Hackers Actively Exploit Critical cPanel Vulnerability: Millions of Websites at Risk

A severe security flaw in cPanel and WebHost Manager (WHM) is now under active exploitation by malicious hackers. This cPanel bug exploit allows attackers to bypass login screens and seize full control over web servers. Security researchers warn that tens of millions of websites worldwide could be affected, especially those on shared hosting platforms.

Canada’s national cybersecurity agency has issued an urgent advisory, stating that exploitation is “highly probable.” The vulnerability, tracked as CVE-2026-41940, gives hackers remote, unrestricted access to the administration panel of the software. This means they can manipulate databases, emails, and configurations of any domain hosted on the server.

How the cPanel Vulnerability Works

The cPanel bug exploit specifically targets the authentication mechanism of cPanel and WHM. By sending specially crafted requests, an attacker can bypass the login screen entirely. Once inside, they gain the same high-level privileges as a legitimate administrator.

This is particularly dangerous because cPanel and WHM have deep access to server resources. They manage everything from email accounts to DNS settings and database servers. Consequently, a successful hack can lead to data theft, defacement, or even using the server for further attacks.

cPanel’s maker has urged all customers to apply patches immediately. The bug affects all supported versions of the software, meaning no version is safe without the update.

Web Hosting Companies Respond

Major hosting providers have moved quickly to protect their users. Namecheap, one of the largest domain registrars and hosting companies, temporarily blocked access to customer cPanel panels after learning of the flaw. This gave the company time to patch systems before attackers could exploit the vulnerability.

Similarly, HostGator confirmed it patched its infrastructure and described the bug as a “critical authentication-bypass exploit.” Both companies have advised customers to ensure their own servers are updated if they manage them directly.

KnownHost Reports Early Exploitation Attempts

One hosting provider, KnownHost, found evidence that hackers had been probing the vulnerability for weeks before the public disclosure. CEO Daniel Pearson stated on Reddit that attempts to exploit the bug date back to February 23. The company blocked access to affected systems and applied patches.

Pearson noted that around 30 servers showed signs of unauthorized access attempts out of thousands on the network. However, he emphasized that these were attempts, not full compromises. This indicates that while the cPanel bug exploit is dangerous, swift action can prevent damage.

What You Should Do Now

If you use cPanel or WHM to manage your website, immediate action is critical. First, check with your web hosting provider to confirm they have applied the latest security patches. Many commercial hosts have already done this, but it’s worth verifying.

For those who self-host, update cPanel and WHM to the latest version immediately. The patch addresses CVE-2026-41940 and other related security issues. Additionally, consider enabling two-factor authentication (2FA) for an extra layer of security.

It’s also wise to review server logs for any suspicious activity, especially from February 23 onward. Look for unexpected login attempts or changes to administrative accounts. If you find anything unusual, contact your hosting provider or a security professional.

For more on securing your web server, check out our guide on hardening your cPanel server. You might also find useful information about common web hosting vulnerabilities to stay ahead of threats.

The Bigger Picture: Shared Hosting Risks

This incident highlights a persistent risk in shared hosting environments. When a vulnerability like this cPanel bug exploit is discovered, it can affect thousands of websites on the same server. Hackers can potentially move laterally between accounts, compromising multiple domains at once.

Therefore, website owners should consider isolating their sites with virtual private servers (VPS) or dedicated hosting if security is a top priority. For now, patching remains the most effective defense.

Stay vigilant. The cybersecurity landscape changes rapidly, and proactive measures are your best bet against exploitation.