Software designed to grant administrators total control over web environments has instead become a primary mechanism for their subjugation. Despite critical security alerts urging administrators to close a major flaw in cPanel and WebHost Manager (WHM), hackers are still exploiting the bug to gain control of thousands of websites across the global internet.

The gap between identifying this flaw and widespread remediation has created extreme instability for web hosting infrastructure worldwide, leaving a massive portion of the internet exposed.

A Massive Attack Surface Under Siege

The sheer scale of the current threat landscape is difficult to overstate. Recent data from Shadowserver indicates that more than 550,000 servers running cPanel remain in a potentially vulnerable state, representing a massive, unpatched attack surface.

Active compromises have dropped notably, from an estimated 44,000 instances on Thursday to approximately 2,000 by Monday, but the servers that remain hijacked represent a significant ongoing risk. The number of vulnerable servers has held steady, which suggests that many administrators have yet to apply critical updates. This stagnation allows attackers to continue scanning for targets with high efficiency. Because cPanel is a cornerstone of modern web hosting, a single unpatched instance can serve as a staging ground for much larger-scale network intrusions.

Ransomware and the Visible Trail of Compromise

The impact of this cPanel bug extends far beyond simple unauthorized access; it has manifested as a visible, public-facing catastrophe. Security researchers have observed dozens of websites appearing in Google search results displaying blatant ransom notes. These messages, left by unidentified hacking groups, claim that the victims' files have been encrypted and list chat IDs as the channel through which the attackers demand payment.

The vulnerability, tracked as CVE-2026-41940, allows attackers to take full control of vulnerable servers through their management panels. This level of access means that once a breach occurs, the attacker essentially inherits the permissions of the server administrator. The visibility of these attacks on major search engines highlights a terrifying reality: hackers are not merely seeking quiet data exfiltration, but are actively using hijacked control panels to stage high-profile extortion attempts.

Key Facts Regarding the Breach

  • CVE-2026-41940: The specific identifier for this critical control panel vulnerability.
  • WebPros Infrastructure: WebPros, the developer of cPanel, manages software that powers an estimated 60 million domains.
  • Detection Discrepancy: Malicious activity was detected as early as February 23, weeks before recent widespread alerts.
  • CISA Mandate: Federal agencies were urged to patch their systems by the end of last week to mitigate risk.

The Timeline of a Silent Breach

The window of opportunity for attackers likely began much earlier than recent public alarms suggest. While official alerts have only recently gained traction, industry experts have reported detecting malicious activity as far back as late February. This gap between initial exploitation and widespread disclosure highlights the extreme difficulty of managing zero-day threats within complex software ecosystems.

The gravity of the situation has forced a response from major regulatory bodies. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added this flaw to its Known Exploited Vulnerabilities (KEV) catalog, a move that signals the severity of the threat to government agencies and critical infrastructure.

The Verdict on Infrastructure Security

As organizations race to patch their systems, the industry faces a sobering reality regarding the lifecycle of modern exploits. The transition from discovery to mass exploitation happens in hours, yet the timeline for global remediation often stretches into weeks.

For those managing web infrastructure, this incident serves as a stark reminder that even the most trusted management tools can be turned against their owners if the patch cycle is not treated with absolute urgency. Moving forward, the focus must shift from reactive patching to more robust, automated vulnerability management to prevent the next wave of hijacking.