Massive cPanel Bug Exploited by Hackers to Hijack Thousands of Sites

Summary
– Over 550,000 servers remain potentially vulnerable to a critical cPanel flaw, with around 2,000 instances likely compromised as of Monday.
– Hackers are mass-compromising servers by exploiting a bug that lets them take full control of vulnerable servers and hijack them through their web-based control panels.
– Google has indexed dozens of websites that displayed ransom notes, indicating some victims were hit with apparent ransomware attacks.
– CISA added the vulnerability (CVE-2026-41940) to its Known Exploited Vulnerabilities catalog and urged government agencies to patch by Sunday.
– Attacks likely began as early as February 23, before the vulnerability was publicly disclosed, according to KnownHost’s CEO.
More than half a million websites are at risk after hackers began actively exploiting a critical vulnerability in cPanel and WebHost Manager (WHM). The mass compromise campaign, which gained momentum over the past week, has already affected thousands of servers.
According to data from Shadowserver, a nonprofit that tracks internet threats, roughly 550,000 servers running cPanel remain potentially vulnerable. While that number has held steady for days, the count of confirmed compromised instances has dropped sharply from about 44,000 on Thursday to around 2,000 as of Monday. This suggests that some victims may have patched or taken affected systems offline.
The attack exploits a bug tracked as CVE-2026-41940, which gives attackers full control over vulnerable servers through their web-based control panels. Security researchers first flagged active exploitation on Thursday. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) quickly added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies apply patches by Sunday. CISA has not confirmed whether those agencies have complied.
Evidence of the damage is visible across the web. As Bleeping Computer reported, Google has indexed dozens of websites that briefly displayed a ransom note from hackers claiming to have encrypted files. Some of those sites now appear to function normally. The ransom note included a chat ID for victims, but the hackers did not respond to TechCrunch’s request for comment.
The attacks may have started long before the vulnerability was disclosed. Daniel Pearson, CEO of hosting provider KnownHost, told TechCrunch that his company detected exploitation attempts as early as February 23.
A spokesperson for cPanel acknowledged receipt of TechCrunch’s inquiry but did not provide a statement. The company had issued a warning about the flaw about a week ago, urging users to update their software immediately.
Organizations running cPanel or WHM should prioritize patching without delay. With thousands of servers already compromised and hundreds of thousands still exposed, the window for remediation is closing fast.
(Source: TechCrunch)



