Hackers are still exploiting the cPanel bug to gain control of thousands of websites
Source: TechCrunch
Nearly a week after the makers of the popular web‑server management software cPanel and WebHost Manager (WHM) alerted users to a critical flaw, hackers are still targeting thousands of websites that run the vulnerable software.
On Thursday, security researchers reported that attackers were compromising servers running cPanel and WHM, taking full control of the control panels and hijacking the servers.
The ransom note left on compromised sites included a chat ID for victims to contact the hackers; the attackers did not respond to TechCrunch’s request for comment.
Statistics
- Potentially vulnerable servers: More than 550,000 cPanel servers are still exposed, according to Shadowserver’s monitoring dashboard.
- Likely compromised instances: Around 2,000 cPanel installations appear to have been compromised, down from roughly 44,000 on Thursday.
These figures have remained relatively stable over the past few days.
Exploitation Details
The vulnerability allowed attackers to gain full control of the affected servers via their control panels. As reported by Bleeping Computer, the impact is evident from Google indexing dozens of sites that displayed a ransomware message left by the hackers. Some of those sites now load normally.
Response from Authorities
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned on Thursday that the vulnerability—tracked as CVE‑2026‑41940—was being exploited in the wild. CISA added the issue to its Known Exploited Vulnerabilities (KEV) catalog and urged government agencies to apply patches by Sunday.
CISA did not immediately comment on whether government agencies have patched their servers.
Historical Context
The attacks against cPanel/WHM servers likely began well before the public disclosure of the vulnerability. According to KnownHost CEO Daniel Pearson, his company detected related attacks as early as February 23.
- Source: Reddit comment by Daniel Pearson
Company Response
Executives at Webpros, the company behind cPanel and WHM (which powers roughly 60 million domains), did not respond to requests for comment.