Namecheap warns cPanel critical vuln
- Namecheap said April 28 it blocked customer access to cPanel and WebHost Manager after cPanel disclosed a critical authentication flaw in all supported releases. - cPanel said unauthorized logins were occurring and shipped patched builds including 11.136.0.5 and 11.134.0.20, while Namecheap blocked ports 2083 and 2087. - The issue hit hosting control planes used to manage whole servers and customer accounts at once. (support.cpanel.net)
Namecheap said on April 28 it temporarily blocked access to cPanel and WebHost Manager after cPanel disclosed a critical login authentication flaw. (namecheap.com) (support.cpanel.net) cPanel is the web control panel many hosting customers use to manage domains, email, files and databases, while WebHost Manager controls the server itself. (runzero.com) cPanel said the bug affected all currently supported versions and that unauthorized logins were occurring to both cPanel and WebHost Manager. (support.cpanel.net) Namecheap said it responded by blocking TCP ports 2083 and 2087, which cut off cPanel and WebHost Manager access until a vendor patch was available. (namecheap.com) The company said the shutdown also disrupted Webmail, Webdisk and Secure Sockets Layer and non-SSL connections tied to those control panels. (namecheap.com) cPanel later published patched versions for six supported release tiers: 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20 and 11.136.0.5. (support.cpanel.net 1) (support.cpanel.net 2) cPanel told administrators to run `/scripts/upcp` to retrieve the patched build and said older unsupported versions were likely affected too. (support.cpanel.net) If systems could not be updated immediately, cPanel said administrators should restrict access to ports 2083, 2087, 2082, 2086, 2095 and 2096, and also disable proxy subdomains. (support.cpanel.net) runZero, a security firm, said public details were still limited on April 28 and noted the issue did not yet have a Common Vulnerabilities and Exposures identifier assigned. (runzero.com) Namecheap said at 6:35 p.m. Eastern on April 28 that cPanel had released a fix and that deployment across supported servers would take another two to three hours. At 9:35 p.m. Eastern, it said implementation was still in progress. (namecheap.com) The episode briefly turned one of web hosting’s main control layers into a locked door: providers had to choose between keeping panels online and cutting access until patched. (namecheap.com) (support.cpanel.net)
