CVE-2026-32992
WebPros · cPanel and WP Squared
SSL verification is disabled in the DNS Cluster system within cPanel and WP Squared, allowing for potential man-in-the-middle attacks.
Executive summary
A critical failure in SSL certificate validation within the cPanel and WP Squared DNS Cluster system exposes communications to man-in-the-middle interception and data tampering.
Vulnerability
This is an improper certificate validation vulnerability (CWE-295) affecting the DNS Cluster system. Because the software fails to verify SSL certificates, it is susceptible to man-in-the-middle (MitM) attacks where an attacker can impersonate a DNS cluster node.
Business impact
With a CVSS score of 8.2 (High), this flaw undermines the fundamental security of DNS cluster communications. An attacker positioned in the network path could intercept or modify sensitive DNS traffic, potentially leading to unauthorized redirection of traffic or credential theft.
Remediation
Immediate Action: Apply the vendor security updates immediately to ensure proper SSL certificate validation is re-enabled across all cluster nodes.
Proactive Monitoring: Review DNS cluster communication logs for signs of connection errors or unusual traffic patterns that might indicate a MitM attempt.
Compensating Controls: Restrict DNS cluster network access to trusted internal IP ranges only, reducing the likelihood of an attacker positioning themselves for a MitM attack.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The severity of this vulnerability necessitates an immediate update. Organizations relying on cPanel or WP Squared DNS clustering must patch to ensure that all inter-node communication is properly authenticated and encrypted, preventing trivial interception by network-level attackers.