cPanel & WHM Patch 3 Critical Vulnerabilities – Update Now
cPanel Inc. has pushed a critical set of patches for its flagship hosting control panel software, addressing three distinct security flaws in both cPanel and the accompanying Web Host Manager (WHM) interface. The updates, shipped in cPanel & WHM version 11.102.0.2, resolve vulnerabilities that, if left unfixed, could enable a low-privileged account holder to escalate to root, execute arbitrary code on the host, or render the service unavailable through a denial-of-service condition.
Security researchers from Qualys disclosed the issues, assigning them CVE-2023-4482, CVE-2023-4483, and CVE-2023-4484. CVE-2023-4482 resides in the cPanel file-manager plug-in, where insufficient sanitisation of uploaded file names allows an authenticated user to inject OS commands via a specially crafted filename, leading to arbitrary code execution with the privileges of the cPanel service account. CVE-2023-4483 is a privilege-escalation flaw in the WHM API endpoint /json-api/passwd, where an improper access-control check permits an authenticated reseller to overwrite the root password file, effectively granting full root access. CVE-2023-4484 is a resource-exhaustion bug in the SSL/TLS wizard of cPanel, where a malformed certificate request triggers an infinite loop, causing the web service to consume all available CPU and memory, resulting in a DoS. CVSS v3.1 scores for the three CVEs are 9.8 (Critical), 8.1 (High), and 7.5 (High) respectively.
Administrators are urged to update to cPanel & WHM 11.102.0.2 or later immediately. The patches can be applied via the automated update mechanism (/usr/local/cpanel/scripts/upcp) or by downloading the packages from the official cPanel download portal. After applying the update, a restart of the cPanel and httpd services is required to load the corrected binaries. Additionally, operators should review user-role assignments in WHM, disable the affected API routes if immediate patching is not feasible, and monitor for unusual commands in the cPanel audit logs that could indicate exploitation attempts.
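The two checks above (confirm the installed build is at or past 11.102.0.2, and watch the logs for non-root calls to /json-api/passwd or upload names carrying shell metacharacters) can be scripted. The following is an added example written for this article, not cPanel's own tooling; the log line shape and the sample entries are constructed, and a real deployment would feed it the actual cPanel access or audit log format.

```python
import re
from typing import Iterable, List, Tuple

# Fixed release named in the advisory; anything below it is treated as unpatched.
FIXED_VERSION = "11.102.0.2"

# Heuristic for the CVE-2023-4482 pattern: shell metacharacters in an uploaded
# file name. This is a triage signal, not a signature of the specific bug.
_SHELL_META = re.compile(r"[;|&`$<>\n]")

# Constructed, simplified log shape (assumed; not cPanel's real log format):
#   <account> <method> <path> <status>
_LOG_RE = re.compile(r"^(?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")

# Constructed sample entries to exercise the scanner offline.
SAMPLE_LOG = [
    "root GET /json-api/version 200",
    "reseller1 POST /json-api/passwd 200",
    "user2 GET /frontend/jupiter/filemanager/index.html 200",
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '11.102.0.2' into (11, 102, 0, 2) so builds compare numerically, not as strings."""
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed cPanel & WHM build is at or above the fixed release."""
    return parse_version(installed) >= parse_version(fixed)


def suspicious_upload_names(names: Iterable[str]) -> List[str]:
    """Return uploaded file names that contain shell metacharacters for analyst review."""
    return [name for name in names if _SHELL_META.search(name)]


def passwd_api_calls(log_lines: Iterable[str], allowed_users: Tuple[str, ...] = ("root",)) -> List[str]:
    """Return log lines where an account outside allowed_users reached /json-api/passwd
    (the CVE-2023-4483 abuse pattern: a reseller hitting a root-only password route)."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if m and m.group("path").startswith("/json-api/passwd") and m.group("user") not in allowed_users:
            hits.append(line)
    return hits
```

On a live host, feed `is_patched` the version string cPanel reports for the installed build and stream the real log into `passwd_api_calls` after adjusting `_LOG_RE` to that format.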
Although there is no evidence of active exploitation in the wild at press time, the public disclosure of the CVEs raises the risk of rapid weaponisation, especially given the popularity of cPanel in shared-hosting environments. The cPanel security team acknowledged the findings and released the patches within the standard 30-day disclosure window. Organizations that cannot patch right away should consider implementing web-application firewalls or restricting API access to trusted IP ranges to mitigate the risk of privilege escalation and code-execution attacks.