Nearly a week has passed since the makers of the popular web server management software cPanel and WebHost Manager (WHM) warned users of a critical flaw in their software, but hackers are still targeting thousands of websites using the vulnerable software.
As of Monday, there were more than 550,000 potentially vulnerable servers running cPanel, and that number has remained stable for several days. And there are now about 2,000 potentially compromised cPanel instances, down from about 44,000 on Thursday. These statistics are published by Shadowserver, a nonprofit organization that scans the Internet for cyberattacks.
On Thursday, security researchers warned that hackers have begun compromising servers running cPanel and WHM by leveraging a bug that allows attackers to take full control of vulnerable servers via the control panel.
As reported by Bleeping Computer, the extent of the damage is evidenced by the fact that Google indexed dozens of websites that at one point displayed messages from a hacker group that claimed to have encrypted victims' files in an apparent ransomware attack. Some of those sites now load correctly.
The ransom note included a chat ID for victims to contact the hackers, who did not immediately respond to TechCrunch's request for comment.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday warned that the vulnerability (tracked as CVE-2026-41940) is being exploited in the wild and added it to its Known Exploited Vulnerabilities (KEV) catalog. CISA asked government agencies to apply the patch by Sunday. CISA did not immediately respond to a request for comment asking if it could confirm that the agency had patched its servers.
Attacks against web servers running cPanel and WHM may have been ongoing long before the vulnerability was made public. KnownHost CEO Daniel Pearson said his company detected the attack on February 23rd.
Executives at Webpros, which develops cPanel and WHM and claims to support 60 million domains, did not respond to requests for comment.

