cPanel EasyApache4 update for Apache HTTP Server
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 8 |
| CVE-ID | CVE-2025-53020 CVE-2025-49812 CVE-2025-49630 CVE-2025-23048 CVE-2024-47252 CVE-2024-43394 CVE-2024-43204 CVE-2024-42516 |
| CWE-ID | CWE-399 CWE-310 CWE-254 CWE-116 CWE-918 CWE-113 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
EasyApache Server applications / Other server solutions |
| Vendor | cPanel, Inc |
Security Bulletin
This security bulletin contains information about 8 vulnerabilities.
1) Resource management error
EUVDB-ID: #VU112727
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-53020
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the server when handling HTTP/2 requests. A remote attacker can send multiple requests to the server and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsEasyApache: 4 25-1 - 4 25-23
CPE2.3- cpe:2.3:a:cpanel:easyapache:4:25-1:*:*:*:*:*:*
- cpe:2.3:a:cpanel:easyapache:4:25-2:*:*:*:*:*:*
- cpe:2.3:a:cpanel:easyapache:4:25-3:*:*:*:*:*:*
https://news.cpanel.com/easyapache4-v25-24-security-release/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Cryptographic issues
EUVDB-ID: #VU112728
Risk: Medium
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-49812
CWE-ID:
CWE-310 - Cryptographic Issues
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to he way certain mod_ssl configurations handle TLS upgrades. A remote attacker can launch an HTTP desynchronisation attack, which allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.
Note, only configurations using "SSLEngine optional" to enable TLS upgrades are affected.
MitigationInstall update from vendor's website.
Vulnerable software versionsEasyApache: 4 25-1 - 4 25-23
CPE2.3- cpe:2.3:a:cpanel:easyapache:4:25-1:*:*:*:*:*:*
- cpe:2.3:a:cpanel:easyapache:4:25-2:*:*:*:*:*:*
- cpe:2.3:a:cpanel:easyapache:4:25-3:*:*:*:*:*:*
https://news.cpanel.com/easyapache4-v25-24-security-release/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Resource management error
EUVDB-ID: #VU112729
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-49630
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources in mod_proxy_http2. A remote attacker can send specially crafted requests to the server and perform a denial of service (DoS) attack.
Successful exploitation of the vulnerability requires that the reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to "on".
MitigationInstall update from vendor's website.
Vulnerable software versionsEasyApache: 4 25-1 - 4 25-23
CPE2.3- cpe:2.3:a:cpanel:easyapache:4:25-1:*:*:*:*:*:*
- cpe:2.3:a:cpanel:easyapache:4:25-2:*:*:*:*:*:*
- cpe:2.3:a:cpanel:easyapache:4:25-3:*:*:*:*:*:*
https://news.cpanel.com/easyapache4-v25-24-security-release/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Security features bypass
EUVDB-ID: #VU112730
Risk: Medium
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-23048
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to access control bypass with session resumption in mod_ssl. A remote attacker can use the TLS 1.3 session resumption to bypass implemented access control.
Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.
MitigationInstall update from vendor's website.
Vulnerable software versionsEasyApache: 4 25-1 - 4 25-23
CPE2.3- cpe:2.3:a:cpanel:easyapache:4:25-1:*:*:*:*:*:*
- cpe:2.3:a:cpanel:easyapache:4:25-2:*:*:*:*:*:*
- cpe:2.3:a:cpanel:easyapache:4:25-3:*:*:*:*:*:*
https://news.cpanel.com/easyapache4-v25-24-security-release/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Improper Encoding or Escaping of Output
EUVDB-ID: #VU112731
Risk: High
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2024-47252
CWE-ID:
CWE-116 - Improper Encoding or Escaping of Output
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to manipulate data in log files.
The vulnerability exists due to improper input validation in mod_ssl. In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files. A remote attacker can manipulate contents of log files.
MitigationInstall update from vendor's website.
Vulnerable software versionsEasyApache: 4 25-1 - 4 25-23
CPE2.3- cpe:2.3:a:cpanel:easyapache:4:25-1:*:*:*:*:*:*
- cpe:2.3:a:cpanel:easyapache:4:25-2:*:*:*:*:*:*
- cpe:2.3:a:cpanel:easyapache:4:25-3:*:*:*:*:*:*
https://news.cpanel.com/easyapache4-v25-24-security-release/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Server-Side Request Forgery (SSRF)
EUVDB-ID: #VU112732
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-43394
CWE-ID:
CWE-918 - Server-Side Request Forgery (SSRF)
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input when handling UNC paths on Windows. A remote attacker can trick the application into initiating requests to arbitrary systems and potentially leak NTLM hashes to a malicious server via mod_rewrite or apache expressions that pass unvalidated request input.
Note, the vulnerability affects Windows installations only.
Install update from vendor's website.
Vulnerable software versionsEasyApache: 4 25-1 - 4 25-23
CPE2.3- cpe:2.3:a:cpanel:easyapache:4:25-1:*:*:*:*:*:*
- cpe:2.3:a:cpanel:easyapache:4:25-2:*:*:*:*:*:*
- cpe:2.3:a:cpanel:easyapache:4:25-3:*:*:*:*:*:*
https://news.cpanel.com/easyapache4-v25-24-security-release/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Server-Side Request Forgery (SSRF)
EUVDB-ID: #VU112733
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-43204
CWE-ID:
CWE-918 - Server-Side Request Forgery (SSRF)
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input in mod_proxy . A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.
Note, the vulnerability exploitation requires an unlikely configuration where mod_headers is configured to modify the Content-Type request or response header with a value provided in the HTTP request.
MitigationInstall update from vendor's website.
Vulnerable software versionsEasyApache: 4 25-1 - 4 25-23
CPE2.3- cpe:2.3:a:cpanel:easyapache:4:25-1:*:*:*:*:*:*
- cpe:2.3:a:cpanel:easyapache:4:25-2:*:*:*:*:*:*
- cpe:2.3:a:cpanel:easyapache:4:25-3:*:*:*:*:*:*
https://news.cpanel.com/easyapache4-v25-24-security-release/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) HTTP response splitting
EUVDB-ID: #VU112734
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-42516
CWE-ID:
CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform HTTP splitting attacks.
The vulnerability exists due to software does not correctly process CRLF character sequences. A remote attacker with ability to manipulate the Content-Type response headers of applications hosted or proxied by the server can send specially crafted request containing CRLF sequence and make the application to send a split HTTP response.
Successful exploitation of the vulnerability may allow an attacker perform cache poisoning attack.
Note, this vulnerability exists due a missing fix for #VU88151 (CVE-2023-38709).
MitigationInstall update from vendor's website.
Vulnerable software versionsEasyApache: 4 25-1 - 4 25-23
CPE2.3- cpe:2.3:a:cpanel:easyapache:4:25-1:*:*:*:*:*:*
- cpe:2.3:a:cpanel:easyapache:4:25-2:*:*:*:*:*:*
- cpe:2.3:a:cpanel:easyapache:4:25-3:*:*:*:*:*:*
https://news.cpanel.com/easyapache4-v25-24-security-release/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
