Hackers Are Mass-Exploiting the cPanel Bug to Gain Control of Thousands of Websites
A critical flaw in cPanel and WebHost Manager (WHM) is being actively exploited by hackers, who have already compromised thousands of servers. Exploitation has escalated rapidly, with attackers gaining full control over vulnerable systems and deploying ransomware. The scale of the attack underscores the urgency for administrators to patch immediately.
How the cPanel Bug Exploitation Works
The vulnerability, tracked as CVE-2026-41940, allows attackers to bypass authentication and hijack servers via the control panel. According to Shadowserver, a nonprofit that monitors cyber threats, around 550,000 servers remain potentially vulnerable as of Monday. Although the number of compromised instances has dropped from 44,000 to roughly 2,000, this decline may reflect victims taking systems offline or patching.
Security researchers first flagged active attacks on Thursday, noting that hackers were exploiting the bug to take full control of servers. Bleeping Computer reported that Google indexed dozens of websites displaying ransom notes from a group claiming to have encrypted files. Some of those sites have since been restored, but the damage highlights the scale of the exploitation.
Ransomware and Response to the cPanel Vulnerability
The ransom notes included a chat ID for victims to contact the attackers. TechCrunch reached out to the hackers but received no immediate response. Meanwhile, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-41940 to its Known Exploited Vulnerabilities (KEV) catalog on Thursday, urging federal agencies to patch by Sunday. CISA has not confirmed whether all agencies complied.
Attacks may have begun long before the disclosure. KnownHost CEO Daniel Pearson revealed that his company detected exploitation attempts as early as February 23. This timeline suggests that threat actors were probing for weaknesses weeks before the official advisory. A cPanel spokesperson acknowledged receipt of inquiries but did not provide further comment.
What Administrators Should Do About the cPanel Bug
To mitigate exploitation of this bug, administrators must apply the latest patch immediately. The vulnerability affects all versions prior to the security update. Additionally, consider implementing multi-factor authentication and restricting access to the control panel via IP whitelisting. Monitor server logs for unusual activity, such as unauthorized login attempts or file encryption processes.
For those using cPanel, it is crucial to verify that your hosting provider has applied the fix. If you manage your own server, update through the WHM interface or command line. Ignoring this patch could lead to data loss, ransomware demands, or complete server takeover.
Broader Implications of the cPanel Vulnerability
This incident highlights the ongoing risk of unpatched software in the hosting ecosystem. The campaign is part of a larger trend in which attackers target widely used management tools. As Shadowserver data shows, the number of vulnerable servers remains high, leaving many sites exposed. Businesses should conduct regular vulnerability assessments and maintain an incident response plan.
Furthermore, the involvement of ransomware groups adds financial pressure on victims. Paying ransoms is not recommended, as it funds criminal activity and does not guarantee data recovery. Instead, focus on backups and disaster recovery strategies.
In conclusion, exploitation of the cPanel bug is a critical threat that demands immediate action. By patching promptly and adopting robust security measures, administrators can protect their websites from compromise. Stay informed about emerging vulnerabilities through reliable sources like CISA and Shadowserver.