Skip to content
Tech News
← Back to articles

Hackers are still exploiting the cPanel bug to gain control of thousands of websites

2026-05-04 | original
read original get cPanel Security Patch → more articles
Why This Matters

The ongoing exploitation of the cPanel vulnerability highlights the persistent cybersecurity risks faced by website administrators and the importance of timely patching. For consumers and the tech industry, it underscores the need for vigilant security practices to prevent widespread server compromises and data breaches.

Key Takeaways

Nearly a week after the makers of the popular web server management software cPanel and WebHost Manager (WHM) alerted users of a critical flaw in its software, hackers are still targeting thousands of websites that use the vulnerable software.

As of Monday there are more than 550,000 potentially vulnerable servers running cPanel, a number that has remained stable for days. And there are now around 2,000 cPanel instances likely compromised, down from around 44,000 on Thursday. These statistics are published by Shadowserver, a nonprofit organization that scans and monitors the internet for cyberattacks.

On Thursday, security researchers alerted that hackers started compromising servers running cPanel and WHM, taking advantage of a bug that allowed the attackers to take full control of and hijack the vulnerable servers via their control panels.

As Bleeping Computer reported, the extent of the damage is visible by the fact that Google has indexed dozens of websites that at some point displayed a message from a group of hackers that claimed to have encrypted the victim’s files in an apparent ransomware attack. Some of those sites now load normally.

The ransom note included a chat ID for the victims to contact the hackers, who did not immediately respond to TechCrunch’s request for comment.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned on Thursday that the vulnerability — tracked as CVE-2026-41940 — was being exploited in the wild, and added it to its Known Exploited Vulnerabilities (KEV) catalog. CISA asked government agencies to patch by Sunday. CISA did not immediately respond to a request for comment, asking whether it could confirm that government agencies have patched their servers.

The attacks against web servers running cPanel and WHM have likely been ongoing since much earlier than the vulnerability was disclosed. According to KnownHost CEO Daniel Pearson, his company detected attacks as far back as February 23.

Techcrunch event Meet your next investor or portfolio startup at Disrupt

Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $410. Meet your next investor or portfolio startup at Disrupt

Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $410. San Francisco, CA | REGISTER NOW

... continue reading

Explore topics: cpanel webhost manager shadowserver cve-2026-41940 ransomware
Related:
Exploit Cyber-Frenzy Threatens Millions via Critical cPanel Vulnerability
Hackers are mass-exploiting the cPanel bug to gain control of thousands of websites
Ransomware Is Getting Uglier As Cybercriminals Fake Leaks and Skip Encryption Entirely
Critrical cPanel flaw mass-exploited in "Sorry" ransomware attacks
Hackers Are Actively Exploiting a Bug In cPanel, Used By Millions of Websites

© 2026 GoKawiil

About | Editorial Policy | Contact