
Hackers Exploit cPanel Flaw to Gain Control of Thousands of Websites

 

Hackers are still aggressively exploiting a critical bug in cPanel and WHM, the widely used web hosting control software that powers countless websites across the internet. The flaw, tracked as CVE-2026-41940, lets attackers bypass the login screen and seize administrative access to affected servers without a password. Because cPanel is deeply embedded in shared hosting environments, a single compromised server can expose many unrelated websites at once. 

The scale of the problem is large. Security researchers say more than 550,000 cPanel servers may be vulnerable, while roughly 2,000 instances were believed to be compromised at the time of reporting, down from about 44,000 last week. That drop suggests some hosting providers and administrators have already begun cleaning up or blocking attacks, but the threat remains active and widespread. 

What makes the issue especially dangerous is how much control the bug gives to attackers. Once inside, criminals can manage website files, databases, SSL certificates, and other critical settings tied to every site hosted on the server. In practice, that means they can deface websites, install backdoors, steal data, or redirect visitors to malicious pages, all from the control panel intended for legitimate administrators.

The vulnerability has also shown signs of being abused before the public disclosure. One hosting provider reported seeing exploitation attempts as early as late February, well before the issue was officially disclosed and patched. The U.S. Cybersecurity and Infrastructure Security Agency added the flaw to its Known Exploited Vulnerabilities catalog, confirming that it is being used in real-world attacks and should be treated as an urgent patching priority. 

For site owners, the response needs to be immediate and practical. Systems should be patched to the latest cPanel and WHM releases, exposed login panels should be restricted where possible, and administrators should check for unauthorized users, modified files, suspicious SSH keys, and unexpected database changes. Hosting providers such as Namecheap, HostGator, and KnownHost have already taken emergency steps, including temporarily blocking access while they applied fixes. The wider lesson is that a single authentication-bypass flaw in a core admin tool can become a large-scale internet incident almost overnight.
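
The check for suspicious SSH keys can be scripted. The following is an added example, not code from the original post or from cPanel: it fingerprints each `authorized_keys` entry and reports keys that are absent from an approved list, carry options, or are malformed. The function names, the approved-list approach, and the sample keys are assumptions constructed for illustration.

```python
import base64
import hashlib

KEY_PREFIXES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form printed by `ssh-keygen -lf`."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_entry(line):
    """Return (options, fingerprint) for one entry, or None if malformed."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_PREFIXES):
            try:
                return " ".join(fields[:i]), fingerprint(fields[i + 1])
            except ValueError:  # key blob is not valid base64
                return None
    return None

def audit(text, approved):
    """List (line number, fingerprint, reasons) for entries needing review."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        options, fp = parse_entry(line) or ("", None)
        reasons = []
        if fp is None:
            reasons.append("malformed entry")
        elif fp not in approved:
            reasons.append("key not in approved list")
        if options:
            reasons.append("options set: " + options)
        if reasons:
            findings.append((lineno, fp, reasons))
    return findings

def _blob(seed):  # constructed, structurally valid ed25519 public-key blob
    header = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20"
    return base64.b64encode(header + hashlib.sha256(seed).digest()).decode()
KNOWN, UNKNOWN = _blob(b"admin"), _blob(b"unknown")
APPROVED = {fingerprint(KNOWN)}
SAMPLE = f"""# constructed authorized_keys content, not from a real host
ssh-ed25519 {KNOWN} admin@example
ssh-ed25519 {UNKNOWN} added-later
no-pty,command="/usr/bin/backup run" ssh-ed25519 {KNOWN} backup
ssh-ed25519 not*base64 broken"""
```

On a real server, `audit()` would be fed the contents of each account's `authorized_keys` file, with the approved set taken from fingerprints recorded before the incident.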