Hackers Are Actively Exploiting a Bug In cPanel, Used By Millions of Websites

Hackers are actively exploiting a critical cPanel and WHM vulnerability, tracked as CVE-2026-41940, that allows remote attackers to bypass the login screen and gain full administrative access to affected web servers. Major hosts including Namecheap, HostGator, and KnownHost have taken mitigation steps or patched systems, but cPanel is urging all customers and web hosts to update immediately because the software is widely used across millions of websites. TechCrunch reports: cPanel and WHM are two software suites used for managing web servers that host websites, manage emails, and handle important configurations and databases needed to maintain an internet domain. The two suites have deep-access to the servers that they manage, allowing a malicious hacker potentially unrestricted access to data managed by the affected software.

Given the ubiquity of the cPanel and WHM software across the web hosting industry, hackers could compromise potentially large numbers of websites that haven't patched the bug. Canada's national cybersecurity agency said in an advisory that the bug could be exploited to compromise websites on shared hosting servers, such as large web hosting companies.

The agency said that "exploitation is highly probable" and that immediate action from cPanel customers, or their web hosts, is necessary to prevent malicious access. [...] One web hosting company says it found evidence that hackers have been abusing the vulnerability for months before the attempts were discovered.

ah yep

[psycandy]

cpanel on my site compromised a few months ago, host told everyone to go 2FA. I thought it was injection, to alter the notification email and intercept the passwords when reset but was in no doubt cpanel had a critical issue, not that you'd guess that was the case.

Customers Update

[nuckfuts]

cPanel is urging all customers and web hosts to update immediately.

For hosted websites, is this not something the web host should be doing for their customers?

Re:

[Anonymous Coward]

Oh, sweet summer child.

Re:

[Tablizer]

I believe they meant in the general sense, not necessarily very-end-users.

Re:

[nuckfuts]

very-end-users.

Haven't heard that term before. I like it :)

Re:

[Tablizer]

Just don't take it too literally ;-)

Re:

[Burdell]

"should" is doing some heavy lifting there.

But if you're concerned about a cPanel server where you have a site, you could just exploit the hole to gain admin access and then apply the update.

Re:

[CEC-P]

In my experience, it's something ONLY the host can do for the customers. We can't usually patch our own cpanel version on shared servers. You sometimes can't on rented servers unless you did the install yourself.

Chained to Copyfail

[bill_mcgonigle]

They get auth through CPanel then get root through Copyfail.

Brace for impact.

Re:Chained to Copyfail

[DarkOx]

CopyFail only affects kernels from 2017 on, nothing that new is running CPanel

Re:

[dclaw]

cPanel is still in active use and development and runs on all modern operating systems.

Re:

[hcs_$reboot]

Systems are dropping like flies, and this is only the beginning.
AI hasn’t even shown its true capabilities yet.

Brace for impact.

Indeed.

So what?

[devslash0]

cPanel has been under attack via different exploits for a long, long, looooooong time.

Just look at how long its CVE history is.

Namecheap Mitigations

[mackil]

Namecheap actually shut off [kensai.app] access to my cpanel for a few hours, while they applied "mitigations". I hope it's enough.