+91 80401 38000[email protected]24/7 Expert Support
[email protected]Client Portal →
ServerGurus
← All posts
SecuritycPanelHosting

cPanel File Manager Can Access Symlinks That SSH Cannot

By ServerGurus10 July 20263 min read
cPanel File Manager Can Access Symlinks That SSH Cannot

cPanel confirmed something on July 9 that every shared hosting provider should know about: symlinks that are blocked via SSH can still be accessed through File Manager.

If you run cPanel servers with multiple tenants, this matters. Here is why, what cPanel is doing about it, and what you should do in the meantime.

What cPanel Acknowledged

The official support article is straightforward. A cPanel user logs into File Manager and can follow symlinks to files that the same user cannot reach through SSH. The SSH restriction comes from CageFS, open_basedir, or standard filesystem permissions. File Manager runs as the cPanel user but bypasses those SSH-level restrictions.

cPanel opened internal case CPANEL-47200 to track this. No patch has shipped yet.

Why This Matters for Shared Hosting

On a typical shared hosting server with 200 or 300 accounts, CageFS is supposed to be the wall between tenants. Each user is jailed to their home directory. Symlinks pointing outside that jail should be dead ends for that user.

File Manager circumvents that wall. A symlink that SSH refuses to follow, File Manager happily traverses. This means a compromised WordPress account could theoretically create a symlink to /etc/passwd, /home/otheruser/wp-config.php, or any world-readable file, and the attacker can read it through File Manager without ever touching SSH.

The attack does not require root. Just a cPanel account and File Manager access. That is every shared hosting customer.

The LiteSpeed Angle

This is not happening in isolation. In May 2026, researchers documented an actively exploited LiteSpeed cPanel plugin vulnerability that also involves symlink mishandling. The LiteSpeed plugin processes symlinks differently from what CageFS and Apache expect, allowing authenticated users with FTP or web shell access to read files outside their jail.

If you run LiteSpeed on cPanel, you have two overlapping symlink bypass vectors right now. Neither has a full vendor fix.

How ServerGurus Handles Multi-Tenant Isolation

Our shared and reseller hosting runs CloudLinux with CageFS, but we do not stop at the defaults. Every server gets additional hardening:

  • Custom kernel-level symlink protection via fs.protected_symlinks and fs.protected_hardlinks
  • Restricted File Manager access for reseller accounts
  • Proactive monitoring for symlink creation patterns across user directories
  • Weekly security audits that specifically check for cross-account file access

If a cPanel-level vulnerability like CPANEL-47200 ships without a fix, our team applies compensating controls at the filesystem and kernel level before the patch arrives. That is the difference between managed hosting and renting a server.

What You Can Do Right Now

If you manage your own cPanel servers, here is what helps today:

Enable kernel symlink protection. These sysctl settings restrict symlink following in ways that apply to all processes, including File Manager:

sysctl -w fs.protected_symlinks=1
sysctl -w fs.protected_hardlinks=1

Audit existing symlinks. Find symlinks pointing outside user home directories:

find /home -type l -lname '/etc/*' -o -lname '/home/*' | while read link; do
  target=$(readlink -f "$link")
  owner=$(stat -c '%U' "$link")
  echo "$owner: $link -> $target"
done

Restrict File Manager. If your customers do not need File Manager, disable it in Feature Lists (WHM > Feature Manager). For customers who need it, restrict it to specific packages.

Monitor cPanel updates. Bookmark the cPanel support article and check for updates on CPANEL-47200. When a fix ships, apply it immediately.

The Bottom Line

cPanel File Manager bypasses SSH restrictions on symlinks. cPanel knows about it. There is no fix yet. If you run shared hosting, apply the kernel-level protections above and audit your symlinks today.

If you would rather not chase cPanel security advisories at 11 PM, our managed hosting handles this kind of hardening automatically. See managed cPanel hosting plans or talk to us.

Ready to build your infrastructure?

Get a quote from our Hyderabad-based team - Tier IV datacenter, real support, INR or USD billing.

View pricingRequest a quoteWhatsApp sales