Active Exploitation of cPanel Flaw Hits Government Networks

By MRAdmin

Active exploitation of cPanel vulnerability CVE-2025-0012 has led to breaches of government and military servers, with attackers deploying web shells for persistent access.

Attack Vector and Vulnerability Details

A critical security vulnerability in cPanel software is being actively exploited by threat actors to breach sensitive government and military servers. The flaw, identified as CVE-2025-0012, allows unauthorized remote attackers to bypass authentication mechanisms and execute arbitrary commands on affected systems. Researchers from the National Cybersecurity Alert Team first observed exploitation attempts targeting web hosting environments run by federal agencies.

Impact and Scope

The attacks have compromised multiple high-value targets, including unclassified military logistics platforms and state-level administrative portals. Once attackers gain initial access, they deploy web shells to maintain persistence and tunnel further into internal networks. Security advisories urge administrators to immediately patch all cPanel installations running versions prior to 11.108.0.8. The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalog.

Remediation Guidance

System administrators should prioritize updating cPanel to the latest patched release and conduct forensic audits for indicators of compromise, such as unexpected cron jobs or modified .htaccess files. Organizations hosting sensitive data on cPanel servers are advised to enable multi-factor authentication and restrict administrative interface access to trusted IP addresses. Immediate review of access logs for anomalous XMLRPC requests is also recommended.
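One way to carry out the access-log review described above, combined with the trusted-IP restriction, is to list every XMLRPC request that came from outside the trusted networks. This is an added example, not code from the article or from cPanel. It assumes an Apache-style combined log format, a case-insensitive match on "xmlrpc" in the request path, and a hypothetical trusted range; the log lines are constructed samples.

```python
import ipaddress
import re
from collections import Counter

# Assumption: admin access is only expected from these networks (documentation range).
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Assumption: Apache-style common/combined log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines, not taken from any real incident.
SAMPLE_LOG = """\
192.0.2.10 - admin [12/Jan/2025:09:14:02 +0000] "POST /xmlrpc HTTP/1.1" 200 512
198.51.100.7 - - [12/Jan/2025:09:15:40 +0000] "POST /xmlrpc HTTP/1.1" 401 230
198.51.100.7 - - [12/Jan/2025:09:15:41 +0000] "POST /XMLRPC HTTP/1.1" 200 1890
203.0.113.5 - - [12/Jan/2025:09:16:00 +0000] "GET /index.html HTTP/1.1" 200 4096
not a log line
"""

def is_trusted(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable client field is treated as untrusted
    return any(ip in net for net in TRUSTED_NETS)

def review_xmlrpc(log_text):
    """Return (findings, per-IP counts, skipped line count) for untrusted XMLRPC requests."""
    findings, counts, skipped = [], Counter(), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1  # keep a count so malformed lines are not silently lost
            continue
        if "xmlrpc" not in m["path"].lower() or is_trusted(m["ip"]):
            continue
        counts[m["ip"]] += 1
        findings.append((m["ts"], m["ip"], m["method"], m["path"], int(m["status"])))
    return findings, counts, skipped

if __name__ == "__main__":
    findings, counts, skipped = review_xmlrpc(SAMPLE_LOG)
    for ts, ip, method, path, status in findings:
        print(f"{ts} {ip} {method} {path} -> {status}")
    print(f"per-source totals: {dict(counts)}; unparsed lines: {skipped}")
```

Untrusted sources that received a 2xx response are the ones to examine first, alongside the cron and .htaccess checks.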

Source: Cyber Security News
