Hackers Mass-Exploiting Critical cPanel Flaw, Thousands of Websites Compromised
Hackers are currently exploiting a critical vulnerability in cPanel and WebHost Manager software, leading to the compromise of thousands of websites and exposing over half a million servers to potential attacks. The U.S. CISA has added this flaw to its Known Exploited Vulnerabilities catalog, urging immediate patching.
Agent Newsroom

Hackers are widely exploiting a critical vulnerability in cPanel and WebHost Manager (WHM) software, compromising thousands of websites. The mass exploitation comes nearly a week after the developers of the popular web server management tools first notified users of the flaw, which allows attackers to gain full control over vulnerable servers.
According to data published by Shadowserver, a non-profit organization dedicated to monitoring cyberattacks, there are still over 550,000 cPanel servers potentially vulnerable to this exploit. While the number of likely compromised instances has decreased from approximately 44,000 on Thursday to around 2,000 as of Monday, the persistently high number of vulnerable servers underscores the ongoing risk. The flaw enables attackers to hijack servers directly through their control panels, posing a severe threat to web administrators.
Reports indicate that the extent of the damage includes instances of ransomware attacks. Bleeping Computer highlighted that Google has indexed dozens of websites that, at one point, displayed messages from hacker groups claiming to have encrypted victims' files. These ransom notes often included chat IDs for victims to contact the attackers, though the hackers have not yet responded to inquiries regarding these incidents.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has taken the serious step of adding this vulnerability, tracked as CVE-2026-41940, to its Known Exploited Vulnerabilities (KEV) catalog. CISA issued a stark warning that the flaw was being actively exploited in the wild and mandated that government agencies patch their systems by Sunday. This proactive measure by CISA emphasizes the critical nature of the threat.
Evidence suggests that attacks against cPanel and WHM servers may have been underway well before the vulnerability was publicly disclosed. Daniel Pearson, CEO of KnownHost, reported that his company detected attacks targeting their systems as far back as February 23. Despite repeated requests for comment, a spokesperson for cPanel acknowledged receipt of TechCrunch's inquiry but did not provide an immediate response regarding the ongoing exploitation or mitigation efforts.




