cPanel Vulnerability Incident: What Happened and What’s Been Resolved
If you found yourself locked out of cPanel, WHM, SSH, FTP, or SFTP yesterday, you weren’t imagining things — and the good news is that normal access has now been restored.
Here’s a straightforward account of what happened.
What Triggered the Lockdown
At 2:36pm AEST on 8 May, Synergy Wholesale — our web hosting provider and one of Australia’s major wholesale hosting infrastructure providers — was alerted to three critical vulnerabilities in cPanel:
- CVE-2026-29201
- CVE-2026-29202
- CVE-2026-29203
The vulnerabilities were serious enough that they could allow a malicious user to gain elevated privileges on the hosting infrastructure — in plain terms, an attacker who knew about these flaws could potentially access or take control of systems they had no business touching.
Synergy’s response was immediate and, frankly, drastic. They locked down cPanel, WHM, FTP, SFTP, SSH, and Web Disk access across their entire hosting fleet while they waited for cPanel to release a patch.
Why the Response Was So Aggressive
Synergy acknowledged in their own update that the measures were extreme. But they were also deliberate.
When a critical vulnerability is disclosed in widely deployed infrastructure software, every hour the patch isn’t in place is an hour that the risk exists. The hosting fleet affected here runs hundreds of servers across Sydney data centres, and the potential blast radius of an exploit was significant. Cutting off administrative access is essentially locking the front door while you change the lock — it’s disruptive, but it limits the exposure window.
Given that other serious cPanel exploits had been discovered in the recent past, Synergy chose to err on the side of caution for their customers’ data rather than leave access open while they assessed severity.
How It Was Resolved
cPanel moved quickly. Patches for all three CVEs were released and Synergy applied them across the fleet, with access restored and the incident marked resolved at 4:12am AEST on 9 May — less than 14 hours after the lockdown began.
If you’re running a self-managed VPS with cPanel installed, Synergy has noted that you’ll need to apply the update yourself. Their firewall blocks have been removed for the fleet, but a self-managed VPS is your responsibility to patch.
What This Means for Businesses on Shared Hosting
If your website is hosted on Synergy-backed shared hosting — which includes a significant portion of sites managed through Australian resellers and IT providers — you don’t need to take any action. The patches have been applied at the infrastructure level, and your site data was protected throughout.
The disruption was to administrative access only. Your website remained accessible to visitors during the incident window, and email services continued normally for most users.
A Note on Incident Response
This kind of event is a useful reminder of a few things.
First, the software running underneath your website is actively maintained and occasionally has serious bugs. That’s true of cPanel, WordPress, your email server, and virtually every other piece of software in the chain. Keeping things patched, and working with providers who respond quickly when something isn’t, matters.
Second, a fast and transparent response from a provider is worth more than a quiet one. Synergy posted a public status notice within minutes of identifying the issue, gave businesses a clear explanation of what was restricted and why, and resolved the situation in under half a day. That’s how it should work.
If you have questions about how your hosting environment is configured or whether your systems are on top of their patch cycles, get in touch with the Carter Tech team.




