Image Credits: Bryce Durbin / TechCrunch
11:02 AM PDT · May 4, 2026
Nearly a week after the makers of the popular web server management suite cPanel and WebHost Manager (WHM) alerted users of a critical flaw in its software, hackers are still targeting thousands of websites that use the vulnerable software.
As of Monday there are more than 550,000 potentially vulnerable servers running cPanel, a figure that has remained stable for days. And there are now around 2,000 cPanel instances likely compromised, down from about 44,000 on Thursday. These statistics are published by Shadowserver, a nonprofit organization that scans and monitors the internet for cyberattacks.
On Thursday, security researchers alerted that hackers started compromising servers running cPanel and WHM, taking advantage of a bug that allowed the attackers to take full control of and hijack the vulnerable servers via their control panels.
As Bleeping Computer reported, the degree of the damage is visible by the fact that Google has indexed dozens of websites that at some point displayed a message from a group of hackers that claimed to have encrypted the victim’s files in an apparent ransomware attack. Some of those sites now load normally.
The ransom note included a chat ID for the victims to contact the hackers, who did not immediately respond to TechCrunch’s request for comment.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned on Thursday that the vulnerability — tracked as CVE-2026-41940 — was being exploited in the wild, and added it to its Known Exploited Vulnerabilities (KEV) catalog. CISA asked government agencies to patch by Sunday. CISA did not immediately respond to a request for comment, asking whether it could confirm that government agencies have patched their servers.
The attacks against web servers running cPanel and WHM have likely been ongoing since much earlier than the vulnerability was disclosed. According to KnownHost CEO Daniel Pearson, his company detected attacks as far back as February 23.
Executives at Webpros, the company that develops cPanel and WHM and says it powers 60 million domains, did not respond to a request for comment.
Lorenzo Franceschi-Bicchierai is a Senior Writer at TechCrunch, where he covers hacking, cybersecurity, surveillance, and privacy.
You can contact or verify outreach from Lorenzo by emailing lorenzo@techcrunch.com, via encrypted message at +1 917 257 1382 on Signal, and @lorenzofb on Keybase/Telegram.













