The Scale of the Problem Is Hard to Ignore

Here's what's happening right now, and honestly, it's kind of alarming. Hackers are actively mass-exploiting a critical flaw in cPanel and WebHost Manager (WHM) — software that powers a staggering number of websites — and the damage is already visible across the internet.

As of this Monday, there are more than 550,000 potentially vulnerable servers still running cPanel. That number has held steady for days. And around 2,000 cPanel instances are likely already compromised — down from a peak of roughly 44,000 on Thursday alone. Those figures come from Shadowserver, a nonprofit that continuously scans and monitors the internet for cyberattacks.

That drop from 44,000 to 2,000 might sound like good news. And in a way it is. But "2,000 compromised servers" is still 2,000 too many.

What the Vulnerability Actually Is

The flaw — tracked as CVE-2026-41940 — lets attackers take full control of vulnerable servers through their own control panels. Think about that for a second. The very tool designed to help admins manage their servers became the entry point for a takeover.

The bug affects cPanel and WHM, and it's bad enough that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities catalog on Thursday. CISA also told government agencies to patch by Sunday. Whether they all did is still unclear — CISA didn't respond to requests to confirm compliance.

cPanel's makers were made aware of the issue, but beyond acknowledging receipt of a request for comment, they haven't said anything publicly.

Ransomware Is Already in the Picture

This isn't just about someone quietly poking around servers. Some of the attacked sites displayed ransom notes — messages from hackers claiming they'd encrypted the victims' files. Google actually indexed dozens of those pages at some point, which is a striking way to measure how widespread the damage got. Some of those sites have since gone back to loading normally, which suggests either the ransom was paid or the attackers moved on.

The ransom notes included a chat ID for victims to contact the hackers. TechCrunch reached out to that channel. No response.

The Attacks Started Way Earlier Than Anyone Announced

Here's the part that stings a little. By the time the vulnerability was publicly disclosed, attacks had apparently already been going on for months. According to KnownHost CEO Daniel Pearson, his company detected attack activity as far back as February 23 — more than two months before the public warning went out.

That's the quiet, uncomfortable reality of a lot of these exploits. By the time the rest of the world knows about a vulnerability, someone else has already been quietly taking advantage of it.

Who Knew and When

On Thursday, April 30, security researchers flagged that hackers had started actively compromising cPanel and WHM servers. CISA issued its warning the same day. The timeline is tight, and the response, for many, may have come too late.

The attack chain is straightforward enough to be scalable — which explains why the numbers ballooned so quickly before starting to come down. Automated mass exploitation doesn't require much sophistication once someone has a working exploit for a bug this critical.