Notices

Review of public NTP service exposure on UDP/123

Posted: Mon, 25 May 2026 04:21 AM UTC
Mon, 25 May 2026 00:21 AM EDT
Last Update: Mon, 25 May 2026 21:06 PM UTC (125 minutes ago)
Mon, 25 May 2026 17:06 PM EDT
Status: Open

We have recently scanned servers for potentially open NTP services on UDP port 123.

Time synchronization is important and should remain enabled. However, most VPS, web, and mail servers only need client-side time sync and do not individually need to provide public NTP services.

If you received an email with a link to this notice, your server was highlighted in our check.

Where appropriate, we may update the time setup so that the server continues to keep accurate time without exposing unnecessary ports. This may involve replacing the legacy 'ntp' daemon with a client-only time sync service such as 'systemd-timesyncd' or 'chrony', or otherwise restricting inbound access to UDP/123.

No service impact is expected. At most, the local time synchronization service may be restarted briefly.
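To see for yourself whether a server has a socket bound to UDP/123 beyond loopback, the following added shell example (not RimuHosting's own tooling) classifies the output of 'ss -uln'. The function name is hypothetical, and a listening socket can still be blocked by a firewall, so the result describes the local bind only.

```sh
#!/bin/sh
# Added example. Reads `ss -uln` style lines on stdin and prints one of:
#   exposed        a UDP/123 socket is bound to a non-loopback address
#   loopback-only  UDP/123 is bound, but only on 127.0.0.0/8 or ::1
#   closed         nothing is bound to UDP/123
# Field 4 of each line is the local "address:port" column.
ntp_exposure() {
    awk '$4 ~ /:123$/ {
        addr = $4
        sub(/:123$/, "", addr)
        if (addr ~ /^127\./ || addr == "[::1]")
            lo = 1
        else
            pub = 1      # 0.0.0.0, [::], * or a specific interface address
    }
    END { print (pub ? "exposed" : (lo ? "loopback-only" : "closed")) }'
}

# Check the running system when ss is installed.
if command -v ss >/dev/null 2>&1; then
    echo "UDP/123 on this host: $(ss -uln 2>/dev/null | ntp_exposure)"
fi
```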

#

Linux kernel vulnerability (Fragnesia)

Posted: Thu, 14 May 2026 05:18 AM UTC
Thu, 14 May 2026 01:18 AM EDT
Last Update: Mon, 25 May 2026 02:48 AM UTC (20 hours ago)
Sun, 24 May 2026 22:48 PM EDT
Status: Closed

Mon, 25 May 2026 01:37 AM UTC: Further updated kernels are now available on our hosts. These have tested as safe against all versions of this vulnerability we are aware of. We recommend that, if possible, all customers reboot into our latest default kernels as described below.

Mon, 18 May 2026 02:05 AM UTC: Our latest kernels are believed to be secure from the original bug. There is ongoing work by developers to patch this class of issues so we don't see them any more.

Fri, 15 May 2026 00:38 AM UTC: Added namespace mitigation instructions below.

---

A serious Linux kernel vulnerability has been publicly disclosed:

https://github.com/v12-security/pocs/tree/main/fragnesia

This issue has been allocated CVE-2026-46300, also known as Fragnesia. This targets the same components as the recently disclosed Dirtyfrag, but is a different vulnerability.

  • It does *not* affect our latest 4.14 kernels
  • Affects all servers running recent Linux kernels, including servers that have already been rebooted with a kernel patched for the Dirtyfrag vulnerability.

In practical terms, if an actor can run code inside a vulnerable VPS, for example through a compromised website, shell account, or application, this bug may allow them to take full control of that VPS.

Mitigations

Where a server is using a modular kernel, you should also check with the distributor as soon as possible for updates and additional mitigation steps.

On RimuHosting VPSs, it is possible to substantially mitigate this attack by preventing user accounts from creating their own namespaces. Running the following command will block those until the next reboot.

sysctl -w user.max_user_namespaces=0

This may impact the normal operation of containers and services that depend on namespaces, including in some cases ipsec tunnels.

The exploit modifies the memory used by legitimate system binaries (the public PoC overwrites /usr/bin/su in the page cache as part of gaining root), so applying the mitigation alone is not enough on systems that may have been targeted before it was put in place. A reboot is recommended in that case, followed by reapplying the mitigation (unless a patched kernel, as detailed below, is now running).

Fixed kernels

We have released patched kernels on all our hosts. A reboot will be required to use those. VPSs should be restarted from our control panel.

You can verify which kernel your VM is running using the command 'uname -r'. The output will look something like this:

6.18.0-really33-rh-20260524215627.xenU.x86_64

Patched kernels will show a build date of 20260524 or newer. Those digits represent the build date: 2026 May 24th.

Ongoing work

We are continuing to review solutions for this vulnerability, and will be providing updates and further recommendations here. Please subscribe to this notice for updates.

#

Magento application vulnerability (Polyshell)

Posted: Fri, 22 May 2026 02:39 AM UTC
Thu, 21 May 2026 22:39 PM EDT
Last Update: Fri, 22 May 2026 02:48 AM UTC (92 hours ago)
Thu, 21 May 2026 22:48 PM EDT
Status: Closed

In October 2025 Adobe published a bug report APSB25-94 for Magento.

We have been made aware that this bug has been used to actively exploit Magento-based sites. It does not require any form of authentication. On vulnerable systems an agent can upload and use files with exploit payloads to gain remote code execution. A breakdown of the RCE can be found at https://sansec.io/research/magento-polyshell

Adobe has included a fix in their 2.4.9 beta branch, but as of 22 May 2026 has not released that to any stable branches.

We recommend keeping Magento instances (and any web application) up to date with the latest stable release.

Additional mitigations:

Ensure you have appropriate webserver protections against unintended access and operations for vulnerable parts of Magento, especially the media and uploads folders, for example by disabling script execution on those.

Audit your pub/media/custom_options and subfolders for existing unverified scripts or images embedded with executable PHP tags.

Consider using a plugin that helps protect your Magento instance, for example this community provided option - https://github.com/aregowe/magento2-module-polyshell-protection

Exact solutions may be dependent on your specific setup. If you have questions, please reach out to our support team for assistance at https://rimuhosting.com/contact.jsp
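One way to run the audit of pub/media/custom_options described above, as an added shell example that is not RimuHosting's or Magento's own tooling. The function names and the sample tree are constructed for illustration; every hit needs manual review, since binary image data can occasionally contain a matching byte sequence.

```sh
#!/bin/sh
# Added example. Lists files under an upload directory that either carry a
# PHP-handled extension or contain a PHP open tag anywhere in their bytes.
audit_uploads() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    {
        # Names a web server is commonly configured to hand to PHP.
        find "$dir" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \)
        # Any file, image or not, holding "<?php" or "<?=" (-a: scan binaries as text).
        grep -rlai -e '<?php' -e '<?=' "$dir" 2>/dev/null || true
    } | sort -u
}

# Constructed fixture (not real site data): one clean file, one image with
# an embedded tag, one file with a script extension.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/quote/a/b"
    printf 'plain text option\n' > "$t/quote/a/b/note.txt"
    printf 'GIF89a\001\002<?php /* constructed marker */ ?>' > "$t/quote/a/b/logo.gif"
    printf 'placeholder\n' > "$t/quote/a/upload.PHP"
    echo "$t"
}

# Usage: pass the real directory, e.g. pub/media/custom_options.
# With no argument the constructed sample tree is scanned instead.
if [ -n "${1:-}" ]; then
    audit_uploads "$1"
else
    sample=$(make_sample_tree)
    audit_uploads "$sample"
    rm -rf "$sample"
fi
```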

#

Linux kernel vulnerability (CVE-2026-46333)

Posted: Fri, 15 May 2026 22:43 PM UTC
Fri, 15 May 2026 18:43 PM EDT
Last Update: Mon, 18 May 2026 05:07 AM UTC (8 days ago)
Mon, 18 May 2026 01:07 AM EDT
Status: Closed

Mon, 18 May 2026 01:52 AM UTC: Extended the mitigation option to describe yama.ptrace_scope.

---

A serious Linux kernel vulnerability has been publicly disclosed:

http://www.openwall.com/lists/oss-security/2026/05/15/9

This issue has been allocated CVE-2026-46333. It targets kernel setuid binaries via kernel ptrace system calls. It affects all servers running recent Linux kernels.

In practical terms, if an actor can run code inside a vulnerable VPS, for example through a compromised website, shell account, or application, this bug may allow them to have read access to files owned by the root user.

Mitigations

Where a server is using a modular kernel, you should also check with the distributor as soon as possible for updates and additional mitigation steps.

On RimuHosting VPSs, it is possible to block this attack by preventing user accounts from accessing ptrace functionality. Running the following command will block those until the next reboot. Its normal default value is 1.

sysctl -w kernel.user_ptrace=0

Another mitigation is below. Typical system default value is 0.

sysctl -w kernel.yama.ptrace_scope=3

Unlike user_ptrace, this toggle has a graduated permission, from 0 to 3. A setting of 3 blocks all tracing subsystems, including for root users, and the level cannot be changed again until the server is restarted. Please read the kernel documentation for more information.

These temporary fixes may also limit normal access to setuid programs, including the sudo and su commands.

Fixed kernels

We have released patched kernels on all our hosts. A reboot will be required to use those. VPSs should be restarted from our control panel.

You can verify which kernel your VM is running using the command 'uname -r'. The output will look something like this:

6.18.0-really31-rh-20260515150258.xenU.x86_64

Patched kernels will show a build date of 20260515 or newer. Those digits are the date: 2026 May 15th.
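The build-date check described in this notice and in the Fragnesia notice above, as an added shell example that is not RimuHosting's own tooling. It assumes the kernel release format shown in both notices (a 14-digit build timestamp after "-rh-"); the function names are hypothetical.

```sh
#!/bin/sh
# Added example. Assumes the release format shown in the notices:
#   6.18.0-really33-rh-20260524215627.xenU.x86_64
# i.e. a 14-digit build timestamp (YYYYMMDDhhmmss) after "-rh-".

# Print the 8-digit build date, or nothing if the string has no such stamp.
rh_build_date() {
    printf '%s\n' "$1" |
        sed -n 's/^.*-rh-\([0-9]\{8\}\)[0-9]\{6\}\..*$/\1/p'
}

# kernel_status RELEASE MIN_DATE  ->  patched | outdated | unknown
kernel_status() {
    built=$(rh_build_date "$1")
    if [ -z "$built" ]; then
        echo unknown     # e.g. a distributor's modular kernel: ask the distributor
    elif [ "$built" -ge "$2" ]; then
        echo patched
    else
        echo outdated    # build predates the fixed kernels named in the notice
    fi
}

# Thresholds are the build dates stated in the two kernel notices.
report() {
    echo "kernel release:             $1"
    echo "CVE-2026-46300 (Fragnesia): $(kernel_status "$1" 20260524)"
    echo "CVE-2026-46333:             $(kernel_status "$1" 20260515)"
}

report "$(uname -r)"
```

An "outdated" result only compares build dates; it does not account for the 4.14 kernels that the Fragnesia notice lists as unaffected.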

Ongoing work

We are continuing to review this vulnerability, and will be providing updates and further recommendations here. Please subscribe to this notice for updates.

#

cPanel & WHM Security Issue (2026-05-15, CVE-2026-29205)

Posted: Fri, 15 May 2026 01:26 AM UTC
Thu, 14 May 2026 21:26 PM EDT
Last Update: Sat, 16 May 2026 00:01 AM UTC (10 days ago)
Fri, 15 May 2026 20:01 PM EDT
Status: Closed

A security issue has been identified in the cPanel software affecting all currently supported versions relating to various authentication paths.

Note this is an updated fix of a previously notified vulnerability and applies to all cPanel users who have not run updates within the last 12 hours. This notice also covers all other recently reported vulnerabilities in cPanel/WHM.

Please update as soon as possible. You can run the following commands to retrieve the patched version.

/scripts/upcp --force
/scripts/restartsrv_cpsrvd --hard

More detailed information is available at the notice links below.

Should you need assistance with this, please pop in a support ticket.

References:
https://support.cpanel.net/hc/en-us/articles/40437020299927-Security-CVE-2026-29205-cPanel-WHM-WP2-Security-Update-May-13-2026

Please subscribe to this notice for updates. Should you need assistance, please pop in a support ticket.

#