CVE-2020-26108

9.8 CRITICAL

📋 TL;DR

CVE-2020-26108 is a critical file-extension dispatching vulnerability in cPanel that allows remote attackers to execute arbitrary code. This affects cPanel web hosting control panel installations, potentially compromising entire hosting servers and all hosted websites. Attackers can exploit this to gain full control of affected systems.

💻 Affected Systems

Products:
  • cPanel
Versions: All versions before 88.0.13
Operating Systems: Linux (cPanel's primary platform)
Default Config Vulnerable: ⚠️ Yes
Notes: All standard cPanel installations are vulnerable. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise leading to data theft, ransomware deployment, lateral movement to other systems, and persistent backdoor installation.

🟠 Likely Case

Attackers gain shell access to the cPanel server, allowing them to modify websites, steal sensitive data, and use the server for further attacks.

🟢 If Mitigated

Limited impact with proper network segmentation, but still significant risk to the cPanel instance itself.

🌐 Internet-Facing: HIGH - cPanel is typically internet-facing and this vulnerability allows unauthenticated remote code execution.
🏢 Internal Only: MEDIUM - Even internally accessible cPanel instances are at risk from internal threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward with publicly available proof-of-concept code. Attackers can easily automate attacks against vulnerable systems.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 88.0.13 and later

Vendor Advisory: https://docs.cpanel.net/changelogs/88-change-log/

Restart Required: No

Instructions:

1. Log into WHM as root.
2. Navigate to 'Update cPanel & WHM'.
3. Click 'Update to Latest Version'.
4. Alternatively, run: /usr/local/cpanel/scripts/upcp --force

🔧 Temporary Workarounds

Temporary access restriction

Restrict access to cPanel/WHM to trusted IP addresses only. The rules below cover the cPanel and WHM ports (2083, 2086, 2087); insert them ahead of any broader ACCEPT rule already in the INPUT chain, otherwise the DROP never fires.

iptables -A INPUT -p tcp -m multiport --dports 2083,2086,2087 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 2083,2086,2087 -j DROP

🧯 If You Can't Patch

  • Immediately restrict network access to cPanel/WHM ports (2083, 2087, 2086) to only trusted IP addresses
  • Implement web application firewall rules to block suspicious file extension requests

🔍 How to Verify

Check if Vulnerable:

Run /usr/local/cpanel/cpanel -V and compare the reported version with 88.0.13: any lower version is vulnerable, including releases from earlier major versions (filtering the output for '^88\.' would miss those).

Check Version:

/usr/local/cpanel/cpanel -V

Verify Fix Applied:

Verify version is 88.0.13 or higher: /usr/local/cpanel/cpanel -V
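A version check that can be dropped into a fleet audit script, added here as an example and not part of the original advisory. It assumes (an assumption, not stated on the page) that the version is reported in one of the forms "88.0.13", "11.88.0.13", "88.0 (build 13)" or "11.88.0 (build 13)", and it correctly flags earlier major versions (e.g. 86.x) as affected.

```sh
#!/bin/sh
# Added example: is a reported cPanel version older than the fixed release 88.0.13?

FIXED_VERSION="88.0.13"   # first release with the fix, as stated in the advisory

# Normalise a reported version to dotted MAJOR.MINOR.BUILD.
# Assumed input forms: "88.0.13", "11.88.0.13", "88.0 (build 13)", "11.88.0 (build 13)".
normalize_cpanel_version() {
    printf '%s' "$1" | sed \
        -e 's/[[:space:]]*(build[[:space:]]*\([0-9]*\))/.\1/' \
        -e 's/^11\.//'
}

# Prints "yes" if version $1 sorts numerically before version $2, else "no".
# Missing components (e.g. "88.0") are treated as 0.
version_lt() {
    a=$(normalize_cpanel_version "$1")
    b=$(normalize_cpanel_version "$2")
    old_ifs=$IFS
    IFS=.
    set -- $a; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$old_ifs
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
        set -- $pair
        if [ "$1" -lt "$2" ]; then echo yes; return 0; fi
        if [ "$1" -gt "$2" ]; then echo no; return 0; fi
    done
    echo no    # all three components equal
}

# Prints "yes" when the given cPanel version is still affected by CVE-2020-26108.
cpanel_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# Live check when run on a cPanel host (binary path as given in the advisory).
if [ -x /usr/local/cpanel/cpanel ]; then
    current=$(/usr/local/cpanel/cpanel -V)
    echo "cPanel $current: vulnerable=$(cpanel_vulnerable "$current")"
fi
```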

📡 Detection & Monitoring

Log Indicators:

  • Unusual file extension requests in cPanel logs
  • Suspicious process execution from web user context
  • Unexpected file uploads or modifications

Network Indicators:

  • Exploitation attempts targeting cPanel ports with unusual file extensions
  • Outbound connections from cPanel server to unknown IPs

SIEM Query:

source="cpanel.log" AND ("unusual_extension" OR "file_upload" OR "execution")
