CVE-2025-66429

8.8 HIGH

📋 TL;DR

A directory traversal vulnerability in cPanel's Team Manager API allows attackers to overwrite arbitrary files, potentially leading to privilege escalation to root. This affects cPanel installations versions 110 through 132. Attackers could gain complete control of affected systems.

💻 Affected Systems

Products:
  • cPanel
Versions: 110 through 132
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All cPanel installations within the affected version range are vulnerable by default.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with root access, allowing data theft, service disruption, and persistent backdoor installation.

🟠

Likely Case

Privilege escalation leading to unauthorized administrative access and potential lateral movement within the hosting environment.

🟢

If Mitigated

Limited impact if proper file permissions and access controls prevent exploitation, though risk remains elevated.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the Team Manager API, but the vulnerability is straightforward to exploit once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 133 or later

Vendor Advisory: https://docs.cpanel.net/changelogs/126-change-log/

Restart Required: Yes

Instructions:

1. Update cPanel to version 133 or later via WHM.
2. Run '/scripts/upcp --force' to complete the update.
3. Restart cPanel services.

🔧 Temporary Workarounds

Restrict Team Manager API Access

Platform: Linux

Limit access to the Team Manager API to trusted IP addresses only.

iptables -A INPUT -p tcp --dport 2087 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 2087 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate cPanel servers from untrusted networks.
  • Monitor file modification events in critical system directories for unauthorized changes.

🔍 How to Verify

Check if Vulnerable:

Check the cPanel version via WHM, or run 'cat /usr/local/cpanel/version' and check whether the reported version falls within 110 through 132.

Check Version:

cat /usr/local/cpanel/version

Verify Fix Applied:

Confirm that the version is 133 or later with 'cat /usr/local/cpanel/version', then test that Team Manager API functionality still works.
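The version check above, as an added shell example that is not part of this advisory and not cPanel's own tooling. It assumes that /usr/local/cpanel/version holds either a short "110.0.5" style string or the longer "11.110.0.5" form (an assumption; both are handled), and that the affected range is exactly 110 through 132 as stated above. The function names are invented for this example.

```shell
# Added example (not from the advisory): classify a cPanel version string
# against the affected range for CVE-2025-66429 (110 through 132).
# Assumption: the version file contains "110.0.5" or "11.110.0.5"; the
# legacy "11." prefix is stripped before the major number is read.

cpanel_major_version() {
    # Print the major release number, e.g. 11.110.0.5 -> 110, 132.0.3 -> 132
    ver="$1"
    case "$ver" in
        11.*) ver="${ver#11.}" ;;   # drop the legacy "11." prefix
    esac
    printf '%s\n' "${ver%%.*}"
}

cpanel_affected_by_cve_2025_66429() {
    # Exit status: 0 = in the affected range 110..132,
    #              1 = outside the range (e.g. 133 or later),
    #              2 = version string could not be parsed
    major=$(cpanel_major_version "$1")
    case "$major" in
        ''|*[!0-9]*) return 2 ;;   # not a plain integer
    esac
    [ "$major" -ge 110 ] && [ "$major" -le 132 ]
}

check_installed_cpanel() {
    # Read the live version file (path from the advisory) and report.
    f="${1:-/usr/local/cpanel/version}"
    [ -r "$f" ] || { echo "version file $f is not readable"; return 2; }
    v=$(cat "$f")
    if cpanel_affected_by_cve_2025_66429 "$v"; then
        echo "cPanel $v is within the affected range 110-132: update to 133 or later"
        return 0
    else
        echo "cPanel $v is outside the affected range"
        return 1
    fi
}
```

Run check_installed_cpanel on the host after patching; an exit status of 1 means the installed major version is outside 110 through 132, and 2 means the version file could not be read or parsed, which should be investigated rather than treated as "not affected".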

📡 Detection & Monitoring

Log Indicators:

  • Unusual file write operations in /usr/local/cpanel/logs/access_log
  • Failed or successful Team Manager API requests from unexpected sources

Network Indicators:

  • Unusual traffic to port 2087 (Team Manager API)
  • Multiple file modification requests within short timeframes

SIEM Query:

source="/usr/local/cpanel/logs/access_log" AND ("TeamManager" OR "2087") AND (status=200 OR status=403)
