cPanel's patch was not enough to mitigate the recent CVE - still vulnerable
AnthonySmith
Administrator, Hosting Provider, OG, Senpai
https://x.com/infosec_au/status/2054749885258449252?s=46&t=mCHWQ0wgBvd3TSAgOi_YDA

Confirmed by cPanel on Reddit: https://www.reddit.com/r/cpanel/comments/1tcs5e5/comment/olqxv48/
Shut your ports guys!!!!
TierHive - Hourly VPS - NAT Native - /24 per customer - DE, UK, SG, CA, USA x3, FR, AU, PL, NL
FREE tokens on sign up, try before you buy. | Join us on Reddit
Comments
Glad I've stopped using cPanel ever since they increased their price for vps from $10 /m.
If they are charging people so much money, the least they could do is properly fix security vulnerabilities...
From what I understand, most of the people who actually know the product at its core are gone, after being churned through 2 (maybe 3?) venture capital companies that prioritised profit above ALL else. People just got sick and went; they have less staff working on the code base now than when cPanel was a flat $18.95 fee per month. Now we are really feeling all that value they added
Not to mention in the last CVE where some of the code base was dumped, it was full of comments with em dashes in it, so I think we know what has probably replaced those staff and why even security fixes are now half-baked.
At this point, if you have your website hosted on cPanel or if you use cPanel as a webhost, you should be SERIOUSLY considering moving to DA or manual via a VPS.
CPanel has always been a half-assed hokey pile of shit that gets more shit heaped upon it. I remember rebuilding an update and it had a shell script wrapping Python code, a PHP script and for whatever fucking reason, Makefile.PL in the mix. When I first saw Plesk after dealing with CPanel, I thought I found heaven. The only better webpanel is ICDSoft's proprietary one that was so good I remember it fondly 20 years later.
Unless you're churning out a bunch of slop sites or have to maintain a shitload of dependencies, there's no damn reason to deal with CPanel in TYOOL 2026.
"It's a hard life- to be a stick insect." - Karl Pilkington
Maybe, but in the early days, you did genuinely get the feeling that even if it was shit, it was their shit and they gave a shit about their shit.
That I won't deny. You used to be able to talk to people (generally directly), tell them exactly what the problem was and have a patch within a couple of days.
Never tried Plesk. DA is ok from a user's/reseller's view, especially when they have the extras, like WP admin, Softaculous, Redis, PHP selector, JetBackup etc. When hosting myself, I found ApisCP (hello, @nem ) to be the better option.
Just plain VPS hosting on Debian is nice in many ways, but it really depends on what kind of site(s)/software is needed.
Yeah. That's really where 'roll your own' falls apart. I can make things work uniformly on a handful of different tools, but it is a burden when it gets over a handful of sites.
The thing with cPanel is their popularity. The clients are familiar with it and go for hosting sites that use it. So for most companies offering shared hosting, cPanel is what they need to draw in customers. Recently I see a lot of hosts offering alternative panels so hopefully the popularity of cPanel will go down in coming years...
Well the security researchers are not the first to find these vulnerabilities. Hackers had been exploiting them for years:
https://www.helpnetsecurity.com/2026/05/12/cpanel-vulnerability-exploited-backdoor-cve-2026-41940/
I totally agree with you...
In the past few months, we've migrated all our customers who were on cPanel to a new (though not brand new) panel, Enhance. The team is based in the UK, and from what I'd read, it sounds like they worked for GoDaddy.
Dasabo.com: Server & Hosting Solutions 🚀 | Contact us for special offers.
So you rolled out of the fireplace directly into the cistern. Interesting choice.
Forgive me, but I didn't understand your answer.
What do you mean?
Makes me miss Kloxo.
(anyone remember Kloxo?)
[ IncogNET LLC ] - Since 2020
[ The Internet Speech & Privacy Company ]
oh my god....
Huh. Webmin still exists.
Virtualmin. Kloxo had more bugs than features...
( sigh ) I have users still using it. Or were anyway until I dropped it at the last OS refresh.