Hackers are actively exploiting a bug in cPanel, used by millions of websites

A cPanel login screen showing the username and password prompt. Image Credits: TechCrunch / file photo

12:36 PM PDT · April 30, 2026

Security researchers are sounding the alarm on a recently discovered vulnerability in the widely used web server management software cPanel and WebHost Manager (WHM).

The bug allows hackers to hijack and take full control of the servers running the affected software, which is thought to be used by tens of millions of website owners around the world.

Many commercial web hosting companies have patched their customers’ systems already. But the cPanel maker urged customers to ensure that their systems are patched as the bug affects all supported versions of the software.

cPanel and WHM are two software suites used for managing web servers that host websites, manage emails, and handle important configurations and databases needed to support an internet domain. The two suites have deep access to the servers that they manage, allowing a malicious hacker potentially unrestricted access to data managed by the affected software.

The bug, officially tracked as CVE-2026-41940, allows malicious hackers to remotely bypass its login screen to gain full access to the software’s administration panel.

Given the ubiquity of the cPanel and WHM software across the web hosting industry, hackers could compromise potentially large numbers of websites that haven’t patched the bug.

Canada’s national cybersecurity agency said in an advisory that the bug could be exploited to compromise websites on shared hosting servers, such as large web hosting companies.

The agency said that “exploitation is highly probable” and that immediate action from cPanel customers, or their web hosts, is necessary to prevent malicious access.

Web hosting giant Namecheap, which uses cPanel to allow its customers to manage their web servers, said the company blocked access to customers’ cPanel panels after learning of the flaw to prevent exploitation, and to give it time to patch its customers’ systems.

Hostgator also said it patched its systems and is considering the bug a “critical authentication-bypass exploit.”

One web hosting company says it found evidence that hackers have been abusing the vulnerability for months before the attempts were discovered.

KnownHost CEO Daniel Pearson said in a post on Reddit that his company has seen attempts to exploit the vulnerability as far back as February 23. The company said it also briefly began blocking access to customer systems before applying patches.

According to Pearson, around 30 servers at KnownHost showed signs of unauthorized attempted access out of thousands of computers on its network. Pearson likened the efforts to attempts, and has not seen signs of active compromise. cPanel also said it rolled out a security fix for WP Squared, a similar tool for managing WordPress websites.


Zack Whittaker is the security editor at TechCrunch. He also authors the weekly cybersecurity newsletter, this week in security.

He can be reached via encrypted message at zackwhittaker.1337 on Signal. You can also contact him by email, or to verify outreach, at zack.whittaker@techcrunch.com.
