Cybercriminals exploit cPanel vulnerability to hijack thousands of websites
Hackers are actively exploiting a cPanel vulnerability to take control of thousands of websites, raising serious concerns over hosting security and data protection.
Nearly a week after the makers of the widely used web server management software cPanel and WebHost Manager warned users about a critical flaw in their platform, hackers have begun mass-compromising thousands of websites that depend on the affected systems.
As of Monday, more than 550,000 servers running cPanel remain potentially exposed, a figure that has held steady for several days. At the same time, roughly 2,000 cPanel instances are believed to have been compromised, a decline from approximately 44,000 reported on Thursday. These figures come from the Shadowserver Foundation, a nonprofit that continuously scans and monitors the internet for signs of cyber threats and attacks.
Security researchers first raised alarms on Thursday, noting that attackers had begun exploiting servers running cPanel and WHM. By exploiting a vulnerability in the software, hackers gained full administrative control over affected systems, effectively hijacking servers via their control panels.
According to reporting by Bleeping Computer, the scale of the damage is partly visible through search engine indexing. Google has catalogued dozens of compromised websites that, at various points, displayed messages from a hacking group claiming responsibility for encrypting files in what appear to be ransomware attacks. Some of the affected websites have since returned to normal operation.
The ransom notes left behind included a chat ID, allowing victims to contact the attackers directly.
The Cybersecurity and Infrastructure Security Agency (CISA) issued a warning on Thursday, confirming that the vulnerability — identified as CVE-2026-41940 — is being actively exploited in real-world attacks. The agency added the flaw to its Known Exploited Vulnerabilities (KEV) catalogue and instructed federal agencies to apply patches by Sunday. CISA has not yet responded to requests for confirmation on whether government systems have been fully updated.
Evidence suggests that these attacks may have started well before the vulnerability became publicly known. According to KnownHost CEO Daniel Pearson, his company observed suspicious activity linked to the flaw as early as February 23, suggesting that threat actors may have been exploiting the weakness for weeks before disclosure.