Hackers Are Actively Exploiting a Bug In cPanel, Used By Millions of Websites (techcrunch.com) 19
Hackers are actively exploiting a critical cPanel and WHM vulnerability, tracked as CVE-2026-41940, that allows remote attackers to bypass the login screen and gain full administrative access to affected web servers. Major hosts including Namecheap, HostGator, and KnownHost have taken mitigation steps or patched systems, but cPanel is urging all customers and web hosts to update immediately because the software is widely used across millions of websites. TechCrunch reports: cPanel and WHM are two software suites used for managing web servers that host websites, manage emails, and handle important configurations and databases needed to maintain an internet domain. The two suites have deep access to the servers that they manage, allowing a malicious hacker potentially unrestricted access to data managed by the affected software.
Given the ubiquity of the cPanel and WHM software across the web hosting industry, hackers could compromise potentially large numbers of websites that haven't patched the bug. Canada's national cybersecurity agency said in an advisory that the bug could be exploited to compromise websites on shared hosting servers, such as large web hosting companies.
The agency said that "exploitation is highly probable" and that immediate action from cPanel customers, or their web hosts, is necessary to prevent malicious access. [...] One web hosting company says it found evidence that hackers have been abusing the vulnerability for months before the attempts were discovered.
ah yep (Score:1)
Customers Update (Score:4, Insightful)
cPanel is urging all customers and web hosts to update immediately.
For hosted websites, is this not something the web host should be doing for their customers?
Re: (Score:1)
Re: (Score:1)
I believe they meant in the general sense, not necessarily very-end-users.
Re: (Score:2)
very-end-users.
Haven't heard that term before. I like it :)
Re: (Score:1)
Just don't take it too literally ;-)
Re: (Score:2)
"should" is doing some heavy lifting there.
But if you're concerned about a cPanel server where you have a site, you could just exploit the hole to gain admin access and then apply the update.
Re:Customers Update (Score:4)
Re: (Score:2)
If you're using a webhost, you're not a customer of cPanel. You're a customer of the webhost.
Webhosts are the customers of cPanel - thus they should be updating. But you as a customer of the webhost, cannot do a thing about it. cPanel is saying all the customers of their software need to update. And you the webmaster of your website, are not their cus
Chained to Copyfail (Score:4, Interesting)
They get auth through cPanel then get root through Copyfail.
Brace for impact.
Re:Chained to Copyfail (Score:4, Funny)
CopyFail only affects kernels from 2017 on; nothing that new is running cPanel.
Re: (Score:1)
Re: (Score:2)
...but why? Haven't people figured out by now that cPanel needs a very serious and very careful going over before being run on anything more powerful than a personal massager? It might be "easy" but people are trading an hour of reading for extreme amounts of pain at some random point in the next 3 years.
Re: (Score:1)
AI hasn’t even shown its true capabilities yet.
Brace for impact.
Indeed.
Re: (Score:2)
Don't even need Copyfail. The broken auth logic grants root itself.
So what? (Score:1)
cPanel has been under attack via different exploits for a long, long, looooooong time.
Just look at how long its CVE history is.
Namecheap Mitigations (Score:2)
Should publishers disable known hackable versions? (Score:2)
It'd certainly help everyone move to versions that are secure if the insecure versions would turn themselves off. Meaning the creator/publisher would remove approval for easily broken/hacked versions, and after a few warnings would disable/block the broken versions from running at all.
Yes, I'm aware of issues with this pattern, but it still sounds "more secure" than what's typical today (relying on each separate developer to decide to upgrade).