
A newly disclosed zero-day in CyberPanel — one of the most widely deployed open-source hosting control panels — allows any authenticated user, even one with the lowest possible privilege level, to escalate straight to root on the underlying server. There is no patch, no CVE, and as of publication, no confirmation that the vendor has even been notified.
The flaw was uncovered through an independent source-code audit of CyberPanel's GitHub repository and confirmed against a fresh 2.4.x install on Ubuntu 22.04. The only requirement for exploitation is owning a single website on the panel — the bare minimum access tier any hosting customer would have.
That detail is what makes this so dangerous for shared hosting environments in particular. A single malicious or compromised tenant account doesn't just risk their own site — it risks every other customer on the same box: other people's databases, email, SSH keys, and credentials.
According to the researcher's write-up, the underlying issue traces back to how CyberPanel handles certain internal request parameters, combined with insufficiently restricted file-write operations carried out by a root-level backend process. Chained together, the two issues let a low-privilege account plant code that executes with full root privileges the next time any routine system process runs — something that happens on virtually every server within seconds, via cron or standard system maintenance tasks.
Security researchers are withholding proof-of-concept and exploit-chain details while disclosure is pending, given the absence of a fix.
For CyberPanel administrators, the priority right now is damage control rather than waiting on a patch. Recommended steps include restricting panel access to trusted accounts only, taking admin interfaces off the public internet where possible, auditing cron jobs and system configuration files for unauthorized changes, and watching for unexpected root-level processes.
This story will be updated as CyberPanel responds and a fix becomes available. If you manage CyberPanel infrastructure, treat this as urgent — and don't wait for a CVE number to act.