cPanel vulnerability for VPS and Dedicated customers on CentOS 6
On April 28, 2026, cPanel released an emergency security update addressing a critical authentication-related vulnerability in cPanel and WHM. According to cPanel, the issue affects multiple authentication paths. ASO has confirmed that the vulnerability is actively being treated as a critical authentication-bypass exploit.
In this article, we will discuss:
- Why this matters specifically for CentOS 6
- What ASO is doing
- What you should do now
- Patched cPanel versions
- Frequently asked questions
Why this matters specifically for CentOS 6
CentOS 6 reached end of life on November 30, 2020. cPanel ended support for CentOS 6 with cPanel and WHM version 88, and current cPanel releases run only on supported distributions, such as CentOS releases newer than CentOS 6, Alma Linux, Rocky Linux, and Ubuntu.
As a result:
- Continued operation on CentOS 6 leaves cPanel, WHM, Webmail, Web Disk, and SSL services exposed to these and other unpatched issues. Upgrading to a supported OS is the only durable remediation.
What ASO is doing
- Restricted login access to cPanel and WHM on some VPS and Dedicated servers running CentOS 6.
- Restricting inbound access to the following ports on affected VPS and Dedicated servers running CentOS 6 to reduce exploit exposure:
  - cPanel: 2082 (HTTP), 2083 (HTTPS)
  - WHM: 2086 (HTTP), 2087 (HTTPS)
  - Webmail: 2095 (HTTP), 2096 (HTTPS)
  - WebDisk: 2077 (HTTP), 2078 (HTTPS)
- Providing upgrade paths from CentOS 6 to a currently supported operating system.
- During this period, you may notice the following while we have the firewall rules in place:
  - cPanel and WHM web interfaces are unreachable from the public internet.
  - Webmail and Web Disk over standard cPanel ports may be temporarily unavailable.
  - SSL and non-SSL connections specifically to ports 2083/2087 are blocked.
  - Your hosted websites, databases, and email delivery (SMTP/IMAP/POP) continue to operate normally.
What you should do now
- You can still log in to the server (SSH or the console in the portal).
- Update cPanel by running /scripts/upcp as root, per cPanel documentation. If this fails, please contact ASO customer support.
- Do not attempt to disable the firewall rules. They are in place to protect your data while a fix is coordinated.
- Upgrade from CentOS 6 to a newer distribution, such as a CentOS release newer than CentOS 6, Alma Linux, Rocky Linux, or Ubuntu.
- Take a fresh backup of your sites, databases, and email accounts. If your server has been online and exposed in recent weeks, treat backups as a precaution rather than a recovery path.
- Audit recent activity in /usr/local/cpanel/logs/access_log and the WHM Login History for unfamiliar IP addresses or login times.
- Confirm SSH key-based authentication is enabled, and password authentication is disabled where possible.
- Once upgraded to a server with a supported OS, verify your cPanel build matches one of the patched versions listed below.
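For the access_log audit step in the list above, a summary of every source IP that is not on your own list of known addresses is a quick first pass. This is an added example, not ASO or cPanel tooling; it assumes each log line starts with the client IP, carries the login name in the third field and has a bracketed timestamp, and the sample lines and IPs are constructed.

```shell
#!/bin/sh
# sample_log: constructed lines in the ASSUMED access_log layout
# (client IP, "-", login name, [timestamp], request, status, ...).
sample_log() {
    cat <<'EOF'
198.51.100.10 - root [04/27/2026:09:12:01 -0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/5.0" "s" "-" 2087
203.0.113.77 - root [04/28/2026:02:41:13 -0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/5.0" "s" "-" 2087
198.51.100.10 - root [04/28/2026:08:30:45 -0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/5.0" "s" "-" 2087
203.0.113.77 - root [04/28/2026:02:47:50 -0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/5.0" "s" "-" 2087
192.0.2.44 - - [04/28/2026:03:05:09 -0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/5.0" "-" "-" 2083
EOF
}

# audit_access_log KNOWN_IPS  (comma-separated; log is read from stdin)
# Prints one line per source IP that is NOT in KNOWN_IPS, in order of first
# appearance: request count, first and last timestamp, login names seen.
audit_access_log() {
    awk -v known="$1" '
    BEGIN { n = split(known, k, ","); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
    {
        ip = $1
        if (ip in ok) next                      # skip addresses you recognise
        ts = "?"
        if (match($0, /\[[^]]*\]/)) ts = substr($0, RSTART + 1, RLENGTH - 2)
        if (!(ip in hits)) { first[ip] = ts; order[++cnt] = ip }
        hits[ip]++
        last[ip] = ts
        # Collect each distinct login name once per IP ("-" means none).
        if ($3 != "-" && index(" " users[ip] " ", " " $3 " ") == 0)
            users[ip] = (users[ip] == "" ? $3 : users[ip] " " $3)
    }
    END {
        for (i = 1; i <= cnt; i++) {
            ip = order[i]
            printf "%s requests=%d first=%s last=%s users=%s\n", ip, hits[ip],
                   first[ip], last[ip], (users[ip] == "" ? "-" : users[ip])
        }
    }'
}

# On the server, with your own admin IPs in place of the constructed one:
#   audit_access_log "198.51.100.10" < /usr/local/cpanel/logs/access_log
```

Any address in the output with a login name you did not expect, or activity at times nobody on your team was working, is worth cross-checking against the WHM Login History.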
Patched cPanel versions
After upgrading to a supported operating system, ensure your cPanel and WHM build is at or above one of the following:
- 11.110.0.97
- 11.118.0.63
- 11.126.0.54
- 11.132.0.29
- 11.134.0.20
- 11.136.0.5
You can verify your build under WHM → Server Configuration → Server Status, or by running /usr/local/cpanel/cpanel -V from the command line.
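The comparison only makes sense within a release tier: a build on the 11.126 tier has to be measured against 11.126.0.54, not against the lowest number on the list. The following is an added example, not part of cPanel or ASO tooling; the accepted input formats ("11.110.0.97", "110.0.97" and "110.0 (build 97)") and the status words it prints are assumptions of this sketch.

```shell
#!/bin/sh
# Patched builds copied from the list above, one per release tier.
PATCHED_BUILDS="11.110.0.97 11.118.0.63 11.126.0.54 11.132.0.29 11.134.0.20 11.136.0.5"

# cpanel_build_status VERSION
# Prints "patched", "vulnerable", "tier-not-listed" or "unparseable".
# Returns 0 only when the build is at or above its tier's patched build.
cpanel_build_status() {
    status=$(printf '%s\n' "$1" | awk -v patched="$PATCHED_BUILDS" '
    {
        s = $0
        gsub(/^[ \t]+|[ \t]+$/, "", s)   # trim surrounding whitespace
        gsub(/[()]/, "", s)              # "110.0 (build 97)" -> "110.0 build 97"
        sub(/ *build */, ".", s)         # -> "110.0.97"
        if (s !~ /^[0-9]+(\.[0-9]+)+$/) { print "unparseable"; exit }
        n = split(s, p, ".")
        if (n == 4)      { maj = p[2]; min = p[3]; build = p[4] }  # drop leading "11."
        else if (n == 3) { maj = p[1]; min = p[2]; build = p[3] }
        else             { print "unparseable"; exit }
        result = "tier-not-listed"
        m = split(patched, list, " ")
        for (i = 1; i <= m; i++) {
            split(list[i], q, ".")
            # Compare numerically, and only against the same release tier.
            if (q[2] + 0 == maj + 0 && q[3] + 0 == min + 0)
                result = (build + 0 >= q[4] + 0) ? "patched" : "vulnerable"
        }
        print result
    }')
    printf '%s\n' "$status"
    [ "$status" = "patched" ]
}

# On a cPanel host, check the installed build; skipped where cPanel is absent.
if [ -x /usr/local/cpanel/cpanel ]; then
    cpanel_build_status "$(/usr/local/cpanel/cpanel -V)"
fi
```

A result of "tier-not-listed" means the page gives no patched build for that release tier, so check the tier against cPanel's own advisory rather than assuming it is safe.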
Frequently asked questions
Is my data still safe?
ASO has applied network-level controls to limit exposure on CentOS 6 servers. Your sites and databases remain online; only the cPanel/WHM management interfaces are temporarily restricted to prevent unauthorized access.
Why can’t ASO just patch CentOS 6?
cPanel does not produce security updates for cPanel and WHM on CentOS 6. Because of this, ASO recommends upgrading to a newer distribution, such as a CentOS release newer than CentOS 6, Alma Linux, Rocky Linux, or Ubuntu.
How long will the firewall block be in place?
The block on ports 2083 and 2087 will remain until your server is upgraded to a supported operating system on a patched cPanel build.
Do I need to do anything if I’ve already upgraded off CentOS 6?
Yes. Confirm that your cPanel and WHM build matches one of the patched versions listed above. If automatic updates are enabled on your server, it should already be running a patched build.
How do I get off CentOS 6 onto a patched version of cPanel?
The best way to get off CentOS 6 is to upgrade to a newer distribution, such as a CentOS release newer than CentOS 6, Alma Linux, Rocky Linux, or Ubuntu.
How do I upgrade CentOS 6?
You can upgrade CentOS 6 to a newer operating system such as CentOS 7, Alma Linux, Rocky Linux, or Ubuntu. However, this requires the server to be reimaged. VPS and Dedicated servers running cPanel do not support in-place upgrades between major CentOS versions, which means the existing server must be completely deleted and replaced with a new, clean server instance.
If you opt to upgrade to CentOS 7, please see VPS and Dedicated Hosting: CentOS 7 upgrade for steps on how to prepare your server for a CentOS 7 upgrade.