Hackers are rapidly exploiting a critical vulnerability in cPanel, a popular web hosting control panel. The flaw allows unauthenticated attackers to gain full root access to servers running cPanel and WHM.
Security researchers report tens of thousands of compromised installations since the cPanel vulnerability was disclosed on 28 April 2026. The software powers an estimated 70 million websites globally, making the risk widespread for shared hosting environments.
Mass Exploitation of the cPanel Vulnerability
The cPanel vulnerability, tracked as CVE-2026-41940, carries a CVSS score of 9.8. It stems from an authentication bypass in the login flow that lets remote attackers manipulate session files via CRLF injection.
Attackers inject crafted data to bypass normal checks and obtain administrative privileges without credentials. cPanel released patches for all supported versions on 28 April 2026, but exploitation began in the wild months earlier.
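The bug class described above, shown as an added example on a toy session store with the unsafe writer beside a hardened one. This is not cPanel's code or its real session file format; the key=value layout, the field names `user` and `authenticated`, and the write order are assumptions made for the illustration.

```python
# Toy model of the bug class only. NOT cPanel's code or session format;
# the key=value layout and field names are assumptions for illustration.

def parse_session(text):
    """Line-oriented reader: one key=value per line, last duplicate wins."""
    fields = {}
    for line in text.split("\n"):
        line = line.rstrip("\r")
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key] = value
    return fields

def write_session_vulnerable(fields):
    """Writes values verbatim, so a CR/LF inside a value starts a new record."""
    return "".join(f"{k}={v}\n" for k, v in fields.items())

def _is_safe(text, is_key):
    # Reject every control character, not just "\r\n": the writer must refuse
    # anything the reader could treat as a record boundary.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in text):
        return False
    return not (is_key and ("=" in text or text == ""))

def write_session_hardened(fields):
    """Validates keys and values before serialising; raises on unsafe input."""
    lines = []
    for k, v in fields.items():
        if not _is_safe(k, True) or not _is_safe(v, False):
            raise ValueError(f"control character or bad key in field {k!r}")
        lines.append(f"{k}={v}\n")
    return "".join(lines)

def pre_auth_fields(user_input):
    # Server-set flag first, then the client-supplied value (hypothetical order).
    return {"authenticated": "0", "user": user_input}

CONSTRUCTED_INPUT = "guest\r\nauthenticated=1"  # constructed sample value

if __name__ == "__main__":
    stored = write_session_vulnerable(pre_auth_fields(CONSTRUCTED_INPUT))
    print("vulnerable writer, parsed back:", parse_session(stored))
    try:
        write_session_hardened(pre_auth_fields(CONSTRUCTED_INPUT))
    except ValueError as exc:
        print("hardened writer rejected input:", exc)
```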
Rapid7 reported roughly 1.5 million vulnerable cPanel instances still exposed on the internet as of late April. The Shadowserver Foundation recorded scans and exploits against 44 000 cPanel installations on 30 April, with the highest numbers traced to US IP addresses followed by France, Germany and several other countries.
Sophisticated Campaigns Target Government Infrastructure
One advanced operation combined the cPanel vulnerability with custom exploits against an Indonesian defence-sector training portal. Attackers bypassed CAPTCHA, performed SQL injection and escalated to operating-system access before exfiltrating more than 4 GB of sensitive documents from the China Railway Society.
The campaign used layered persistence tools such as OpenVPN and Ligolo to maintain access. Researchers at Ctrl-Alt-Intel recovered the command-and-control infrastructure but stopped short of firm attribution.
This incident highlights how the cPanel vulnerability serves as an initial entry point for broader intelligence-gathering efforts.
Risks and Urgent Calls to Action
Once inside, attackers with root access can read customer files, install malware, steal credentials and pivot to connected networks. Some campaigns have deployed ransomware that encrypts data on compromised servers.
cPanel, developed by WebPros and used since 1997, warns that unsupported versions may also carry the flaw. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-41940 to its Known Exploited Vulnerabilities catalogue on 30 April and set a remediation deadline of 3 May for federal agencies.
Organisations running on-premise cPanel or WHM should upgrade immediately. Many hosting providers have temporarily blocked ports 2083 and 2087 as a stopgap, but experts strongly recommend full patching and log audits for signs of compromise.