Nearly a week after the makers of the popular web server management software cPanel and WebHost Manager (WHM) alerted users of a critical flaw in its software, hackers are now mass-compromising thousands of websites that rely on the vulnerable software.
As of Monday, there are more than 550,000 potentially vulnerable servers running cPanel, a number that has remained stable for days. And there are now around 2,000 cPanel instances likely compromised, down from around 44,000 on Thursday. These statistics are published by Shadowserver, a nonprofit organization that scans and monitors the internet for cyberattacks.
On Thursday, security researchers alerted that hackers started compromising servers running cPanel and WHM, taking advantage of a bug that allowed the attackers to take full control of and hijack the vulnerable servers via their control panels.
As Bleeping Computer reported, some of the extent of damage so far is visible by the fact that Google has indexed dozens of websites that at some point displayed a message from a group of hackers that claimed to have encrypted the victim’s files in an apparent ransomware attack. Some of those sites now load normally.
The ransom note included a chat ID for the victims to contact the hackers, who did not immediately respond to TechCrunch’s request for comment.
U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned on Thursday that the vulnerability — tracked as CVE-2026-41940 — was being exploited in the wild, and added it to its Known Exploited Vulnerabilities (KEV) catalog. CISA asked government agencies to patch by Sunday. CISA did not immediately respond to a request for comment, asking whether it could confirm that government agencies have patched their servers.
The attacks against web servers running cPanel and WHM have likely been ongoing since much earlier than the vulnerability was disclosed. According to KnownHost CEO Daniel Pearson, his company detected attacks as far back as February 23.
An unnamed spokesperson for cPanel acknowledged receipt of TechCrunch’s request for comment, but did not provide a response.
Updated with response from cPanel.
Topics
cPanel, cyberattack, cybersecurity, hackers, Security, web hostingWhen you purchase through links in our articles, we may earn a small commission. This doesn’t affect our editorial independence.
Lorenzo Franceschi-Bicchierai
Senior Reporter, Cybersecurity
Lorenzo Franceschi-Bicchierai is a Senior Writer at TechCrunch, where he covers hacking, cybersecurity, surveillance, and privacy.
You can contact or verify outreach from Lorenzo by emailing lorenzo@techcrunch.com, via encrypted message at +1 917 257 1382 on Signal, and @lorenzofb on Keybase/Telegram.
View Bio
StrictlyVC Athens is up next. Hear unfiltered insights straight from Europe’s tech leaders and connect with the people shaping what’s ahead. Lock in your spot before it’s gone.
-
This tiny, magnetic e-reader could stop you from doomscrolling
- Amanda Silberling
-
Uber wants to turn its millions of drivers into a sensor grid for self-driving companies
- Connie Loizos
-
Y Combinator alum Skio sells for $105M cash, only raised $8M, founder says
- Julie Bort
-
Hackers are actively exploiting a bug in cPanel, used by millions of websites
- Zack Whittaker
-
Elon Musk testifies that xAI trained Grok on OpenAI models
- Tim Fernholz
-
Amazon, Meta join fight to end Google Pay, PhonePe dominance in India
- Jagmeet Singh
-
On the stand, Elon Musk can’t escape his own tweets
- Tim Fernholz