Hackers are actively exploiting a bug in cPanel, used by millions of websites

Security experts are raising urgent concerns over a recently identified flaw in cPanel and WebHost Manager (WHM), two essential software suites utilized by millions of websites globally. This vulnerability enables cybercriminals to seize complete control of servers operating the affected versions, putting countless website owners at risk. While many web hosting providers have already implemented patches to protect their customers, the creators of cPanel are urging all users to verify that their systems are updated, as the bug impacts all supported software versions. cPanel and WHM are vital for managing web servers, overseeing email services, and ensuring the proper functioning of websites and databases. The flaw, identified as CVE-2026-41940, allows attackers to bypass the login interface remotely, granting them unrestricted access to the administration panel. Given the widespread adoption of cPanel and WHM in the web hosting sector, the potential for large-scale exploitation of unpatched websites is significant. Canada's national cybersecurity agency has issued a warning stating that the vulnerability could be leveraged to compromise sites hosted on shared servers, commonly used by major web hosting services. The agency emphasized that the likelihood of exploitation is high, necessitating immediate action from both cPanel users and their hosting providers to shield against unauthorized access. In response to the discovered flaw, leading web hosting provider Namecheap has proactively restricted customer access to their cPanel interfaces to prevent potential exploitation while they work on implementing necessary patches. Similarly, Hostgator has acknowledged the critical nature of the bug and has completed its patching efforts. Notably, some web hosting firms have reported that attempts to exploit this vulnerability have been occurring for an extended period. Daniel Pearson, CEO of KnownHost, revealed on Reddit that his organization detected exploitation attempts dating back to February 23. Although the company temporarily restricted access to customer systems while applying fixes, Pearson noted that they have not observed any confirmed breaches, with around 30 servers showing signs of attempted unauthorized access amidst thousands on their network. Additionally, cPanel has released a security update for WP Squared, another tool for managing WordPress sites.