cPanel Issues Second Emergency Security Patch Following Ransomware Breach of 44,000 Servers
A rapid response update follows the May 8 attack on cPanel and WHM infrastructure, though specific details of the new flaws remain undisclosed in current reports.
On 9 May 2026, cPanel issued a second emergency security patch to address three newly identified vulnerabilities affecting its web hosting control panel software. This critical update arrives just ten days after a significant ransomware attack compromised approximately 44,000 servers running cPanel or WHM on 8 May 2026. The initial breach exploited an authentication bypass flaw identified as CVE-2026-41940, allowing attackers to gain unauthorised access to the compromised infrastructure.
The rapid release of a follow-up patch indicates an urgent effort by the software provider to stabilise its security posture in the wake of the incident. According to reporting from Copahost, a hosting provider that monitors cPanel security advisories, the second update was deployed quietly shortly after the initial compromise became public knowledge. While the speed of the response suggests a coordinated defence strategy, the lack of immediate fanfare has drawn attention to the severity of the ongoing threat landscape facing web hosting environments.
Despite the urgency of the situation, the specific nature and severity of the three new vulnerabilities addressed in this second patch have not been disclosed by name or assigned a CVE number in the available source material. This absence of technical detail limits the ability for system administrators to fully assess the risk profile of the new flaws without waiting for further official advisories. The report notes that the update covers these three new issues, but the truncated nature of the current information prevents a granular breakdown of the vulnerabilities involved.
The initial attack on 8 May 2026 resulted in the deployment of ransomware across the 44,000 affected servers, highlighting the potential scale of the damage caused by the authentication bypass. While the full scope of the attack and the specific strain of ransomware used have not been elaborated upon in the provided text, the number of compromised systems underscores the systemic risk associated with vulnerabilities in widely used control panel software. The figure of 44,000 servers remains the confirmed metric based on reporting from Copahost and may require verification against official cPanel security advisories.
For operators running cPanel or WHM, the situation demands immediate attention to ensure all systems are updated with the latest emergency patches. The sequence of events, moving from an initial exploitation to a rapid secondary patch release within a ten-day window, illustrates the volatile nature of modern cyber threats targeting critical internet infrastructure. Stakeholders must remain vigilant as the security community continues to monitor the situation for further disclosures regarding the technical specifics of the new vulnerabilities.
