
Case SEC-70235: Fix CVE-2025-66429

Comments

12 comments

  • cPRex Jurassic Moderator

    Hey there!  As Manage Team is built into the cPanel core functions, the only way to mitigate this is to update the machine.  

    0
  • Mrg

    Sure, but we do not need it. Can you say which file was modified, so we can manually disable it or add the mitigation to the file?
    We do not need Manage Team. Also, in cPanel 110 this is beta.

    We cannot upgrade yet, sadly.

    0
  • cPRex Jurassic Moderator

    There isn't a way to do that - it's part of the cPanel code, across multiple files.

    0
  • Mrg

    Thanks for the answer.
    But do you have a changelog of which files are modified by the update?

    Can you describe the issue in more detail?
    Since it is a privilege escalation and we do not have any local user with SSH/shell access, are we "safe"?

    Also, we use CloudLinux with CageFS.

    Please, please give us any info. All of it would help. It is not possible to upgrade yet.

    Many thanks.

    0
  • cPRex Jurassic Moderator

    We never list which files are modified in any changelog, as that could end up being an incredibly long list.

    If you aren't using the Manage Team feature you wouldn't have anything to worry about.

    0
  • Mrg

    Thanks. But:

    https://support.cpanel.net/hc/en-us/articles/36417624514455-Internal-Article-Local-Privilege-Escalation-Vulnerability-using-the-Team-Manager-API

    "The exploit does not require any specific configuration of the server and is possible on a default installation. "

    We have no user with SSH access (so no local user). So we are not affected. Are we right?
    Also, we are on CloudLinux with CageFS.

    So any additional information about CVE-2025-66429 would help.
    We see that the file /usr/local/cpanel/Cpanel/Admin/Modules/Cpanel/user.pm was modified with

    in 110.0.80. So if we put the changes into this file, would it mitigate the critical issue?
    E.g. there is a new line with:
    die if $username =~ /\.\./;
    So this seems to be a "directory traversal" mitigation.

    Many, many thanks for any information.

    0
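Mrg reads the added line `die if $username =~ /\.\./;` as a directory-traversal guard. The script below is an added illustration, not cPanel's code and not a description of how CVE-2025-66429 actually works: it assumes, purely hypothetically, that a username is joined onto a fixed base directory to build a per-account path, and it contrasts what a `..` deny-list rejects with what an allow-list on the account-name characters rejects. The base directory `/home`, the `.cpanel` suffix, the allow-list pattern and the sample usernames are all constructed for the example.

```perl
#!/usr/bin/perl
# Added illustration only: NOT cPanel code and NOT the mechanism of
# CVE-2025-66429. Assumption for this example: a username is joined
# onto a fixed base directory to build a per-account path.
use strict;
use warnings;

my $BASE = '/home';    # assumed base directory for the example

# Lexically collapse '.', '..' and empty segments so we can see where a
# path would end up without touching the filesystem.
sub lexical_resolve {
    my ($path) = @_;
    my @out;
    for my $seg ( split m{/}, $path ) {
        next if $seg eq '' || $seg eq '.';
        if ( $seg eq '..' ) { pop @out; next; }
        push @out, $seg;
    }
    return '/' . join( '/', @out );
}

# True when the resolved path no longer sits below $BASE.
sub escapes_base {
    my ($path) = @_;
    return index( lexical_resolve($path), "$BASE/" ) != 0;
}

# No validation at all: whatever the caller supplies lands in the path.
sub path_unchecked {
    my ($username) = @_;
    return "$BASE/$username/.cpanel";
}

# Deny-list in the style of the line Mrg quoted: refuses only '..'.
sub path_denylist {
    my ($username) = @_;
    die "contains '..'\n" if $username =~ /\.\./;
    return "$BASE/$username/.cpanel";
}

# Allow-list: accept only characters an account name is expected to have.
# The pattern is an assumption for this example, not cPanel's real rule.
sub path_allowlist {
    my ($username) = @_;
    die "unexpected characters\n"
        unless $username =~ /\A[a-z][a-z0-9_]{0,15}\z/;
    return "$BASE/$username/.cpanel";
}

# Constructed sample inputs: a normal name, one that climbs out of $BASE,
# and one that stays under $BASE but lands in another account's directory.
my @samples = ( 'alice', '../root', 'bob/public_html' );

my %checks = (
    unchecked => \&path_unchecked,
    denylist  => \&path_denylist,
    allowlist => \&path_allowlist,
);

for my $name (qw(unchecked denylist allowlist)) {
    for my $u (@samples) {
        my $path = eval { $checks{$name}->($u) };
        if ( !defined $path ) {
            chomp( my $err = $@ );
            printf "%-9s %-16s rejected (%s)\n", $name, $u, $err;
            next;
        }
        printf "%-9s %-16s -> %s%s\n", $name, $u, lexical_resolve($path),
            escapes_base($path) ? '   [outside base]' : '';
    }
}
```

Run it as a plain script. The `denylist` row for `bob/public_html` is the point: a `..` check keeps the path under the base directory, but it does not keep it inside the caller's own account, so an allow-list on the account name is the stronger guard. Whether cPanel's real code joins the username into a path this way is not stated on this page; the example only shows why a `..` regex on its own is a narrow check.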
  • cPanelPeter cPanel Staff

    What version of cPanel are you currently running? You said you won't be able to update for 2 to 3 months. But if you are at least running any of the following:

    • 11.132.0.4
    • 11.130.0.16
    • 11.126.0.37
    • 11.118.0.61
    • 11.110.0.80

    Then your version is already patched. Additionally, if you don't have any SSH users, you should also be good, and you can disable Team Manager (in Feature Manager) if enabled.


    0
  • Mrg

    Many thanks.

    We use 11.110.0.50, the last version because of CloudLinux 6 (cPanel on CloudLinux 6 has not upgraded since 2025-01-15).
    This is our last "old" server. All other cPanel servers are on CloudLinux 7 and 9.

    (110.0.51 2025-01-15 Fixed case RE-1030: Mark CloudLinux 6 as no longer supported.)

    In our 110 on this server there is no Team Manager option in the Feature Manager.

    0
  • cPRex Jurassic Moderator

    It's odd to me that you're still running CloudLinux 6 but worried about security exploits. You desperately need to get this machine updated, and this Team Manager situation is the least of your worries.

    0
  • Mrg

    Thanks. Sure, we know. We use it with ELS, we do manual upgrades, and CL6 ELS gets critical updates too.

    We know, and we will do the upgrade in 2-3 months; (due to cPanel and CentOS/CL) we have to migrate it. There is no "inline" upgrade.
    But the Team Manager issue is our worry because it runs cPanel and we cannot patch it. So we need all the information we can get to fix it manually, maybe by disabling/deleting the features/functions.

    We only have one CloudLinux 6 machine; all the others are on CL7 and CL8 or Ubuntu 22/24. It is our last server and we are working hard to upgrade, but there are different problems due to the special customers on it, so we do a lot of manual work on it.

    0
  • cPanelPeter cPanel Staff

    Hello, 

    In version 11.110.0.50, Team Manager was still experimental and off/not installed by default.

    In order to use it, you had to create a specific touch file. Since you don't have Team Manager, you should have nothing to worry about in regard to this security issue.


    0
  • Mrg

    Many, many thanks for the clarification.

    0
