A targeted security release from cPanel was scheduled for Wednesday (5/20) but was published around 12 hours early because of a critical privilege escalation vulnerability discovered in the LiteSpeed cPanel plugin. We had already been made aware of this and uninstalled the plugin in question immediately. It remains uninstalled on all of our servers as a precaution since it is not necessary and rarely used. There were two separate updates to this plugin over a short period, both addressing critical vulnerabilities. Details of the patched cPanel vulnerabilities are not public at this time.
A second cPanel update was released just a day later (5/21) to address vulnerabilities patched in Unbound. Nginx-related updates were also made available but do not impact us. We’ll continue to stay on top of these for you.