Commercial AI Models Show Rapid Gains in Vulnerability Research: What It Means for Cybersecurity

The landscape of cybersecurity is shifting at an unprecedented pace. While much attention has focused on elite, non-public frontier AI systems like Anthropic’s Claude Mythos, commercial AI models are quietly making remarkable strides in vulnerability research. According to new findings from Forescout’s Verde Labs, these widely available tools are now capable of identifying and exploiting security flaws that once required deep human expertise.

Just a year ago, the picture looked very different. Verde Labs reported that 55% of AI models failed basic vulnerability research tasks, and a staggering 93% could not generate working exploits. Fast forward to 2026, and the situation has transformed dramatically. Today, all tested models can complete vulnerability research assignments, and half can autonomously produce functional exploits.

The Rise of Autonomous Exploit Generation

This rapid progress is not just incremental—it represents a fundamental shift in what commercial AI can achieve. Forescout evaluated 50 different AI models, spanning commercial, open-source, and even underground variants. The standout performers were Claude Opus 4.6 and Kimi K2.5, both of which can now find and exploit vulnerabilities without requiring complex prompts. This ease of use makes them accessible to inexperienced attackers, lowering the barrier to entry for cybercrime.

“These are widely available AI models exceeding human capability,” said Rik Ferguson, VP of Security Intelligence at Forescout. However, he cautioned that their performance may not yet match the scale, speed, and quality of Anthropic’s Claude Mythos, which remains in a class of its own.

Real-World Discovery: New Zero-Day Vulnerabilities

During testing, Forescout’s team used single prompts combined with the RAPTOR agentic framework—an open-source AI system designed for cybersecurity research—alongside the firm’s own extensions. This approach led to the discovery of four new zero-day vulnerabilities in OpenNDS, a widely deployed network management system. Notably, one of these flaws existed in code that Verde Labs had already manually analyzed and missed entirely.

This finding underscores a critical point: AI can spot weaknesses that even experienced human researchers overlook. As a result, organizations must rethink their assumptions about software security.

Cost Dynamics: Commercial vs. Open-Source AI

Commercial AI models delivered the best results in Forescout’s testing, but they come with a hefty price tag. Claude Opus 4.6, for instance, costs up to $25 per million output tokens. On the other hand, open-source alternatives like DeepSeek 3.2 handle basic tasks at a fraction of the cost—with all test tasks costing less than $0.70. Meanwhile, access to Claude Mythos will be priced at $25 per million input tokens and $125 per million output tokens for participants.

Therefore, a practical strategy is emerging: using different models based on task complexity and budget. Both defenders and attackers can now mix and match AI tools to optimize cost and capability.

Implications for Cybersecurity Defenders

Building on these findings, Forescout warned that if its research can uncover new vulnerabilities with open models—and if larger initiatives like Project Glasswing can surface thousands of zero-days in critical software—then organizations should assume their environments already contain unknown vulnerabilities. AI will inevitably find them, whether used by ethical researchers or malicious actors.

This means that proactive vulnerability research is no longer optional. Companies must invest in AI-driven security tools and continuous monitoring to stay ahead. For more on securing your infrastructure, check out our guide on AI security best practices.

What This Means for the Future

The democratization of vulnerability research through commercial AI models presents both an opportunity and a threat. On one hand, it empowers defenders to find and fix flaws faster than ever before. On the other hand, it equips attackers with powerful capabilities that require minimal expertise.

As Ferguson noted, the genie is out of the bottle. The key question is not whether AI will find vulnerabilities, but who will find them first. To learn about the latest trends, read our analysis on emerging cyber threats in 2026.

In conclusion, the rapid gains in commercial AI for vulnerability research signal a new era in cybersecurity. Organizations must adapt quickly, leveraging AI for defense while preparing for a world where software flaws are discovered at machine speed.

Hackers Actively Exploit Critical cPanel Vulnerability: Millions of Websites at Risk

A severe security flaw in cPanel and WebHost Manager (WHM) is now under active exploitation by malicious hackers. This cPanel bug exploit allows attackers to bypass login screens and seize full control over web servers. Security researchers warn that tens of millions of websites worldwide could be affected, especially those on shared hosting platforms.

Canada’s national cybersecurity agency has issued an urgent advisory, stating that exploitation is “highly probable.” The vulnerability, tracked as CVE-2026-41940, gives hackers remote, unrestricted access to the administration panel of the software. This means they can manipulate databases, emails, and configurations of any domain hosted on the server.

How the cPanel Vulnerability Works

The cPanel bug exploit specifically targets the authentication mechanism of cPanel and WHM. By sending specially crafted requests, an attacker can bypass the login screen entirely. Once inside, they gain the same high-level privileges as a legitimate administrator.

This is particularly dangerous because cPanel and WHM have deep access to server resources. They manage everything from email accounts to DNS settings and database servers. Consequently, a successful hack can lead to data theft, defacement, or even using the server for further attacks.

cPanel’s maker has urged all customers to apply patches immediately. The bug affects all supported versions of the software, meaning no version is safe without the update.

Web Hosting Companies Respond

Major hosting providers have moved quickly to protect their users. Namecheap, one of the largest domain registrars and hosting companies, temporarily blocked access to customer cPanel panels after learning of the flaw. This gave the company time to patch systems before attackers could exploit the vulnerability.

Similarly, HostGator confirmed it patched its infrastructure and described the bug as a “critical authentication-bypass exploit.” Both companies have advised customers to ensure their own servers are updated if they manage them directly.

KnownHost Reports Early Exploitation Attempts

One hosting provider, KnownHost, found evidence that hackers had been probing the vulnerability for weeks before the public disclosure. CEO Daniel Pearson stated on Reddit that attempts to exploit the bug date back to February 23. The company blocked access to affected systems and applied patches.

Pearson noted that around 30 servers showed signs of unauthorized access attempts out of thousands on the network. However, he emphasized that these were attempts, not full compromises. This indicates that while the cPanel bug exploit is dangerous, swift action can prevent damage.

What You Should Do Now

If you use cPanel or WHM to manage your website, immediate action is critical. First, check with your web hosting provider to confirm they have applied the latest security patches. Many commercial hosts have already done this, but it’s worth verifying.

For those who self-host, update cPanel and WHM to the latest version immediately. The patch addresses CVE-2026-41940 and other related security issues. Additionally, consider enabling two-factor authentication (2FA) for an extra layer of security.

It’s also wise to review server logs for any suspicious activity, especially from February 23 onward. Look for unexpected login attempts or changes to administrative accounts. If you find anything unusual, contact your hosting provider or a security professional.
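One way to turn the log review above into a repeatable check, as an added example that is not part of the original article: the script below parses constructed access-log lines in an Apache combined-style layout (an assumption; the real cPanel/WHM access_log layout may differ, so adjust the regex), keeps only entries on or after February 23, and flags successful logins and authenticated requests from addresses outside a constructed allowlist, plus any address with repeated failed logins.

```python
import re
from datetime import datetime, timezone

# Constructed sample entries in an Apache "combined"-style layout with the
# authenticated cPanel user in the third field. This layout is an assumption;
# adjust LINE_RE to match the real access_log on your host.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Feb/2026:09:14:01 +0000] "GET /login/?login_only=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [23/Feb/2026:03:02:17 +0000] "POST /login/?login_only=1 HTTP/1.1" 200 1024 "-" "python-requests/2.31"
198.51.100.23 - admin [23/Feb/2026:03:02:18 +0000] "GET /cpsess1234567890/json-api/listaccts HTTP/1.1" 200 8192 "-" "python-requests/2.31"
192.0.2.10 - admin [24/Feb/2026:10:30:00 +0000] "GET /cpsess0987654321/scripts/command?PFILE=main HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Feb/2026:11:00:00 +0000] "POST /login/?login_only=1 HTTP/1.1" 401 256 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed allowlist: addresses your administrators normally log in from.
KNOWN_ADMIN_IPS = {"192.0.2.10"}
# The article's date of first observed probing, used as the review cutoff.
REVIEW_SINCE = datetime(2026, 2, 23, tzinfo=timezone.utc)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match LINE_RE."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def review_log(text, since=REVIEW_SINCE, known_ips=KNOWN_ADMIN_IPS, fail_threshold=5):
    """Flag successful logins and authenticated activity from addresses outside
    `known_ips` on or after `since`, and addresses with repeated failed logins."""
    findings = []
    failed = {}
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["ts"] < since:
            continue  # unparseable or before the review window
        is_login = rec["path"].startswith("/login")
        unknown = rec["ip"] not in known_ips
        if is_login and rec["method"] == "POST" and rec["status"] == 200 and unknown:
            findings.append({"reason": "successful login from unknown address",
                             "ip": rec["ip"], "ts": rec["ts"].isoformat()})
        elif rec["user"] != "-" and unknown:
            # Any request carrying an authenticated user from an unexpected
            # address is worth a look, whether or not a login line was seen.
            findings.append({"reason": "authenticated request from unknown address",
                             "ip": rec["ip"], "ts": rec["ts"].isoformat()})
        if is_login and rec["status"] in (401, 403):
            failed[rec["ip"]] = failed.get(rec["ip"], 0) + 1
    for ip, n in failed.items():
        if n >= fail_threshold:
            findings.append({"reason": f"{n} failed login attempts", "ip": ip, "ts": None})
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f)
```

Run it against a real log with `review_log(open(path).read())` after fitting LINE_RE to the actual layout; findings are a starting point for investigation, not proof of compromise, which matches the article's distinction between attempts and full compromises.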

For more on securing your web server, check out our guide on hardening your cPanel server. You might also find useful information about common web hosting vulnerabilities to stay ahead of threats.

The Bigger Picture: Shared Hosting Risks

This incident highlights a persistent risk in shared hosting environments. When a vulnerability like this cPanel bug exploit is discovered, it can affect thousands of websites on the same server. Hackers can potentially move laterally between accounts, compromising multiple domains at once.

Therefore, website owners should consider isolating their sites with virtual private servers (VPS) or dedicated hosting if security is a top priority. For now, patching remains the most effective defense.

Stay vigilant. The cybersecurity landscape changes rapidly, and proactive measures are your best bet against exploitation.

Ubuntu Services Hit by Outages After DDoS Attack: What You Need to Know

A sustained Ubuntu DDoS attack has taken down critical public-facing infrastructure for the popular Linux distribution and its parent company, Canonical. The assault began on Thursday, leaving users unable to access key services, including security updates and package installations.

Canonical confirmed the incident on its website, stating: “Canonical’s web infrastructure is under a sustained, cross-border attack and we are working to address it. We will provide more information in our official channels as soon as we are able to.” The company’s spokesperson, Lelanie de Roubaix, reiterated this statement when contacted by TechCrunch.

What Is the Impact of the Ubuntu DDoS Attack?

The distributed denial-of-service (DDoS) attack floods Canonical’s servers with junk traffic, overwhelming them and causing outages. This crude but effective tactic has disrupted multiple services that Ubuntu users rely on daily.

According to discussions on an unofficial Ubuntu community forum, the attack affects Ubuntu’s security API and several websites belonging to both Ubuntu and Canonical. A threat intelligence forum post noted that the Ubuntu DDoS attack has made it impossible for users to update or install the operating system. TechCrunch verified this on a test device running Ubuntu, where updates failed to install. As of this writing, the outage has lasted approximately 20 hours and continues.

Who Is Behind the DDoS Attack on Ubuntu?

A hacktivist group calling itself The Islamic Cyber Resistance in Iraq 313 Team claimed responsibility via its Telegram channel. The group stated it used a DDoS-for-hire service called Beamed, which reportedly can launch attacks exceeding 3.5 Tbps—roughly half the bandwidth of what Cloudflare described as the largest DDoS attack ever recorded in 2024.

These booter or stresser services allow anyone to pay for DDoS attacks without technical expertise. Law enforcement agencies like the FBI and Europol have long struggled to shut them down, often playing a game of whack-a-mole against these platforms.

How Does This Affect Ubuntu Users?

For everyday Ubuntu users, the Ubuntu DDoS attack means disrupted access to essential services. Security updates are blocked, leaving systems potentially vulnerable. Package installations via standard repositories also fail, which can halt productivity for developers and IT administrators.

This incident highlights the fragility of open-source infrastructure under cyberattack. Canonical has not yet provided a timeline for full recovery, but the company is actively working on mitigation. Users should monitor Canonical’s official channels for updates and consider alternative methods for critical updates, such as manual downloads from mirrors if available.

For more on securing your systems, check out our guide on cybersecurity tips for Linux users and learn about how to protect against DDoS attacks.

What Can Users Do During the Outage?

While Canonical resolves the issue, users can take several steps. First, avoid relying on Ubuntu’s default update servers until services are restored. Second, consider using community-maintained mirrors or local repositories for non-critical software. Third, stay informed through official Canonical communication channels.

This event serves as a reminder that even major distributions like Ubuntu are not immune to cyber threats. The Ubuntu DDoS attack underscores the importance of robust backup and recovery plans for all IT environments.

For further reading, explore our article on open-source security challenges to understand broader risks in the ecosystem.

Systemic Flaw in MCP Protocol Could Expose 150 Million Downloads: What You Need to Know

A critical, systemic vulnerability in the Model Context Protocol (MCP) has been uncovered by security researchers, potentially affecting millions of downloads and thousands of AI servers. This MCP protocol flaw could allow attackers to execute arbitrary commands on vulnerable systems, compromising sensitive data and disrupting the AI supply chain.

Understanding the MCP Protocol Flaw

The Model Context Protocol, developed by Anthropic, is a popular open-source standard that enables AI models to connect with external data and systems. However, researchers at Ox Security discovered a fundamental design issue that goes beyond a typical coding error.

According to their report published on April 15, the flaw is embedded in the protocol’s architecture, affecting every official MCP SDK across multiple programming languages, including Python, TypeScript, Java, and Rust. This means that any developer building on Anthropic’s MCP foundation unknowingly inherits this exposure.

Scope of the Exposure

The potential impact is staggering. Ox Security estimates that over 200 open-source projects, 150 million downloads, 7,000 publicly accessible servers, and up to 200,000 vulnerable instances could be at risk. This Model Context Protocol vulnerability could lead to complete system takeover, giving attackers access to user data, internal databases, API keys, and chat histories.

How the Exploit Works

The exploit mechanism is surprisingly straightforward. The MCP’s STDIO interface was designed to launch a local server process, but the command executes regardless of whether the process starts successfully. As Ox Security explained, “Pass in a malicious command, receive an error – and the command still runs. No sanitization warnings. No red flags in the developer toolchain. Nothing.”

This means attackers can inject malicious commands without triggering any alerts, making the arbitrary command execution almost undetectable during normal development workflows.

Responsibility and Response

Ox Security has repeatedly attempted to persuade Anthropic to patch the vulnerability. However, the AI giant maintains that this is “expected behavior” and declined to modify the protocol. Anthropic stated that the STDIO execution model represents a secure default and that sanitization is the developer’s responsibility.

This stance has drawn criticism from security experts. Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University, called the research “a shocking gap in the security of foundational AI infrastructure.” He added, “We are trusting these systems with increasingly sensitive data and real-world actions. If the very protocol meant to connect AI agents is this fragile and its creators will not fix it, then every company and developer building on top of it needs to treat this as an immediate wake-up call.”

In response, Ox Security has issued over 30 responsible disclosures and discovered more than 10 high- or critical-severity CVEs to help patch individual open-source projects.

Protecting Your AI Supply Chain

For organizations using MCP-based systems, immediate action is necessary. Start by reviewing your AI security best practices to identify potential vulnerabilities. Consider implementing additional sanitization layers and monitoring tools to detect unusual command executions. Additionally, stay informed about open-source vulnerability management to track patches and updates.

Building on this, developers should treat every MCP integration as a potential risk. Conduct thorough security audits and consider alternative protocols or custom implementations where possible. The supply chain security checklist can help you assess your current posture.
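The STDIO launch behaviour described under "How the Exploit Works" and the "additional sanitization layers" recommended above can be illustrated together with a hardened launcher. The code below is an added example, not code from Anthropic, Ox Security or any MCP SDK. It assumes a server config in the `mcpServers` layout used by several MCP clients (an assumption; your client may differ) and shows the defensive pattern: validate the command against an allowlist of real executables before any process is spawned, never hand a string to a shell, and fail closed if the child does not start.

```python
import json
import os
import shutil
import subprocess
import sys

# Constructed allowlist of executables this launcher may start. realpath() is
# used on both sides so symlinked interpreters compare equal. The second entry
# is a placeholder path for illustration only.
ALLOWED_EXECUTABLES = {
    os.path.realpath(sys.executable),
    "/opt/mcp/bin/example-server",  # placeholder, does not exist on this host
}

# Constructed server entries. ECHO_ENTRY is a benign stand-in for a real MCP
# server; the others show a shell pipeline smuggled into the command field
# and an executable that is simply not installed.
ECHO_ENTRY = {"command": sys.executable, "args": ["-c", "print('ready')"]}
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "echo-server": ECHO_ENTRY,
        "bad-server": {"command": "echo ready; echo injected", "args": []},
        "missing-server": {"command": "/nonexistent/bin/mcp-server", "args": []},
    }
})


class UnsafeServerCommand(ValueError):
    """Raised when a configured command fails validation; nothing is spawned."""


def resolve_command(command, allowlist=ALLOWED_EXECUTABLES):
    """Return the real path of an allowlisted executable, or raise."""
    # A command field must be exactly one executable token. Whitespace or shell
    # metacharacters mean the value expects a shell to parse it, which the
    # launcher never provides.
    if not command or command != command.strip() or any(ch in command for ch in " \t\n;|&$`<>"):
        raise UnsafeServerCommand(f"command is not a single executable: {command!r}")
    path = shutil.which(command)  # accepts bare names (PATH lookup) and absolute paths
    if path is None:
        raise UnsafeServerCommand(f"executable not found: {command!r}")
    real = os.path.realpath(path)
    if real not in allowlist:
        raise UnsafeServerCommand(f"executable not allowlisted: {real}")
    return real


def vet_config(config_text, allowlist=ALLOWED_EXECUTABLES):
    """Validate every server entry without launching anything.
    Returns {name: ("ok", real_path) | ("rejected", reason)}."""
    report = {}
    for name, entry in json.loads(config_text)["mcpServers"].items():
        try:
            report[name] = ("ok", resolve_command(entry["command"], allowlist))
        except UnsafeServerCommand as exc:
            report[name] = ("rejected", str(exc))
    return report


def launch_server(entry, allowlist=ALLOWED_EXECUTABLES, timeout=10):
    """Validate, then spawn via an argv list with shell=False and fail closed.
    Simplified: a real MCP server is long-lived and would use Popen with pipes;
    here the child prints a banner and exits so the result can be returned."""
    exe = resolve_command(entry["command"], allowlist)
    args = entry.get("args", [])
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        raise UnsafeServerCommand("args must be a list of strings")
    proc = subprocess.run([exe, *args], capture_output=True, text=True, timeout=timeout)
    if proc.returncode != 0:
        # Do not fall back to another interpreter or a shell: surface the failure.
        raise RuntimeError(f"server exited with {proc.returncode}: {proc.stderr.strip()}")
    return proc.stdout.strip()


if __name__ == "__main__":
    for name, verdict in vet_config(SAMPLE_CONFIG).items():
        print(name, verdict)
    print(launch_server(ECHO_ENTRY))
```

The allowlist, not the metacharacter check, is the control that matters: with `shell=False` the operating system receives an argv array, so a command string can only ever name an executable, and an executable outside the allowlist is rejected before `subprocess` is called at all. Logging every `rejected` verdict gives the monitoring signal the article says the stock toolchain does not produce.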

What This Means for the Future

This MCP protocol flaw highlights a broader issue in the AI industry: the tension between rapid innovation and security. As AI systems become more integrated into critical infrastructure, the need for secure protocols becomes paramount. The debate over responsibility—whether it falls on protocol creators or developers—will likely continue, but the immediate priority is protecting existing systems from exploitation.

In conclusion, while Anthropic’s position may be technically defensible, the practical implications are significant. Organizations must take proactive steps to mitigate risks, including updating dependencies, monitoring for suspicious activity, and engaging with the security community to stay ahead of emerging threats.
