Symptoms
In cPanel v110 or later, it was found that a Team Manager API could allow a local user to escalate to root privileges. This also affected cPanel-derived systems, such as WP Squared.
Description
The Team Manager API did not sufficiently validate its input. This allowed an arbitrary file overwrite, which in turn allowed escalation to root privileges. The exploit does not require any specific configuration of the server and is possible on a default installation.
Workaround
A patch has already been applied, and fixed cPanel builds have been published to correct this. If your cPanel has been updated to one of the following versions or later, then no further action is needed:
- 11.132.0.4
- 11.130.0.16
- 11.126.0.37
- 11.118.0.61
- 11.110.0.80
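
To check a server against the list above, the following added example (not cPanel's own tooling) compares a version string with the fixed build for its release branch. It assumes the installed version is stored in `/usr/local/cpanel/version` in the `11.x.y.z` form, treats branches above 132 as "or later", and flags branches in the affected range that have no fixed build listed here for manual review.

```shell
#!/bin/sh
# Fixed builds copied from the advisory, one per release branch.
FIXED_BUILDS="11.132.0.4 11.130.0.16 11.126.0.37 11.118.0.61 11.110.0.80"

# field VERSION N: print the Nth dot-separated field of VERSION.
field() { printf '%s\n' "$1" | cut -d. -f"$2"; }

# check_cpanel_version VERSION
# Returns 0 = fixed or outside the affected range, 1 = update required,
# 2 = unparseable, or a branch for which the advisory lists no fixed build.
check_cpanel_version() {
    ver=$1
    # Accept only the four-field numeric form, e.g. 11.110.0.80.
    if ! printf '%s\n' "$ver" | grep -Eq '^11\.[0-9]+\.[0-9]+\.[0-9]+$'; then
        echo "unrecognized version string: $ver"; return 2
    fi
    major=$(field "$ver" 2); minor=$(field "$ver" 3); build=$(field "$ver" 4)
    if [ "$major" -lt 110 ]; then
        echo "$ver: older than v110, outside the advisory's affected range"; return 0
    fi
    if [ "$major" -gt 132 ]; then
        echo "$ver: newer than every fixed branch in the advisory"; return 0
    fi
    for fixed in $FIXED_BUILDS; do
        [ "$(field "$fixed" 2)" -eq "$major" ] || continue
        fminor=$(field "$fixed" 3); fbuild=$(field "$fixed" 4)
        if [ "$minor" -gt "$fminor" ] ||
           { [ "$minor" -eq "$fminor" ] && [ "$build" -ge "$fbuild" ]; }; then
            echo "$ver: at or above fixed build $fixed"; return 0
        fi
        echo "$ver: below fixed build $fixed, update required"; return 1
    done
    # Affected range, but the advisory names no fixed build for this branch.
    echo "$ver: no fixed build listed for branch $major, review manually"; return 2
}

# Assumed location of the installed version string on a standard install.
VERSION_FILE=/usr/local/cpanel/version
if [ -r "$VERSION_FILE" ]; then
    check_cpanel_version "$(cat "$VERSION_FILE")"
fi
```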