Cybercriminals are exploiting a recently discovered vulnerability in cPanel and WebHost Manager on a large scale. These widely used web server management tools appear to contain a serious security flaw that allows attackers to gain full control of systems that have not yet been updated.
Although the software’s developers previously warned users and released a fix, a large number of servers remain vulnerable, according to TechCrunch. Since early last week, more than 550,000 servers running cPanel worldwide have been potentially vulnerable. That number has remained virtually unchanged for several days. At the same time, the number of suspected compromised installations has dropped to about 2,000, down from approximately 44,000 on Thursday. These figures come from the Shadowserver Foundation, an organization that actively monitors the internet for threats and attacks.
Ransomware-like tactics
Security researchers observed that attackers were actively exploiting the vulnerability to gain access to server control panels. This allowed them to take over and modify websites. In some cases, messages appeared on affected sites stating that files had been encrypted, indicating ransomware-like practices. Some of these websites are now functioning normally again, suggesting that administrators have intervened.
The vulnerability, registered as CVE-2026-41940, is now on the U.S. Cybersecurity and Infrastructure Security Agency (CISA) list of actively exploited security issues. Government agencies were strongly advised to patch their systems quickly, though it is unclear to what extent this has been done everywhere.
According to hosting company KnownHost, there had already been earlier signs of attacks potentially related to this vulnerability. This suggests that the vulnerability was already being exploited before it was publicly disclosed.