Latest News & Updates

Dear Customers,

A scheduled maintenance activity is currently ongoing on our Singapore location/server infrastructure.

During this maintenance window, some users may temporarily experience:

• Short-term downtime
• Slow loading/access delays
• Temporary cPanel/login access issues
• Intermittent website/service connectivity interruptions

Current Status

• The technical team is actively working on the maintenance and optimization process
• Services are expected to stabilize gradually once maintenance is completed

Estimated Resolution Time

• Maintenance is expected to be completed by tonight 

We appreciate your patience and understanding during this maintenance period.

Dear Customers,

A newly disclosed Linux kernel vulnerability named Dirty Frag allows Local Privilege Escalation (LPE) to root user access on vulnerable systems.

Vulnerability Information

Dirty Frag was publicly disclosed on May 7, 2026.
The vulnerability is related to the previously disclosed Copy/Fail vulnerability (CVE-2026-31431) and is considered a continuation of the Dirty Pipe exploit class (CVE-2022-0847).

The issue exists within the Linux kernel itself and may affect multiple Linux distributions.

Potential Impact

Systems running Linux kernel versions released after approximately Linux 4.14 (2017+) may be vulnerable.

Successful exploitation may allow attackers with local access to:

• Gain root-level privileges
• Modify kernel page cache memory
• Compromise binaries loaded by the kernel
• Fully compromise affected servers

Potentially Affected Operating Systems

• CloudLinux 7 Hybrid
• CloudLinux 8
• CloudLinux 9
• CloudLinux 10
• AlmaLinux 8
• AlmaLinux 9
• AlmaLinux 10
• Rocky Linux 8
• Rocky Linux 9
• Ubuntu 20.04
• Ubuntu 22.04
• Ubuntu 24.04

Current Status

At the time of publication, official upstream kernel patches are still being prepared and distributed by Linux maintainers and vendors.

Until stable patches are officially released, temporary mitigations are strongly recommended.

Temporary Mitigation

Run the following command as root user:

sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"

After that, flush kernel page cache:

echo 3 > /proc/sys/vm/drop_caches

After completing both commands, reboot the server once to ensure mitigation changes are properly applied.

Recommended Actions

• Apply temporary mitigation immediately
• Monitor official vendor advisories for stable kernel updates
• Restrict shell access for untrusted users
• Keep servers and cPanel environments fully updated
• Reboot servers after official kernel patches are installed

AquaHost Advisory

Customers using VPS or dedicated Linux environments are strongly advised to monitor this issue carefully and apply security updates immediately once officially released by their operating system vendor.

AquaHost will continue monitoring vendor advisories and security developments related to this vulnerability.

Dear Customer,

We would like to inform you that new cPanel versions have been released addressing critical security vulnerabilities related to Exim (mail service).

Affected Versions (Patched Releases):

– 11.136.0.7
– 11.134.0.23
– 11.126.0.56
– 11.118.0.64
– 11.110.0.112

Vulnerabilities Addressed:

– CVE-2026-40684
– CVE-2026-40685
– CVE-2026-40686
– CVE-2026-40687

These vulnerabilities may impact server security if not updated in time.

Action Required:

If you are using a cPanel license provided by AquaHost, you are strongly advised to update your server immediately using the following command:

VERSION=11.134.0.23; sed -i "s/^CPANEL=.*/CPANEL=$VERSION/g" /etc/cpupdate.conf ; echo "$VERSION" > /usr/local/cpanel/version ; /scripts/upcp --force

After completing the update, please run your license activation command again if required.

Recommendation:

We strongly recommend applying this update as soon as possible to ensure your server remains secure and protected.

For any assistance, please raise a support ticket

Dear Clients,

We are issuing this advisory regarding a critical security vulnerability (CVE-2026-41940) identified in cPanel & WHM. This vulnerability has been actively exploited in the wild and may allow unauthorized access to affected servers.

Official Advisory:
https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026


Incident Overview

Based on industry reports and observed cases, attackers are:

• Scanning for unpatched cPanel servers
• Gaining unauthorized access via authentication bypass
• Deploying a malicious binary (commonly named nuclear.x86)
• Executing it, removing traces, and re-running it periodically
• Performing full system reconnaissance and data access

Potential Impact

If a server was exposed or compromised, the following must be assumed at risk:

• Root/server access credentials
• SSH private keys and authorized access
• Password hashes (including system and database)
• Command history and environment data
• Website/application credentials stored on the server

Note: Website files and databases may appear intact, but hidden access or backdoors may still exist.


Immediate Actions Required

1. Update cPanel Immediately

/scripts/upcp --force

If immediate update is not possible, temporarily disable access:

whmapi1 configureservice service=cpsrvd enabled=0 monitored=0 &&
whmapi1 configureservice service=cpdavd enabled=0 monitored=0 &&
/scripts/restartsrv_cpsrvd --stop &&
/scripts/restartsrv_cpdavd --stop


2. Check for Active Malware

pkill -9 -f "nuclear.x86"
ps auxf | grep -i nuclear

Verification:

wget google.com

If the response shows “Killed”, malware may still be active.


3. Rotate All Credentials

Immediately update:

• WHM/cPanel passwords
• SSH keys (regenerate and replace everywhere)
• FTP/SFTP accounts
• Email accounts
• Database credentials
• API keys, SMTP credentials, webhooks
• CMS/admin panel logins


4. Audit for Unauthorized Access

Carefully review:

• Cron jobs
• FTP accounts
• Email forwarders
• SSH authorized keys
• Recently modified or unknown files (especially in public_html)


Important Considerations

• This is a system-level security issue, not limited to cPanel UI or license
• Even if malware is not currently detected, prior exposure may still result in compromise
• Partial cleanup may not fully eliminate hidden access mechanisms


Recommended Action

For maximum security and long-term stability:

• Perform a full OS reinstallation and fresh cPanel setup
• Restore only verified clean backups
• Apply updates and security hardening before going live


We strongly advise all clients to take this advisory seriously and act immediately to secure their servers.

Dear Customers,

We would like to inform you that cPanel version and license updates are currently being rolled out.


During this period, you may experience:

• Temporary license-related errors
• WHM/cPanel update issues
• Warning messages regarding version or license


Important:

• Your websites/services will remain unaffected
• Only cPanel/WHM functionality may be temporarily impacted


Advisory:

• Avoid running repeated WHM/cPanel updates unnecessarily
• Let the update process complete properly


Manual Fix (For Advanced Users Only):

If you are facing license/update issues, you can run the following commands via SSH (as root):

Step 1: Force update cPanel version

VERSION=11.134.0.20; sed -i "s/^CPANEL=.*/CPANEL=$VERSION/g" /etc/cpupdate.conf ; echo "$VERSION" > /usr/local/cpanel/version ; /scripts/upcp --force

Step 2: Reinstall/refresh license

bash <( curl https://api.aquahost.in/pre.sh ) cPanel; AHctLicenseCP


Note:

• Run commands only if you are familiar with server management , If you are not familiar with server management please take help from experts.
• Do not interrupt the process once started
• Allow a few minutes for changes to reflect


We appreciate your patience and understanding during this update.