs/access_log. This captures authentication attempts, API calls, and every /execute/ endpoint hit. For raw auth failures at the system level, /var/log/messages is where PAM and cpsrvd both write failed login events. If you're running CSF/LFD, those get their own trail in /var/log/lfd.log, which is worth cross-referencing.
The single most useful grep I've found for detecting auth bypass probing is targeting unauthenticated API endpoint hits. A legitimate user won't be hitting /execute/ and getting 401s repeatedly — that pattern is almost always a scanner or PoC tool:
# Shows last 50 failed/forbidden hits against the UAPI execute path
# 401 = no valid session, 403 = session exists but permission denied
grep '401\|403' /usr/local/cpanel/logs/access_log | grep '/execute/' | tail -50
What you're looking for in the output: the same IP hitting multiple /execute/Email/, /execute/Mysql/, or /execute/Fileman/ endpoints in rapid succession. A human clicking around cPanel might get one 403 if they accidentally hit a restricted feature. A scanner will generate dozens within a 60-second window across different modules, because it's iterating through a list.
What Scanner Traffic Actually Looks Like
The user-agent strings are embarrassingly obvious once you've seen them. Legitimate cPanel browser sessions come from real browsers — Chrome, Firefox, Safari — with full user-agent strings. Automated scanners either send things like python-requests/2.28.0, Go-http-client/1.1, curl/7.88.1, or they spoof a browser but then blow their cover by making 40 requests per second with zero variation in timing. Pull the distinct user agents from failed auth attempts like this:
# Extract unique user agents from 401 responses to spot non-browser clients
grep ' 401 ' /usr/local/cpanel/logs/access_log | \
awk -F'"' '{print $6}' | sort | uniq -c | sort -rn | head -20
The request frequency delta is the other tell. A real cPanel session might generate 20-30 requests over a 10-minute login session. An auth bypass PoC will hammer the token validation endpoints — typically /login/?login_only=1 or the UAPI session creation path — at a rate that makes the timing pattern look like a for-loop, because it is a for-loop.
Setting Up Alerts So You Don't Have to Check Manually
Don't rely on remembering to grep logs. The simplest thing that actually works is a cron job that mails you when auth failure counts spike. This is the minimum viable alert — not fancy, but it's shipped and running:
# Add to root's crontab: crontab -e
# Runs at 6am daily, mails you if there were any cpsrvd auth failures overnight
0 6 * * * grep 'FAILED LOGIN' /var/log/messages | mail -s 'cPanel auth failures' you@yourdomain.com
If you want threshold-based alerting instead of daily dumps, count the lines first:
#!/bin/bash
# /usr/local/sbin/check_cpanel_auth.sh
FAILURES=$(grep 'FAILED LOGIN' /var/log/messages | grep "$(date '+%b %e')" | wc -l)
THRESHOLD=10
if [ "$FAILURES" -gt "$THRESHOLD" ]; then
grep 'FAILED LOGIN' /var/log/messages | grep "$(date '+%b %e')" | \
mail -s "WARNING: $FAILURES cPanel auth failures today" you@yourdomain.com
fi
Logwatch is the more complete solution if you want structured daily reports — it's usually already installed on cPanel servers. Edit /etc/logwatch/conf/logwatch.conf to set Detail = High and MailTo = you@yourdomain.com, and it'll parse the cPanel logs alongside everything else. The honest trade-off: logwatch output is verbose and you'll start ignoring it after a week. The custom threshold script above is dumber but more likely to get your actual attention.
When NOT to Rely on cPanel's Built-In Security
The auth bypass PoC that circulated for cPanel/WHM should have been a wake-up call, but the deeper issue is structural: cPanel was designed for convenience, not defense-in-depth. If you're running anything where a breach has legal consequences — PCI-DSS card processing, HIPAA-covered health data — cPanel's default configuration is not compliant out of the box. Full stop. You need a WAF sitting in front (ModSecurity with OWASP CRS at minimum, something like Cloudflare WAF or AWS WAF if you want managed rules), strict network segmentation behind it, and audit logging that actually goes somewhere external. cPanel's own logging stays on the box. If an attacker has root, those logs are gone.
Shared hosting deserves its own warning. If you don't control WHM, you have essentially no ability to remediate server-level vulnerabilities. When a new cPanel CVE drops, you're waiting on your hosting provider to patch — and historically that gap between disclosure and patch deployment runs days to weeks on budget shared hosts. Beyond that, your "neighbors" on the same physical box are strangers. Container isolation on shared cPanel is thin. I've seen PHP open_basedir bypasses get chained with a misconfigured symlink attack to read another account's wp-config.php. Assume the worst about what's running in the adjacent accounts and architect accordingly: encrypt sensitive values before they touch disk, never store API keys in flat config files, use environment variables injected at runtime where possible.
High-value targets — e-commerce stores, SaaS products storing user PII — have a real problem with cPanel's attack surface. You're not just defending your app. You're defending the control panel itself (port 2082/2083/2086/2087), the mail server, FTP, the DNS manager, and whatever plugins your host installed. Each one is a potential vector. An attacker who compromises WHM doesn't need to touch your application at all — they can just redirect DNS, swap your SSL cert, or inject code directly into your document root. If you're at the stage where you have paying customers and you're handling their data, the honest move is to look at managed Kubernetes (GKE Autopilot, EKS with Fargate) or even a straightforward VPS with proper IAM and nothing but your app running on it. The operational overhead of Kubernetes is real, but so is the blast radius reduction from not having a web-based hosting panel exposed to the internet.
Here's my honest take after years of working with both: cPanel is genuinely fine for dev/staging environments and small agency marketing sites. It's fast to set up, clients can manage their own email, and the one-click WordPress installs actually work. I still use it for low-stakes stuff. But it was never designed to be a hardened security boundary. The codebase is enormous, the attack surface reflects that size, and the default install leaves ports open and services running that you probably don't need. If you insist on keeping cPanel for a production workload that matters, at minimum do this:
- Firewall WHM to known IPs only. There's no reason port 2087 should be reachable from the public internet. Use CSF (ConfigServer Security & Firewall) and whitelist your office/VPN IPs.
- Enable two-factor authentication on all WHM/cPanel logins — this is not on by default and it's the single highest-ROI change you can make.
- Disable unused services. If you're not running a mail server, turn off Exim. FTP? Disable it, use SFTP. Each running service is a listening port that needs patching forever.
- Set up external log shipping. Push
/var/log/and cPanel access logs to something like Loki or CloudWatch Logs so a root compromise doesn't erase your forensic trail.
# Quick CSF rule to restrict WHM access to specific IPs
# Edit /etc/csf/csf.allow and add:
tcp|in|d=2087|s=YOUR.OFFICE.IP.HERE
tcp|in|d=2086|s=YOUR.OFFICE.IP.HERE
# Then restart CSF:
csf -r
# Verify WHM is no longer publicly reachable:
nmap -p 2087 YOUR_SERVER_IP # should show filtered, not open
The pattern I've seen repeatedly: teams start on cPanel because it's cheap and familiar, the site grows, the data gets more sensitive, but nobody ever revisits the infrastructure decision. The auth bypass PoC is a symptom of that. By the time a researcher publishes a working exploit against the control panel, you're already behind — because a motivated attacker has been probing it for months.
Quick Reference: cPanel Security Checklist
Bookmark this. Run through it after every cPanel/WHM upgrade, after any security advisory drops, and honestly — quarterly at minimum. The auth bypass CVEs that keep hitting cPanel (CVE-2023-29489 being a recent nasty one) almost always succeed against servers where someone checked a box once and moved on. Security posture drifts.
Before the table, here's the one-liner I run first to get a fast gut-check on the most exposed pieces:
# Run on your WHM server as root
# First part checks if security tokens are enforced (should return 1)
# Second part shows you exactly which cPanel ports CSF is exposing
whmapi1 get_tweaksetting key=security_token && csf -l | grep -E '2082|2083|2086|2087'
If that csf -l grep returns open rules for ports 2082 or 2086 (plain HTTP variants) and those boxes aren't internal-only, you already have a problem. Close them. Force everything through 2083/2087. The auth bypass PoC circulating right now specifically targets the HTTP port fallback behavior.
Check
Command / Location
Pass Condition
cPanel Version Currency
cat /usr/local/cpanel/version — cross-reference against go.cpanel.net/security
Running a CURRENT or STABLE tier build with no open CVEs against your version; anything below the current patch release of your branch should be treated as compromised-until-proven-otherwise
Exposed Port Audit
csf -l | grep -E '2082|2083|2086|2087' and ss -tlnp | grep -E '208[2367]'
2083 and 2087 open; 2082 and 2086 blocked at firewall level or bound only to 127.0.0.1
Two-Factor Authentication
WHM → Security Center → Two-Factor Authentication or whmapi1 get_tweaksetting key=require_2fa_for_all_users
Returns value: 1; enforce at account level, not just root — attackers pivot through reseller accounts constantly
API Token Audit
whmapi1 api_token_list — pipe through jq '.data.tokens[] | {name,create_time,last_used}'
No tokens older than 90 days without recent last_used activity; any token that hasn't been used in 30 days should be revoked immediately
ModSecurity Status
whmapi1 modsec_get_config or WHM → ModSecurity → Tools
Engine is On (not DetectionOnly); OWASP CRS rules loaded with at least paranoia level 2 for login endpoints
TLS Version Floor
grep -r 'SSLProtocol\|ssl_min_proto_version' /etc/apache2/conf.d/ /var/cpanel/userdata/
TLSv1.2 minimum, TLSv1.3 preferred; zero tolerance for SSLv3, TLSv1.0, TLSv1.1 — test externally with testssl.sh --protocols yourdomain.com
Security Token Enforcement
whmapi1 get_tweaksetting key=security_token
Returns value: 1; this is the CSRF protection layer — disabling it is specifically what several auth bypass PoCs exploit
Root Login Lockdown
grep 'PermitRootLogin\|AllowUsers' /etc/ssh/sshd_config
PermitRootLogin no or prohibit-password; combined with CSF's LF_SSHD brute-force detection enabled
On minimum safe versions: cPanel doesn't publish a single "safe floor" number because vulnerabilities get backported to multiple branches. The only honest answer is to check go.cpanel.net/security directly, find the advisory for whatever CVE you're worried about, and verify your exact build string appears in the "fixed in" column. I've watched people stay on 110.x thinking they were patched because they ran an update — but they were on a build that predated the hotfix by two weeks. The build timestamp matters, not just the major version.
One audit flow I find underused: dump all API tokens with creation dates, sort by age, and just delete anything you don't recognize. Hosting providers accumulate tokens from old integrations, WHMCS setups that got migrated, and plugins that were uninstalled without cleanup. A stolen or leaked API token bypasses 2FA entirely — it's one of the cleaner attack paths in the current PoC space precisely because token auth skips the normal session validation stack.
Disclaimer: This article is for informational purposes only. The views and opinions expressed are those of the author(s) and do not necessarily reflect the official policy or position of Sonic Rocket or its affiliates. Always consult with a certified professional before making any financial or technical decisions based on this content.
Originally published on techdigestor.com. Follow for more developer-focused tooling reviews and productivity guides.
Top comments (0)