Overview

In a recent security advisory, WebPros (the company behind cPanel and WebHost Manager) announced a critical authentication vulnerability affecting all currently supported versions of cPanel and WHM. This flaw allows an attacker to bypass authentication and gain unauthorized access to the control panel. While no official CVE identifier has been assigned, the risk is immediate and severe. System administrators must update their servers without delay to close this attack vector. This guide provides a detailed walkthrough to patch your installation, covering prerequisites, step-by-step update instructions, common pitfalls, and a summary of recommended follow-up actions.

Prerequisites

Before you begin, ensure you have the following in place:

• Root or sudo access to the cPanel server via SSH.
• A current backup of your cPanel configuration and user data. While updates are generally safe, unexpected errors can occur.
• Familiarity with command-line operations (e.g., navigating files, executing commands with yum or dnf).
• A stable internet connection to download update packages.
• Optionally, a testing or staging environment to validate the upgrade before applying to production.

Step-by-Step Update Instructions

1. Check Your Current cPanel/WHM Version

First, log in to your server via SSH and determine the installed version. This helps confirm whether your installation is affected and ensures you apply the correct patch.

/usr/local/cpanel/cpanel -V

The output shows the version number, e.g., 11.108.0.10. Compare it against the advisory from WebPros: all supported versions before the patch are vulnerable. If your version is outdated, proceed immediately.

2. Update cPanel Using the Command Line

cPanel provides a built-in updater script. Run the following command as root:

/scripts/upcp

This will check for available updates, download, and apply them. The process can take several minutes. Do not interrupt it. If you have multiple cPanel servers, consider using a central update management tool or applying updates in a rolling fashion.

Alternatively, you can force an update to the latest edge or release tier:

cd /scripts && ./upcp --force

After completion, verify the new version:

/usr/local/cpanel/cpanel -V

The version number should now reflect the patched release (e.g., 11.108.0.18 or higher, depending on the patch date).

3. Update WHM Alongside cPanel

WHM is bundled with cPanel and updates together during the upcp process. However, you can also update WHM independently if needed:

/usr/local/cpanel/whostmgr/bin/update_whm

This is rarely necessary—the main upcp script handles both components. Use it only if you encounter WHM-specific errors post-update.

4. Verify That the Authentication Fix Is Applied

cPanel does not provide a dedicated command to verify the specific vulnerability fix. However, you can check the changelog or release notes to ensure the correction is included:

cat /usr/local/cpanel/version/cpanel-release-notes | grep -i 'auth'

Alternatively, review the official cPanel forum or WebPros security page for confirmation that the update addresses the authentication flaw.

5. Post-Update Health Check

After updating, run a quick health check:

• Access WHM via https://your-server-ip:2087 and log in.
• Navigate to Home > Server Status > Services Status and ensure all services are running.
• Test a few core functions: create a test account, check email, and verify FTP/SFTP access.
• Monitor system logs for any errors: tail -f /var/log/messages for a few minutes.

Common Mistakes to Avoid

When patching this vulnerability, administrators often overlook critical steps. Here are the most frequent errors:

• Skipping backups: Always back up before an update. In rare cases, a failed upgrade can corrupt system files, and a fresh restore might be faster than debugging.
• Not verifying the update: After running /scripts/upcp, always check the version. A small subset of servers may have custom repositories or lock files that prevent the update from applying.
• Ignoring WHM updates: Although upcp updates WHM, some administrators mistakenly only update cPanel via the GUI and forget that WHM also needs the patch. The command-line approach covers both.
• Applying updates during peak hours: While the update itself is quick, service restarts may cause brief downtime. Plan for a maintenance window.
• Assuming the fix is only for one component: The vulnerability affects both cPanel and WHM authentication paths. Even if you only use cPanel, you must update both.
• Neglecting to update third-party plugins or integrations: Some authentication mechanisms (e.g., LDAP, OAuth) may be affected. After the main update, re-check any custom authentication modules.

Summary

The authentication vulnerability in cPanel and WHM is a critical security issue that demands immediate action. By following the steps outlined above—checking your current version, running /scripts/upcp to update, verifying the patch, and performing a health check—you can protect your server from unauthorized access. Remember to take backups before any update and to test your setup afterwards. For ongoing security, subscribe to the cPanel security announcements feed and enable automatic updates if your environment allows. A proactive approach keeps your server safe and reduces the risk of data breaches.