A recently found vulnerability in the popular web server administration programs cPanel and WebHost Manager (WHM) has security researchers raising the alarm.
Tens of millions of website owners worldwide are believed to be using the impacted software, which the weakness enables hackers to take over and fully control of.
Numerous business web hosting providers have already fixed their clients’ systems.However, as the flaw affects all supported versions of the software, the cPanel manufacturer advised users to make sure their systems are fixed.
Web servers that host websites, handle emails, and manage crucial configurations and databases required to operate an internet domain are managed by two software suites called cPanel and WHM.Due to the two suites’ deep access to the servers they oversee, a malevolent hacker may be able to access data controlled by the compromised program without any limitations.
Malicious hackers can remotely bypass the software’s login page and obtain complete access to its administration panel thanks to a problem that is officially tagged as CVE-2026-41940.
Because WHM and cPanel are so widely used in the web hosting sector, hackers may be able to compromise a significant number of unpatched domains.
The issue might be used to compromise websites on shared hosting servers, like those of big web hosting firms, according to an advisory from Canada’s national cybersecurity agency.
According to the agency, “exploitation is extremely possible” and cPanel clients or their web hosts must take quick action to stop fraudulent access.
In order to prevent exploitation and to give it time to repair its customers’ systems, web hosting behemoth Namecheap, which utilizes cPanel to enable its clients to control their web servers, said it disabled access to clients’ cPanel panels after discovering the vulnerability.
Additionally, HostGator stated that it has patched its systems and views the flaw as a “serious authentication-bypass attack.
Before the attempts were detected, one site hosting provider claims to have discovered evidence of hackers abusing the vulnerability for months.
Daniel Pearson, the CEO of KnownHost, stated in a Reddit post that attempts to exploit the issue date back to February 23.The company said it also briefly began limiting access to client systems before releasing fixes.
Pearson claims that out of thousands of machines on KnownHost’s network, about thirty servers displayed indications of unwanted access attempts. Pearson has not observed any indications of active compromise and compared the initiatives to attempts.Additionally, cPanel announced the release of a security patch for WP Squared, a comparable WordPress website management solution.
Leave feedback about this