PRESS RELEASE
CVE-2025-66429: Local Privilege Escalation in cPanel Due to Directory Traversal in Team Manager API
December 5, 2025
December 5, 2025 – SolidPoint security researcher Sergey Gerasimov, in collaboration with Philip Okhonko, Senior Application Engineer at FINRA, has discovered a critical security vulnerability in cPanel, the industry-leading web hosting control panel platform. The vulnerability was responsibly disclosed to cPanel and has been assigned CVE-2025-66429.
Affected Versions
cPanel versions 130.0.15 and earlier are affected. The vulnerability has been patched in version 130.0.16. For more details, see the cPanel changelog.
About cPanel
cPanel is the world's most popular web hosting control panel, powering millions of websites globally. As the industry standard for web hosting automation, cPanel provides comprehensive management tools for web hosting providers and website owners, including domain management, email configuration, file management, database administration, and security features. The platform is deployed across thousands of hosting providers worldwide, making it a critical component of internet infrastructure.
Vulnerability Discovery
The research team discovered this critical vulnerability during a collaborative security research project. The flaw allows unprivileged local users to gain root access, presenting a severe risk given cPanel's widespread use in shared hosting environments where multiple customers share the same infrastructure.
The vulnerability has been assigned a CVSS v4.0 score of 9.3 (Critical): CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H.
Given the significant impact and exposure surface, with over one million active websites relying on cPanel, the research team will withhold technical details until affected installations have had sufficient time to apply security updates.
Disclosure Timeline
The vulnerability was discovered on November 4, 2025. cPanel's security team was immediately notified and provided with comprehensive technical documentation regarding the issue. cPanel acknowledged the report and released a patched version on November 5, 2025. To reduce the likelihood of exploitation, no public information about the vulnerability was disclosed until December 1, 2025.
The research team plans to publish additional technical details at a later date, once affected organizations have had adequate time to upgrade their systems.
Credits
The vulnerability was discovered by Sergey Gerasimov of the SolidPoint security research team and Philip Okhonko, Senior Application Engineer at FINRA.