ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-32992 — Disabled SSL Verification in cPanel DNS Cluster Enables Credential Interception

A short review of CVE-2026-32992, a high severity improper certificate validation flaw in cPanel and WHM's DNS Cluster system that could allow credential theft via man in the middle attacks. Includes patch details across all affected branches.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-13

Brief Summary: CVE-2026-32992 — Disabled SSL Verification in cPanel DNS Cluster Enables Credential Interception
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Disabled SSL verification in cPanel's DNS Cluster system means that every zone synchronization request between cluster nodes was susceptible to credential interception by anyone with a network position between them. For hosting providers running cPanel and WHM, which collectively power infrastructure behind 60 million domains and 27 million users worldwide, this flaw (CVE-2026-32992, CVSS 8.2) quietly undermined the trust model that keeps DNS cluster communications secure.

Technical Information

Root Cause: Improper Certificate Validation (CWE-295)

The vulnerability falls under CWE-295, Improper Certificate Validation. When a product does not validate or incorrectly validates a certificate, it compromises the integrity and authentication of the connection. In this case, SSL verification was not fully enforced in the DNS Cluster system's outbound requests.

A DNS cluster in cPanel is a group of nameservers that share records, allowing administrators to physically separate nameservers that handle DNS requests from the web servers hosting content. In a typical deployment, changes to DNS are made on the WHM web server and are automatically propagated out to DNSOnly servers, which serve as the authoritative nameservers for all domains on the web servers. This synchronization requires authenticated communication between nodes.

Because SSL verification was disabled, the requesting server would accept any certificate presented by the remote endpoint, including a fraudulent one. The product might connect to a malicious host while believing it is a trusted host, or it might be deceived into accepting spoofed data that appears to originate from a trusted host. This breaks the secure boundary between cluster nodes and exposes the administrative credentials used for synchronization.

Attack Flow

An attacker would exploit this vulnerability through the following sequence:

  1. Gain a network position between two DNS Cluster nodes. This could be achieved via ARP spoofing on a shared network segment, BGP hijacking, or compromise of an intermediate routing device. Shared hosting environments or cloud deployments where multiple tenants share network infrastructure are particularly relevant.

  2. Intercept the TLS handshake. When the WHM server initiates a synchronization request to a DNSOnly node, the attacker intercepts the connection and presents their own certificate.

  3. Exploit the missing validation. Because SSL verification is disabled, the WHM server accepts the fraudulent certificate without checking the certificate chain, common name, or any other trust indicator. The TLS session is established with the attacker's endpoint.

  4. Capture credentials. The WHM server transmits the synchronization request, including authentication credentials, to what it believes is the legitimate DNSOnly node. The attacker captures these credentials in plaintext (from their perspective as the TLS termination point).

  5. Leverage captured credentials. With valid cluster credentials, the attacker can authenticate directly to DNS Cluster nodes, potentially manipulating DNS zones, redirecting traffic, or pivoting further into the hosting infrastructure.

The severity of this attack scales with the network topology. Clusters where nodes communicate across untrusted network segments (different data centers, cloud regions, or providers) face the highest risk.

Patch Information

cPanel released patches on May 13, 2026, addressing the improper SSL certificate validation within the DNS Cluster subsystem. The fix re-enables and properly enforces SSL/TLS certificate verification on all DNS Cluster communications, ensuring that the system validates the remote server's certificate chain before transmitting sensitive data. This closes the window for credential interception via rogue or compromised intermediate servers.

The patch was coordinated through HackerOne (the CNA for this CVE) and released simultaneously across all supported cPanel and WHM branches, indicating it was a relatively contained code change specifically targeting the TLS configuration in the DNS Cluster request pipeline rather than a broader architectural rework.

Patched cPanel and WHM versions (update to any of these or later):

BranchFirst Patched Version
12611.126.0.59
13011.130.0.23
13211.132.0.32
13411.134.0.26
13611.136.0.10

For WP Squared users, the fix ships in version 11.136.1.12 and higher.

All subsequent releases on every branch also include the fix. To apply the patch, administrators should force an update:

# /scripts/upcp --force

After the update completes, confirm the installed version:

# /usr/local/cpanel/cpanel -V

Both web servers and DNSOnly nodes in the cluster must be updated. Leaving any single node unpatched maintains a vulnerable link in the cluster. Detailed changelogs for each branch are available at the cPanel changelog page.

Operational Checklist

  1. Identify all servers running cPanel, WHM, WP Squared, and cPanel DNSOnly.
  2. Execute the forced update script on all identified nodes.
  3. Capture and log the version output from every server to confirm the fleet meets the minimum patched versions listed above.
  4. Monitor network logs for any anomalous inter-server communication that might indicate attempted spoofing prior to the patch application.

Affected Systems and Versions

The vulnerability impacts all cPanel and WHM installations from version 126 onward that have not been updated to the patched releases:

ProductVulnerable VersionsMinimum Patched Version
cPanel and WHMBranch 126 (prior to 11.126.0.59)11.126.0.59
cPanel and WHMBranch 130 (prior to 11.130.0.23)11.130.0.23
cPanel and WHMBranch 132 (prior to 11.132.0.32)11.132.0.32
cPanel and WHMBranch 134 (prior to 11.134.0.26)11.134.0.26
cPanel and WHMBranch 136 (prior to 11.136.0.10)11.136.0.10
WP SquaredBranch 136 (prior to 11.136.1.12)11.136.1.12

Any server configured to participate in a DNS Cluster is affected. Standalone cPanel installations that do not use DNS Cluster functionality are not directly exposed to this specific attack vector, though updating remains advisable as a defense in depth measure.

Vendor Security History

The cPanel ecosystem has seen other critical vulnerabilities in recent months. In April 2026, CVE-2026-41940 was disclosed: a severe authentication bypass vulnerability affecting all cPanel and WHM versions after 11.40. This pattern of high severity findings in core authentication and trust mechanisms suggests that security researchers are actively auditing cPanel's infrastructure components.

cPanel has demonstrated responsiveness by releasing coordinated patches across five different version branches simultaneously and providing clear, actionable update instructions. The May 13, 2026 release addressed five CVEs in total, indicating an active maintenance and discovery cadence.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization