top of page
ALL POSTS
LiteSpeed and FreeBSD Privilege Escalation Flaws Under Active Exploitation (CVE-2026-54420, CVE-2026-49413)
Key Findings LiteSpeed cPanel plugin versions before 2.4.8 contain a privilege escalation flaw actively exploited in the wild Vulnerability allows low-privileged users on shared hosting to gain full root access by abusing symlink handling Flaw affects servers running CloudLinux/CageFS and scores 8.5 on CVSS scale Patch available now in cPanel plugin v2.4.8 and WHM Plugin v5.3.2.1 Attackers use distinctive pattern of certificate endpoint calls repeated 7-10 times from single I
Jun 152 min read
Active Exploitation of cPanel CVE-2026-41940 Deploys Filemanager Backdoor Across 2,000+ Attacker IPs Globally
Key Findings Critical cPanel vulnerability CVE-2026-41940 (CVSS 9.3) is being actively exploited in the wild to deploy the Filemanager backdoor Over 2,000 malicious IPs from Germany, US, Brazil, Netherlands and other regions are conducting automated attacks Threat actor Mr_Rot13 has been linked to the campaign, with evidence of operations dating back to at least 2020 Exploitation has led to cryptomining, ransomware deployment, botnet propagation, and credential theft Southeas
May 123 min read
Critical cPanel and WHM Security Update: Three New Vulnerabilities Patched to Prevent File Read, Code Execution, and Privilege Escalation
Key Findings cPanel and WHM released patches for three vulnerabilities affecting multiple versions CVE-2026-29201 allows arbitrary file read through insufficient input validation CVE-2026-29202 enables arbitrary Perl code execution for authenticated users CVE-2026-29203 exploits unsafe symlink handling for denial-of-service and potential privilege escalation No evidence of active exploitation yet, but disclosure follows recent zero-day attacks using Mirai and Sorry ransomware
May 102 min read
Critical cPanel Vulnerability Actively Exploited Against Government and MSP Infrastructure
Key Findings Unknown threat actor exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel and WHM, targeting government and military entities in Southeast Asia Attack infrastructure originating from IP address 95.111.250[.]175, primarily focusing on Philippines and Laos government and military domains Concurrent targeting of MSPs and hosting providers across Philippines, Laos, Canada, South Africa, and the United States using publicly available pro
May 43 min read
bottom of page
