Hackers Exploit cPanel Vulnerability: Thousands of Websites at Risk

TL;DR

  • Hackers are actively exploiting CVE-2026-41940, a critical authentication bypass in cPanel and WHM, allowing unauthenticated access to server admin panels and potentially compromising millions of websites.
  • The flaw, added to CISA's Known Exploited Vulnerabilities catalog, has been abused since at least February 2026, with patches released on April 28 but exploitation ongoing.
  • Hosting providers like Namecheap and HostGator have blocked access and applied fixes; website owners should urgently update and monitor for signs of compromise.

The Vulnerability Under the Hood

A critical security flaw in cPanel and WebHost Manager (WHM), tracked as CVE-2026-41940, is making headlines for its devastating potential. This authentication bypass vulnerability, scored a near-perfect 9.8 on the CVSS scale, lets attackers skip login screens entirely and seize full administrative control over affected servers. Security researchers at watchTowr Labs revealed that the exploit hinges on a clever CRLF (Carriage Return Line Feed) injection into the cPanel Logbook, forging a valid session without credentials. Once inside, attackers gain root-level privileges, opening the door to data theft, malware deployment, or total server wipeouts.

All supported cPanel/WHM versions after 11.40 are vulnerable, including DNSOnly and WP Squared—a WordPress management tool. With cPanel powering tens of millions of websites worldwide, from small blogs to banks and healthcare sites, the blast radius is enormous. Shodan scans have pinpointed around 1.5 to 2 million internet-exposed instances, many still unpatched.

Real-World Exploitation: Attacks Already in Motion

This isn't a theoretical threat—hackers have been probing and exploiting it for months. Hosting provider KnownHost reported failed login attempts dating back to February 23, 2026, across about 30 of their servers. By late April, when patches dropped on April 28, exploitation was rampant enough for the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to their Known Exploited Vulnerabilities catalog, signaling confirmed real-world attacks.

Early victim reports paint a grim picture. A small business owner on Reddit described a ransomware hit demanding $7,000 after attackers breached their standard cPanel setup. Canada's national cybersecurity agency warned of "highly probable" exploitation on shared hosting servers, urging immediate action. While exact victim counts remain unclear, the speed of attacks underscores the urgency: threat actors aren't waiting for patches.

Hosting Giants Scramble to Contain the Damage

Major providers moved fast to stem the bleeding. Namecheap temporarily locked customers out of cPanel interfaces to buy time for patching, while HostGator labeled it a "critical authentication-bypass exploit" and rolled out fixes. KnownHost and others like HostPapa and InMotion followed suit, firewalling their own systems to prevent mass takeovers. cPanel itself pushed urgent updates:

  • cPanel & WHM 110.0.x: Patched in 11.110.0.97
  • cPanel & WHM 118.0.x: Patched in 11.118.0.63

These measures highlight the panic: within hours of public disclosure, "nearly every major hosting provider on the planet" pulled the emergency brake, as watchTowr's CEO Benjamin Harris put it.

Implications for Web Security

The fallout from CVE-2026-41940 is a stark reminder of the fragility in web infrastructure. cPanel's ubiquity—used by over a million sites, including critical sectors—means a single flaw can cascade into thousands of breaches. Attackers could siphon sensitive data, inject malware, or ransom entire hosting environments. Shared servers amplify the risk, where one compromised site endangers all neighbors.

This incident exposes broader issues: delayed zero-day detection, patch fatigue among admins, and the dangers of internet-exposed management panels. As Rapid7 and Eye Security note, millions of instances linger online, tempting opportunistic hackers.

How Website Owners Can Protect Themselves

Don't wait for your host—take action now:

  • Update Immediately: Ensure cPanel/WHM is on the latest patched versions (11.110.0.97+ or 11.118.0.63+). Enable auto-updates if available.
  • Restrict Access: Firewall cPanel/WHM ports (2082/2083, 2086/2087) to trusted IPs only. Avoid public exposure.
  • Monitor Logs: Scan for suspicious Logbook entries or unauthorized sessions. Tools like fail2ban can block brute-force attempts.
  • Backup and Scan: Maintain offsite backups and run full malware scans. Check for ransomware notes or unexpected files.
  • Layer Defenses: Use web application firewalls (WAFs), two-factor authentication (2FA) where possible, and consider migrating to managed hosting with proactive security.
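
The first two items can be scripted. The following is an added example, not code from this article or from cPanel: it classifies a version string against the two patched builds listed above and prints (without applying) iptables rules that limit the four panel ports to trusted sources. The function names are hypothetical, the sample versions are constructed, and the CIDRs are documentation ranges.

```shell
#!/bin/sh
# Added example (not cPanel's tooling). Sample inputs are constructed.
PANEL_PORTS="2082,2083,2086,2087"   # cPanel/WHM ports named in the article

# Print patched | vulnerable | unknown | invalid for a version string of the
# form 11.<branch>.<minor>.<build>, using the fixed builds the article lists.
cpanel_patch_status() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) echo invalid; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                       # split on dots: $1=11 $2=branch $3=minor $4=build
    IFS=$old_ifs
    if [ $# -ne 4 ] || [ "$1" -ne 11 ]; then echo invalid; return 0; fi
    case "$2.$3" in
        110.0) fixed=97 ;;
        118.0) fixed=63 ;;
        *) echo unknown; return 0 ;; # branch not listed here: check the vendor advisory
    esac
    if [ "$4" -ge "$fixed" ]; then echo patched; else echo vulnerable; fi
}

# Print (do not apply) iptables rules that allow the panel ports only from the
# given trusted CIDRs and drop every other source. Review before loading.
panel_allowlist_rules() {
    for cidr in "$@"; do
        echo "iptables -A INPUT -p tcp -s $cidr -m multiport --dports $PANEL_PORTS -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp -m multiport --dports $PANEL_PORTS -j DROP"
}

# Constructed sample versions; on a server, pass the installed version string instead.
for v in 11.110.0.96 11.110.0.97 11.118.0.70 11.126.0.5 garbage; do
    printf '%-14s %s\n' "$v" "$(cpanel_patch_status "$v")"
done
panel_allowlist_rules 203.0.113.10/32 198.51.100.0/24   # documentation-range CIDRs
```

A result of "unknown" means the branch is not one of the two listed in this article, so the fixed build has to come from cPanel's own security announcement rather than from this script.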

Hosting providers: Prioritize patches across all customer servers and communicate transparently. For the latest, follow CISA advisories and cPanel's security announcements. Staying vigilant could save your site from the next big breach.


AndroGuider Team
Articles written by the AndroGuider team. We try to make them thorough and informational while being easy to read.
Reviewed by Randeotten on 5/05/2026 11:47:00 PM