Transparency Regarding a Recent Support Ticket Incident – Virtualizor


Security Update: Transparency Regarding a Recent Support Ticket Incident

This notice provides the final technical details regarding the unauthorized access to our support ticket system and, crucially, the factors contributing to the subsequent compromise of certain customer servers.

== The Source of the Exposure ==

A targeted session hijacking attack allowed an unauthorized party to access our support system. This was a sophisticated, targeted attack, as we have 2FA for our ticket system, MFA enforced on our email accounts and SMS-based 2FA for our VPN / Tunnels. The attackers targeted plain-text root credentials that had been sent via email in tickets, rather than through our secure, encrypted submission forms. Approximately 1,500 old Virtualizor support tickets were opened on 1st January 2026, some of them more than a year old. Not every ticket had passwords in it, but we are informing the owners of all these tickets. There is also no known vulnerability in the Virtualizor software itself or its billing modules.

== Why Certain Servers Were Impacted ==

Our forensic analysis of the impacted servers has identified two critical security lapses that allowed the stolen credentials to be used successfully:

Failure to Rotate Credentials: The servers compromised in this event were found to be using passwords that were, in some cases, over a year old and had not been changed, i.e. these passwords were not rotated once the ticket was resolved, even though considerable time had passed.

Lack of Network Perimeter Security: Impacted nodes did not have a restricted firewall (IP Whitelisting) in place for the Virtualizor Admin Panel and SSH. This allowed the attackers to attempt logins from unauthorized external IP addresses.

== Immediate Mandatory Hardening ==

To prevent any further unauthorized access, we request that the administrators of these tickets do the following:

Rotate Passwords Immediately: If your root password has not been rotated and we have emailed you about your ticket being accessed by an unauthorized agent, please change your root password.

Restrict Access: Implement firewall rules to allow access to the Virtualizor Admin Panel and SSH only from your known, trusted IP addresses.

Move to our new Support Access system: It uses SSH keys instead of passwords, and the user it creates is temporary and is deleted automatically after 7 days by default. This user account can also be accessed only via specific tunnel IPs.
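
A log audit to run alongside the steps above, as an added example that is not Virtualizor's own code: it scans OpenSSH auth-log lines for accepted logins that come from outside a trusted-IP allowlist or that use a root password. The allowlist networks, host name, user names and log lines are constructed sample values; replace them with your own.

```python
import ipaddress
import re

# Constructed allowlist (documentation ranges); replace with your trusted sources.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/28", "2001:db8:10::/48")]

# OpenSSH success line: "Accepted <method> for <user> from <ip> port <n> ssh2"
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Constructed sample log lines, not taken from any real server.
SAMPLE_LOG = """\
Jan  1 03:12:44 node1 sshd[2211]: Failed password for root from 198.51.100.23 port 50122 ssh2
Jan  1 03:12:51 node1 sshd[2211]: Accepted password for root from 198.51.100.23 port 50122 ssh2
Jan  1 09:30:02 node1 sshd[2304]: Accepted publickey for support from 203.0.113.5 port 41822 ssh2
Jan  2 11:05:17 node1 sshd[2410]: Accepted password for root from 203.0.113.7 port 40110 ssh2
""".splitlines()

def is_trusted(ip_text):
    """True if the address falls inside one of the allowlisted networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable source is treated as untrusted
    return any(ip in net for net in TRUSTED_NETS)

def audit(lines):
    """Return (user, ip, method, reasons) for logins that break a hardening rule."""
    findings = []
    for line in lines:
        m = ACCEPTED.search(line)
        if not m:
            continue  # failed attempts and unrelated lines are skipped
        reasons = []
        if not is_trusted(m["ip"]):
            reasons.append("source outside allowlist")
        if m["user"] == "root" and m["method"] == "password":
            reasons.append("root password login")
        if reasons:
            findings.append((m["user"], m["ip"], m["method"], reasons))
    return findings

if __name__ == "__main__":
    for user, ip, method, reasons in audit(SAMPLE_LOG):
        print(f"{user}@{ip} via {method}: {', '.join(reasons)}")
```

A successful root password login from an address outside the allowlist, dated after the ticket was opened, is the pattern to investigate first.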

== Our Closing Actions ==

We have now redacted all ticket data containing sensitive credentials to ensure no further "historical" risk remains. We will also no longer take root details. Furthermore, our move to UEM-managed hardware and 3FA / MFA at multiple levels of access ensures our internal environment is resilient against the session-hijacking methods used in this attack.

If you need any assistance, we are here to help.

Sincerely,
Virtualizor Team