Security researchers are sounding the alarm on a newly discovered vulnerability in the widely used web server administration software cPanel and WebHost Manager (WHM).
The bug allows hackers to hijack and take full control of the servers running the affected software, which is believed to be used by tens of millions of website owners around the world.
Many commercial web hosting companies have already patched their customers' systems. But the cPanel maker urged customers to make sure that their systems are patched, because the bug affects all supported versions of the software.
cPanel and WHM are two software suites used for managing web servers that host websites, handle email, and manage the critical configurations and databases needed to maintain a web domain. The two suites have deep access to the servers they manage, potentially giving a malicious hacker unrestricted access to data handled by the affected software.
The bug, formally tracked as CVE-2026-41940, allows malicious hackers to remotely bypass its login screen to gain full access to the software's administration panel.
Given the ubiquity of cPanel and WHM software across the web hosting industry, hackers could potentially compromise large numbers of websites that haven't patched the bug.
Canada's national cybersecurity agency said in an advisory that the bug could be exploited to compromise websites on shared hosting servers, such as those run by large web hosting companies.
The agency said that "exploitation is highly likely" and that quick action from cPanel customers, or their web hosts, is essential to prevent malicious access.
Web hosting giant Namecheap, which uses cPanel to allow its customers to manage their web servers, said the company blocked access to customers' cPanel panels after learning of the flaw to prevent exploitation, and to give it time to patch its customers' systems.
HostGator also said it patched its systems and is treating the bug as a "critical authentication-bypass exploit."
One web hosting company says it found evidence that hackers had been abusing the vulnerability for months before the attempts were discovered.
KnownHost CEO Daniel Pearson said in a post on Reddit that his company has seen attempts to exploit the vulnerability as far back as February 23. The company said it also temporarily began blocking access to customer systems before applying patches.
According to Pearson, around 30 servers at KnownHost showed signs of attempted unauthorized access, out of thousands of machines on its network. Pearson characterized the efforts as attempts only, and has not seen signs of active compromise. cPanel also said it rolled out a security fix for WP Squared, a similar tool for managing WordPress websites.
