Security researchers are sounding the alarm on a newly discovered vulnerability in the widely used web server management software cPanel and WebHost Manager (WHM).
The bug allows hackers to hijack and take full control of the servers running the affected software, which is believed to be used by tens of millions of website owners around the world.
Many commercial web hosting companies have already patched their customers’ systems. But the maker of cPanel urged customers to ensure that their systems are patched, because the bug affects all supported versions of the software.
cPanel and WHM are two software suites used for managing web servers that host websites, manage email, and handle the important configurations and databases needed to maintain an internet domain. The two suites have deep access to the servers that they manage, giving a malicious hacker potentially unrestricted access to data managed by the affected software.
The bug, formally tracked as CVE-2026-41940, allows malicious hackers to remotely bypass the software’s login screen and gain full access to its administration panel.
Given the ubiquity of cPanel and WHM across the web hosting industry, hackers could compromise potentially large numbers of websites that haven’t patched the bug.
Canada’s national cybersecurity agency said in an advisory that the bug could be exploited to compromise websites on shared hosting servers, such as large web hosting companies.
The agency said that “exploitation is extremely possible” and that immediate action from cPanel customers, or their web hosts, is necessary to prevent malicious access.
Web hosting giant Namecheap, which uses cPanel to allow its customers to manage their web servers, said it blocked access to customers’ cPanel panels after learning of the flaw, both to prevent exploitation and to give it time to patch its customers’ systems.
HostGator also said it patched its systems and is considering the bug a “important authentication-bypass exploit.”
One web hosting company says it found evidence that hackers had been abusing the vulnerability for months before the attempts were discovered.
KnownHost CEO Daniel Pearson said in a post on Reddit that his company has seen attempts to exploit the vulnerability as far back as February 23. The company said it also briefly began blocking access to customer systems before applying patches.
According to Pearson, around 30 servers at KnownHost showed signs of unauthorized attempted access, out of thousands of computers on its network. Pearson likened the efforts to attempts, and has not seen signs of active compromise. cPanel also said it rolled out a security fix for WP Squared, a similar tool for managing WordPress websites.