Hackers still exploiting cPanel bug affecting thousands of sites
Original: Hackers are still exploiting the cPanel bug to gain control of thousands of websites
Why This Matters
Critical web infrastructure vulnerability affects hundreds of thousands of servers globally
Nearly a week after cPanel disclosed a critical vulnerability, hackers continue exploiting CVE-2026-41940 to compromise web servers. Around 2,000 cPanel instances remain compromised down from 44,000 on Thursday, with 550,000 servers potentially vulnerable according to Shadowserver monitoring data.
Security researchers report ongoing attacks against servers running cPanel and WebHost Manager (WHM) software, exploiting a critical vulnerability that allows full server control via control panels. The U.S. CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog Thursday, requiring government agencies to patch by Sunday. Google has indexed dozens of websites displaying ransomware messages from attackers claiming to have encrypted victim files. KnownHost CEO Daniel Pearson reported detecting attacks as early as February 23, suggesting exploitation began well before public disclosure. Shadowserver data shows compromised instances dropped from 44,000 Thursday to around 2,000 Monday, though over 550,000 servers remain potentially vulnerable.