Thousands of cPanel Servers Remain Vulnerable as Hackers Continue Exploitation Campaign
The U.S. Cybersecurity and Infrastructure Security Agency has listed the flaw in its Known Exploited Vulnerabilities catalog with a strict deadline for government agencies to patch.

A critical vulnerability in the widely used web server management software cPanel and WHM continues to be actively exploited by cybercriminals, leaving thousands of servers compromised globally. As of Monday, monitoring data indicates approximately 2,000 instances have likely been taken over by attackers, a significant reduction from the roughly 44,000 instances recorded on Thursday.
These figures are drawn from Shadowserver, a nonprofit organisation that scans and monitors the internet for cyberattacks. The organisation reports that while the number of confirmed compromises has stabilised at around 2,000, the broader threat landscape remains severe. More than 550,000 servers running the software remain potentially vulnerable, presenting a persistent risk for the global web infrastructure.
The specific flaw, tracked as CVE-2026-41940, allows attackers to gain full control and hijack vulnerable servers directly via the control panel. Evidence of the ongoing campaign is visible in the wild, with Google indexing dozens of websites that have displayed ransomware messages claiming to have encrypted victim files. Although some of these sites have since returned to normal operation, the ransom notes included contact details for the operators, who have not yet responded to requests for comment.
In response to the active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities catalog on Thursday. The agency issued a specific warning urging government agencies to apply necessary security patches by Sunday. CISA has not yet confirmed whether all government bodies have successfully completed the remediation process.
There are indications that the attack campaign predates the public disclosure of the flaw. Daniel Pearson, CEO of KnownHost, noted that his company detected intrusions as early as 23 February. This timeline implies that the software was being targeted well before the vulnerability was formally disclosed to the public.
Executives at Webpros, the developer of cPanel and WHM, which powers approximately 60 million domains globally, have not provided an official statement regarding the incident or a timeline for a complete resolution. The situation underscores the critical importance of timely patching for organisations relying on this ubiquitous hosting infrastructure.


