On April 28, 2026, cPanel released an emergency security update addressing a critical vulnerability affecting cPanel and WHM. The issue involves multiple authentication paths and may allow authentication bypass under specific conditions. DIGITAL PACIFIC has confirmed that this vulnerability is being treated as a high-severity security concern due to its potential impact on affected systems.

This article provides an overview of the issue, including its relevance to CentOS 6 environments, the actions being taken by DIGITAL PACIFIC, and the recommended steps customers should follow.

Why this matters specifically for CentOS 6

CentOS 6 reached end of life on November 30, 2020, and no longer receives security updates or vendor support. cPanel officially discontinued support for CentOS 6 starting with cPanel & WHM version 88, and modern cPanel releases are only supported on current operating systems such as AlmaLinux, Rocky Linux, and Ubuntu.

As a result:
  • Systems still running CentOS 6 are unable to receive security fixes for both the operating system and compatible cPanel components.
  • Key services such as cPanel, WHM, Webmail, Web Disk, and SSL-related functions may remain exposed to known and newly discovered vulnerabilities.
  • The only long-term resolution is migrating to a currently supported operating system to ensure continued security updates and vendor support.

What DIGITAL PACIFIC is doing

  • Restricting login access to cPanel and WHM on selected VPS and Dedicated servers running CentOS 6 to reduce potential exposure to the vulnerability.
  • Restricting access on commonly used cPanel service ports on affected CentOS 6 servers, including:  
    • cPanel: 2082 (HTTP), 2083 (HTTPS)
    • WHM: 2086 (HTTP), 2087 (HTTPS)
    • Webmail: 2095 (HTTP), 2096 (HTTPS)
    • WebDisk: 2077 (HTTP), 2078 (HTTPS)
  • Providing migration and upgrade options from CentOS 6 to currently supported operating systems.
  • During this period, you may notice the following while we have the firewall rules in place:
    • cPanel and WHM web interfaces are unreachable from the public internet.
    • Webmail and Web Disk over standard cPanel ports may be temporarily unavailable.
    • SSL and non-SSL connections specifically to ports 2083/2087 are blocked.
    • Your hosted websites, databases, and email delivery (SMTP/IMAP/POP) continue to operate normally.

What you should do now

  1. You can still log in to the server (SSH or the console in the portal).
  2. Update cPanel by running /scripts/upcp as root, per cPanel documentation. If this fails, please contact DIGITAL PACIFIC customer support.
  3. Do not attempt to disable the firewall rules. They are in place to protect your data while a fix is coordinated.
  4. Upgrade from CentOS 6 to a newer operating system, such as AlmaLinux, Rocky Linux, or Ubuntu.
  5. Take a fresh backup of your sites, databases, and email accounts. If your server has been online and exposed in recent weeks, treat backups as a precaution rather than a recovery path.
  6. Audit recent activity in /usr/local/cpanel/logs/access_log and the WHM Login History for unfamiliar IP addresses or login times.
  7. Confirm SSH key-based authentication is enabled, and password authentication is disabled where possible.
  8. Once upgraded to a server with a supported OS, verify your cPanel build matches one of the patched versions listed below.
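
For the log audit in step 6, the following is an added example, not cPanel or DIGITAL PACIFIC tooling: it counts authenticated requests per IP and user, skipping the addresses you list as your own. It assumes a common-log-style line layout (client IP in field 1, authenticated user in field 3); the sample lines and all IP addresses are constructed.

```shell
#!/bin/sh
# Added example, not cPanel or DIGITAL PACIFIC tooling.
# Assumed line layout (common-log style): field 1 = client IP,
# field 3 = authenticated user, or "-" when the request was not authenticated.

# unfamiliar_logins LOGFILE [KNOWN_IP...]
# Prints "count ip user" for each authenticated (ip, user) pair whose IP is
# not in the known list, busiest first.
unfamiliar_logins() {
    log=$1; shift
    awk -v known=" $* " '
        $3 != "-" && index(known, " " $1 " ") == 0 { seen[$1 " " $3]++ }
        END { for (k in seen) print seen[k], k }
    ' "$log" | sort -k1,1nr -k2,2
}

# Constructed sample lines using documentation address ranges (not real data).
sample_log() {
    cat <<'EOF'
203.0.113.10 - root [04/27/2026:09:01:12 -0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/5.0" "s" "-" 2087
198.51.100.7 - root [04/27/2026:02:14:09 -0000] "GET / HTTP/1.1" 200 0 "-" "curl/8.0" "s" "-" 2087
198.51.100.7 - root [04/27/2026:02:14:31 -0000] "GET / HTTP/1.1" 200 0 "-" "curl/8.0" "s" "-" 2087
192.0.2.44 - - [04/27/2026:03:40:02 -0000] "GET /login HTTP/1.1" 401 0 "-" "Mozilla/5.0" "s" "-" 2083
192.0.2.44 - alice [04/27/2026:03:40:20 -0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/5.0" "s" "-" 2083
EOF
}

# Usage on a server, with your own admin IPs as the known list:
#   unfamiliar_logins /usr/local/cpanel/logs/access_log 203.0.113.10
```

Compare any address it reports against the WHM Login History before treating it as unfamiliar.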

Patched cPanel versions

After upgrading to a supported operating system, ensure your cPanel and WHM build is at or above one of the following:
  • 11.110.0.97
  • 11.118.0.63
  • 11.126.0.54
  • 11.132.0.29
  • 11.134.0.20
  • 11.136.0.5
You can verify your build under WHM → Server Configuration → Server Status, or by running /usr/local/cpanel/cpanel -V from the command line.
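
One way to script this check, as an added example rather than cPanel or DIGITAL PACIFIC code: it compares a build against the patched build of the same release branch, so a build such as 11.118.0.10 is not counted as patched merely because it is numerically above 11.110.0.97. Reading the list per branch is an assumption, as is the alternate `110.0 (build 97)` input form; branches not in the list are reported as unknown.

```shell
#!/bin/sh
# Added example, not cPanel or DIGITAL PACIFIC tooling.
# Minimum patched build for each release branch, copied from the list above.
PATCHED="11.110.0.97 11.118.0.63 11.126.0.54 11.132.0.29 11.134.0.20 11.136.0.5"

# check_build VERSION
# Prints "patched", "unpatched" or "unknown" and returns 0, 1 or 2.
# VERSION is the dotted form used in the list (11.118.0.63). The form
# "118.0 (build 63)" is also accepted; that form is an assumption.
check_build() {
    v=$(printf '%s\n' "$1" |
        sed -E 's/^([0-9]+)\.([0-9]+) \(build ([0-9]+)\)$/11.\1.\2.\3/')

    # Anything that is not four dot-separated numbers cannot be judged.
    if ! printf '%s\n' "$v" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; then
        echo unknown
        return 2
    fi

    branch=${v%.*}   # release branch, e.g. 11.118.0
    build=${v##*.}   # build number within the branch, e.g. 63

    for p in $PATCHED; do
        if [ "${p%.*}" = "$branch" ]; then
            if [ "$build" -ge "${p##*.}" ]; then
                echo patched
                return 0
            fi
            echo unpatched
            return 1
        fi
    done

    # Branch is not in the list, so the list cannot confirm it either way.
    echo unknown
    return 2
}

# Usage on a server:
#   check_build "$(/usr/local/cpanel/cpanel -V)"
```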

Frequently asked questions

Is my data still safe?
DIGITAL PACIFIC has applied network-level controls to limit exposure on CentOS 6 servers. Your sites and databases remain online; only the cPanel/WHM management interfaces are temporarily restricted to prevent unauthorized access.

Why can’t DIGITAL PACIFIC just patch CentOS 6?
cPanel does not produce security updates for cPanel and WHM on CentOS 6. Because of this, DIGITAL PACIFIC recommends upgrading to a newer operating system, such as AlmaLinux, Rocky Linux, or Ubuntu.

How long will the firewall block be in place?
The block on ports 2083 and 2087 will remain until your server is upgraded to a supported operating system on a patched cPanel build.

Do I need to do anything if I’ve already upgraded off CentOS 6?
Yes, confirm your cPanel and WHM build matches one of the patched versions listed above. If automatic updates are enabled on your server, it should already be running a patched build.

How do I get off CentOS 6 and onto a patched version of cPanel?
The best way to get off CentOS 6 is to upgrade to a newer operating system, such as AlmaLinux, Rocky Linux, or Ubuntu.

How do I upgrade CentOS 6?
You can upgrade from CentOS 6 to a newer operating system such as CentOS 7, AlmaLinux, Rocky Linux, or Ubuntu. However, this requires the server to be reimaged. VPS and Dedicated servers running cPanel do not support in-place upgrades between major CentOS versions, which means the existing server must be completely deleted and replaced with a new, clean server instance.

If you opt to upgrade to CentOS 7, you may contact our Customer Support or Sales Team.

