Hackers are actively exploiting a bug in cPanel and WHM
Source: Hacker News
Overview
Security researchers are sounding the alarm on a newly discovered vulnerability in the widely used web server management software cPanel and WebHost Manager (WHM). The bug allows hackers to hijack and take full control of servers running the affected software, which is thought to be used by tens of millions of website owners worldwide.
Impact
The vulnerability affects all supported versions of the software. It allows malicious actors to remotely bypass the login screen and gain full access to the administration panel, giving them unrestricted access to data managed by cPanel/WHM.
Given the ubiquity of cPanel and WHM across the web-hosting industry, unpatched installations could lead to large numbers of compromised websites, especially on shared-hosting servers.
Advisory
Canada’s national cybersecurity agency issued an advisory warning that exploitation is “highly probable” and that immediate action from cPanel customers—or their web hosts—is necessary to prevent malicious access.
- Advisory link: https://www.cyber.gc.ca/en/alerts-advisories/al26-008-vulnerability-affecting-cpanel-webhost-manager-whm-cve-2026-41940
The bug is officially tracked as CVE-2026-41940: https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026
Responses from Hosting Companies
Namecheap blocked access to customers’ cPanel panels after learning of the flaw, both to prevent exploitation and to buy time to patch its systems: https://www.namecheap.com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026/
HostGator patched its systems and labeled the bug a “critical authentication-bypass exploit”: https://www.hostgator.com/help/article/centos6-cpanel-vulnerability
Evidence of Exploitation
KnownHost reported that hackers had been abusing the vulnerability for months before it was publicly disclosed.
CEO Daniel Pearson noted attempts as far back as February 23: https://www.reddit.com/r/cpanel/comments/1syyajp/comment/oiz12pp/?utm_source=BC
KnownHost observed around 30 servers, out of thousands on its network, showing signs of attempted unauthorized access, though no active compromises were confirmed: https://www.knownhost.com/forums/threads/cpanel-zero-day-exploit-network-wide-protections-in-place-for-cpanel-and-whm-logins-ports.6599/
cPanel also rolled out a security fix for WP Squared, a tool for managing WordPress sites: https://docs.wpsquared.com/changelogs/versions/changelog/#cpanel-related-changes