cPanel exploit hits 40,000 servers

- Attackers are actively exploiting CVE-2026-41940, a critical cPanel and WHM authentication-bypass bug disclosed April 28 that can hand remote intruders admin access.
- Shadowserver tied the campaign to roughly 44,000 unique IPs hitting honeypots, while Censys saw cPanel dominate a sudden spike in malicious hosts.
- The real risk is concentration — a few hosting providers control much of the exposed cPanel footprint, so slow patching scales fast.

cPanel is the control panel a huge chunk of the web runs on. That matters because a bug there is not just “one server got popped” — it can mean full control of the machine that manages websites, databases, email, and customer accounts. The news is that attackers are now exploiting a newly patched cPanel and WHM flaw at internet scale, and the blast radius already looks ugly. Security researchers are tying the campaign to tens of thousands of systems and to follow-on activity that includes botnet infections and ransomware. (securityweek.com)

### What broke in cPanel?

The bug is CVE-2026-41940, a critical pre-authentication bypass in cPanel and WebHost Manager. “Pre-auth” is the scary part — an attacker does not need valid credentials first. The flaw sits in the login and session-handling flow, where specially crafted input can end up writing attacker-controlled values into a session file and then reloading that file as if it were legitimate. That can turn into administrative access on the server. (securityweek.com)

### Why is admin access such a big deal?

WHM is the root-level side of cPanel. If an attacker gets in there, the game is basically over for that host. They can touch site configs, databases, hosted domains, and the rest of the control plane. This is why shared hosting incidents spread pain sideways — one exposed panel can sit above many customer websites at once. (securityweek.com)

### Where does the 40,000 number come from?

The 40,000-plus figure is not a clean census of confirmed hacked boxes. It is an estimate built from internet-scale observations. Shadowserver said the spike reflected about 44,000 unique IPs seen scanning, brute-forcing, or running exploits against its honeypot sensors. Censys, looking at a separate dataset, s(securityweek.com)those together and the picture is the same — exploitation went broad, fast. (securityweek.com)

### Was this already being abused before the patch?

Yes — and that is one reason defenders are on edge. cPanel disclosed and patched the issue on April 28, 2026, but researchers say exploitation likely goes back to late February. Rapid7 noted public reporting that targeted zero-day abuse may have started around February 23, and SecurityWeek said activity spiked again after technical details and a proof of concept became public. (securityweek.com)

### What are attackers doing after they get in?

Turns out there is not just one playbook. Censys says it is seeing at least two distinct paths: Mirai-style botnet activity and ransomware that appends a “.sorry” extension to encrypted files. That split matters because it suggests multiple groups moved in quickly once the bug was exposed, not one actor running one campaign. (censys.com)

### Why did this spread so quickly?

Because cPanel is everywhere, and a lot of it is internet-facing by design. Rapid7 said a simple Shodan query returned roughly 1.5 million exposed cPanel instances. The catch is that patching is concentrated too. Censys says a relatively small group of big hosting providers accounts for nearly half the exposed footprint, so internet-wide cleanup depends heavily on how fast those operators move. (rapid7.com)

### What should admins do right now?

Patch first, then assume patching alone is not enough. cPanel says all versions after 11.40 were affected and lists fixed builds across supported branches, with immediate updates and a cpsrvd restart required. The company also published a detection script and says that if a server is confirmed root-compromised, admins should migr(rapid7.com)cally — if you were exposed, treat this as a possible full-host compromise, not a routine login bug. (support.cpanel.net)

### Bottom line?

This is the bad version of a hosting-panel bug — easy to reach, high privilege, and already industrialized. The headline number may move around, but the lesson will not: when a shared control plane gets a pre-auth admin bypass, patch windows collapse from days to hours. (securityweek.com)
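The write-then-reload session-file pattern described under “What broke in cPanel?”, as an added illustration that is not cPanel’s code: a hypothetical flat key=value session store in which one unescaped client field can forge a privilege line, beside a hardened store that namespaces client data, refuses privilege fields from the client, and serialises with JSON (the field names, the “admin” role, and the file layout are all assumptions for the demo).

```python
import json
import os
import tempfile

PRIVILEGE_KEYS = {"user", "role"}  # hypothetical fields only the server may set

def write_session_naive(path, fields):
    # Vulnerable pattern: unescaped "key=value" lines, so a newline in a value forges a line.
    with open(path, "w") as f:
        for k, v in fields.items():
            f.write(f"{k}={v}\n")

def load_session_naive(path):
    session = {}
    with open(path) as f:
        for line in f:
            k, _, v = line.rstrip("\n").partition("=")
            session[k] = v  # a later line silently overwrites an earlier one
    return session

def write_session_safe(path, server_fields, client_fields):
    # Hardened: client data is namespaced, privilege fields are refused from the client,
    # JSON escaping removes delimiter ambiguity, and the rename is atomic for reloads.
    if PRIVILEGE_KEYS & client_fields.keys():
        raise ValueError("client may not set privilege fields")
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        json.dump({"server": server_fields, "client": client_fields}, f)
    os.replace(tmp, path)

def load_session_safe(path):
    with open(path) as f:
        record = json.load(f)
    return record["server"], record["client"]

def demo():
    hostile_name = "alice\nrole=admin"  # constructed input: display name smuggling a forged line
    d = tempfile.mkdtemp()
    naive_path, safe_path = os.path.join(d, "naive.sess"), os.path.join(d, "safe.sess")
    write_session_naive(naive_path, {"user": "alice", "role": "user", "name": hostile_name})
    naive_role = load_session_naive(naive_path)["role"]  # "admin": the forged line won
    write_session_safe(safe_path, {"user": "alice", "role": "user"}, {"name": hostile_name})
    server, client = load_session_safe(safe_path)  # role stays "user", newline kept in name
    try:  # the client cannot even submit a privilege field
        write_session_safe(safe_path, {"user": "alice", "role": "user"}, {"role": "admin"})
        refused = False
    except ValueError:
        refused = True
    return naive_role, server["role"], client["name"], refused
```

Running `demo()` returns the escalated role from the naive store, the unchanged role from the hardened store, the hostile value preserved verbatim as data, and the refusal of a client-supplied privilege field.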

Shared from Scout - Be the smartest in the room.