5/9/2026 at 5:57:56 PM
Ages ago I used php-nuke to manage my forum and it got hacked and I thought it would get taken seriouslySeeing these CPanel hacks remind me how old these codebases are and how much more vulnerability remain
by zuzululu
5/10/2026 at 8:10:01 AM
Cpanel is Perl, not PHP. Probably the grayest of the gray beards. Perhaps not enough Perl Wizards left to maintain it nowadays.by bouncycastle
5/13/2026 at 1:30:28 AM
well, any accounts running outdated workloads (could be anything LAMP-flavored) could be attack vectors, with the entire shared machine possibly compromised by any weak account due to these latest LPEsthese cPanel machines frequently run 4- or low-5-figure quantities of customer accounts, each with potentially multiple domains or CMS deployments, and not always the most technically-engaged customer base, so that's a lot of surface area to account for: how diligent can hosts realistically be about every WordPress plugin, every Drupal or Magento module, and so on?
(nb I don't like shared hosting and am not defending it, just addressing the reality of the long tail)
by dminvs
5/9/2026 at 11:35:18 PM
Php-nuke was the hacking testing ground. Nuke was atrocious for exploitation.by doublerabbit
5/10/2026 at 12:20:02 AM
I was thinking about php-nuke I while back and it's terrible security rep. I figured it was just the regular PHP foot guns of the era, but I took a look at the code recently and boy howdy that was some truly atrocious code. I'm not security person (although perhaps security minded) and I found a million problems after a cursory glance.by jszymborski
5/9/2026 at 6:05:29 PM
I don't agree that "old" necessarily implies vulnerability.by dainiusse
5/9/2026 at 6:27:36 PM
I mostly disagree on your disagreement unless the entire project was based on top security practices and good code in the first place. The vast majority of these web panels are a security nightmare.by pixl97
5/9/2026 at 6:32:40 PM
These PHP systems be it cPanel, wordpress or PHP itself are most likely the biggest target besides windows. It's incredibly uncool stack especially here but it is running most of the "independent" small web.They cannot be that bad if they are managing to be ductape of the internet.
by omnimus
5/9/2026 at 7:16:34 PM
I've done PHP development for over 20 years, including some pretty large projects. I've never had a situation where a security flaw in PHP itself forced me to scramble to patch something before it got hacked.On the other hand, for my Linux servers, I had to do that twice in the last month with CopyFail and DirtyFrag.
by Meekro
5/9/2026 at 10:20:52 PM
CVE-2021-21703 [0] is a similar class of bug in the PHP interpreter itself that was pretty recenthttps://www.sentinelone.com/vulnerability-database/cve-2021-...
by diek
5/9/2026 at 11:41:35 PM
This is not a PHP language interpreter bug this is a PHP FPM bug.by ipaddr
5/10/2026 at 1:14:24 AM
That's a fair point, using 'interpreter' specifically was imprecise language on my part. My main point was php-fpm is developed by the core PHP team and is often the default in how PHP projects deploy these days, and that CVE was very similar to the recent 'fail' LPE vulnerabilities in the kernel.by diek
5/10/2026 at 8:43:20 PM
php-mod is so fast these daysby ipaddr
5/9/2026 at 9:12:18 PM
[dead]by ggallas
5/9/2026 at 11:51:03 PM
> They cannot be that bad if they are managing to be ductape of the internet.Oh, it very much can be that bad. Most "security" relies on the Hungry Tiger Theory of Security(tm).
My system doesn't need to be "secure". My system simply needs to be more secure than yours. As long as there is an easier and/or more valuable target somewhere, I'm "secure". I don't need to outrun the hungry tiger; I only need to outrun you outrunning the hungry tiger.
That theory, of course, doesn't hold anymore when there are enough tigers to simply eat everybody. And that's what AI did; it multiplied the tigers enough that they can just gorge on everything.
Now, people are going to have to put in "actual security" or lose real money over and over and over. And since everybody has outsourced everything, nobody knows how to fix it quickly. The lawyers are going to have a field day.
At the end, however, we'll have real security on our internet facing systems. But man, it's going to be painful for a while.
by bsder
5/9/2026 at 8:35:39 PM
Every time I venture in the the web server's error log, I see all of the skiddie's attempts at accessing the most common things with most of them being .php files. Lots of /wp/admin.php and /phpadmin/ type requests. Of course, none of those are available which is why the requests are in the error log. I've never paid attention, but I wonder how long (as in how little time) for a new server to come online before it starts to get probed by a skiddie. Whether they are just war dialing IPs or paying attention to new domain announcements but I'd put it on a few hours tops.by dylan604
5/9/2026 at 9:05:23 PM
Dismissing these as script kiddie attempts is no longer correct. This is a real industry now. It’s not like the large scale actors are going to pass up a valid unpatched vector just because it’s old hat.by hamburglar
5/10/2026 at 3:24:02 AM
They're skiddies if they're trying WordPress attacks on domains that have never hosted anything remotely close to a CMS before...by nubinetwork
5/10/2026 at 2:31:15 PM
Imagine this; ~40% of public websites run wordpress. (based on some AI-gen summary, even if fewer it is still an important percentage).So you might be spinning up a new instance with 40% probability. It makes sense in mass vulnerability explotation and detection to aim for highest success rate first.
Especially when the IPv4 space is so easy to scan nowadays. And you have services like Shodan that do just that daily.
by mhitza
5/9/2026 at 9:20:25 PM
yes, but how often otherwise would i get to use the word skiddie?by dylan604
5/9/2026 at 11:37:53 PM
22 minutes. I got my new ISP with fibre. Placed my web server online. 22 minutes my honey pot got stung.by doublerabbit
5/9/2026 at 10:12:08 PM
If you get a letsencrypt certificate it will get probed within a minuteby rstupek
5/10/2026 at 2:05:33 AM
I’ve tested this recently (this post week). Had a dns entry up and pointing to an nginx server for ~12 hours, zero requests. 17 seconds after the letsencrypt cert was issued, the floodgates opened. Over a dozen of requests per second.by jmb99
5/10/2026 at 2:28:00 AM
I don't think it's necessarily specific to LE but rather to public certificate transparency logs. LE being free and easy to automate means it's very widely used these days, but if you theoretically go to a "pay" root CA and get a cert that covers thing.com and www.thing.com , the same probing will happen on the same time scale.by walrus01
5/9/2026 at 6:45:18 PM
> They cannot be that bad if they are managing to be ductape of the internet.I think there are just a whole lot of tools written for them. So non devs can spin things up and click some things together.
Is that safe and secure? Maybe, if the devs did their work well. But I'm positive no one reads the docs on how to configure something securely.
I think the real reason is that it's very cheap to host, and always has been
by hvb2
5/9/2026 at 6:54:58 PM
cPanel is Perl.by ChocolateGod
5/9/2026 at 8:43:02 PM
Yes. Perl for core backend logic, automation, legacy systems, APIs. Some other languages used for bits and pieces.by robocat
5/9/2026 at 6:41:41 PM
How does that follow?by anamexis
5/9/2026 at 6:57:07 PM
They have a big target on their back so the low hanging fruit is (mostly) gone.by cinntaile
5/9/2026 at 9:40:25 PM
As a coder who just hit 50, trust me, it does.by tclancy
5/9/2026 at 6:17:32 PM
[flagged]by TZubiri
5/9/2026 at 7:46:51 PM
Remember 'webmin'?As someone who pretty much exclusively uses debian, freebsd and openbsd for server OS work, I was also rather surprised recently to see the default web gui that comes on a new fedora install.
by walrus01
5/10/2026 at 12:49:19 AM
I was pleasantly surprised to learn the architecture for this - a minimal backend that does a PAM auth and gives you a shell over websocket, with only your own Linux user credentials - and then everything else (from managing files to apache to VMs) is done in frontend javascript.Keeps the server-side backend minimal and auditable.
by mappu
5/9/2026 at 10:12:02 PM
Also comes default on Red Hat Enterprise Linux, Rocky Linux , AlmaLinux, Oracle Linux, and SUSE.Also walrus from old, old UBNT forum? If so, hello :)
by esseph
5/9/2026 at 8:22:12 PM
> The concept of a GUI wrapper on top of the Linux ecosystem is what's brokenThat is a nugget, it's so true.
Wrappers in general are such an issue in software. Wrappers built on top of wrappers, this desire to abstract everything away makes things look simpler, but every layer slows things down and hides what is actually happening. Every wrapper is another layer of complexity, another hoop to jump through when you're looking for a solution to a problem.
by majicDave
5/10/2026 at 4:17:32 AM
[dead]by nullsanity
5/9/2026 at 7:05:31 PM
Of course is the architecture and the creator of such a thing, isn’t the point of a tool like that for users that don’t have the tech knowledge? I have only used those systems on shared hosting, host providers are the one maintaining and should be keeping them up to date and WHM/Cpnel have plenty of customers to worry too patch holes, if they can’t then who’s fault is it, Architecture, or provider? Hope is the customers fault?by ricardonunez
5/9/2026 at 8:02:34 PM
I would worry less about big shared hosting providers, who have a strong interest in patching their stuff quickly, than the market of people who get one or two dedicated servers or KVM VMs and then install cpanel on them and for the rest of the time they use it, ignore the CLI of the servers and never patch anything. There's a lot of small users of cpanel that have just a few licenses.by walrus01
5/10/2026 at 12:44:14 PM
You misunderstood the scope and severity of the bug entirely.Yes, if you are a single tenant, this diminishes defense in depth, so an attacker that gets access with a user like www-data can escalate to root, sure.
But more importantly, on multi-tenant systems, one tenant can get root and pwn all the other tenants.
Big shared hosting providers are the most vulnerable, 'just patching' stuff might work sure, but there's several scenarios where it might not be enough, like lightning striking twice as it just happened. Or an attacker getting in before the patch.
by TZubiri
5/10/2026 at 8:37:05 PM
I understand the concept of a local privilege escalation just fine, thanks. My point was that large hosting providers are much more likely to have people paying attention to patching these things (and possibly, worst case scenario as you describe, mitigating things if someone does compromise a shared hosting system). Individual one-off cpanel instances may have nobody paying attention to security issues for months or years at a time until something totally breaks.by walrus01