Hackers are mass-exploiting the cPanel bug to gain control of thousands of websites

Published: May 4, 2026 at 02:02 PM EDT
Source: TechCrunch


Scope of the Vulnerability

  • As of Monday, there are more than 550,000 potentially vulnerable servers running cPanel, a number that has remained stable for days.
    (Shadowserver statistics)

  • Approximately 2,000 cPanel instances are likely compromised, down from around 44,000 on Thursday.
    (Shadowserver honeypot data)

The vulnerability is tracked as CVE-2026-41940.

Exploitation Activity

On Thursday, security researchers reported that hackers began compromising servers running cPanel and WHM, exploiting a bug that allowed full control of the affected control panels.

  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that the vulnerability was being exploited in the wild and added it to its Known Exploited Vulnerabilities (KEV) catalog.

  • An unnamed cPanel spokesperson acknowledged receipt of a comment request from TechCrunch but did not provide a response.

Impact and Ransomware

Bleeping Computer reported that the damage is visible in Google's index, which lists dozens of sites that displayed a ransom note claiming the victims’ files had been encrypted. Some of those sites now load normally.

  • The ransom note included a chat ID for victims to contact the attackers.
  • The attackers did not immediately respond to TechCrunch’s request for comment.

Timeline of Detection

  • According to KnownHost CEO Daniel Pearson, attacks were detected as early as February 23, suggesting the exploitation predates the public disclosure.
